
Attacker scanning ports? Cannot block with firewall?

mikcanavan

Basic Pleskian
If I run 'tethereal port 25' I am seeing the same IP over and over again nearly every second or so, trying to send mails to non valid addresses (not even a recognisable TLD to me) and since adding Barracuda RBL, it stopped them starting the connection. Even after I added the following firewall rule, I am still seeing the following attempted (?) connections over and over again.

iptables -L
DROP udp -- 41.211.238.36 anywhere
DROP tcp -- 41.211.238.36 anywhere

tethereal port 25 (xxx is my IP)
105.312757 41.211.238.36 -> XXX.XXX.XXX.XXX TCP 4255 > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
117.231349 41.211.238.36 -> XXX.XXX.XXX.XXX TCP conspiracy > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
118.312939 41.211.238.36 -> XXX.XXX.XXX.XXX TCP 4497 > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
120.313144 41.211.238.36 -> XXX.XXX.XXX.XXX TCP conspiracy > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
138.275320 41.211.238.36 -> XXX.XXX.XXX.XXX TCP 4780 > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
139.316537 41.211.238.36 -> XXX.XXX.XXX.XXX TCP conspiracy > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
141.317076 41.211.238.36 -> XXX.XXX.XXX.XXX TCP 4780 > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
144.814983 41.211.238.36 -> XXX.XXX.XXX.XXX TCP ds-mail > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
147.814687 41.211.238.36 -> XXX.XXX.XXX.XXX TCP 4780 > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
159.851622 41.211.238.36 -> XXX.XXX.XXX.XXX TCP td-postman > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
160.314424 41.211.238.36 -> XXX.XXX.XXX.XXX TCP 4780 > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
163.313533 41.211.238.36 -> XXX.XXX.XXX.XXX TCP td-postman > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
163.815047 41.211.238.36 -> XXX.XXX.XXX.XXX TCP conspiracy > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
166.814780 41.211.238.36 -> XXX.XXX.XXX.XXX TCP 4497 > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
169.815248 41.211.238.36 -> XXX.XXX.XXX.XXX TCP td-postman > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
182.314302 41.211.238.36 -> XXX.XXX.XXX.XXX TCP td-postman > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
184.815357 41.211.238.36 -> XXX.XXX.XXX.XXX TCP 4780 > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
206.816308 41.211.238.36 -> XXX.XXX.XXX.XXX TCP td-postman > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
207.053924 41.211.238.36 -> XXX.XXX.XXX.XXX TCP prat > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
210.313901 41.211.238.36 -> XXX.XXX.XXX.XXX TCP prat > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
212.313715 41.211.238.36 -> XXX.XXX.XXX.XXX TCP conspiracy > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
216.815507 41.211.238.36 -> XXX.XXX.XXX.XXX TCP prat > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Am I missing something...? If I have blocked this specific IP - why am I seeing these repeated connections over 24 hours later? Am I misinterpreting the tethereal output?

Basically - can I block these attempts?
 
That's normal, your system is dropping the packets from the attacker. The packets still arrive, they just don't finish the handshake.
 
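A quick way to confirm from the capture that the DROP rule is working, as an added example that is not part of the thread: the sniffer sees every frame that reaches the interface before netfilter discards it, so a dropped source shows up as bare SYNs that are never answered. The script below parses the one-line tethereal/tshark format quoted above (sample lines are constructed; the blocked IP and masked host address are the thread's) and reports whether a SYN/ACK reply or a completing ACK ever appears.

```python
import re

# Constructed sample in the tethereal one-line format from the post:
# only inbound SYNs from the blocked host, retried on the same source port.
SAMPLE_DROPPED = """\
138.275320 41.211.238.36 -> XXX.XXX.XXX.XXX TCP 4780 > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
141.317076 41.211.238.36 -> XXX.XXX.XXX.XXX TCP 4780 > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
147.814687 41.211.238.36 -> XXX.XXX.XXX.XXX TCP 4780 > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
"""

# Constructed sample of what an UNBLOCKED connection would look like:
# the server answers with SYN/ACK and the client completes the handshake.
SAMPLE_ACCEPTED = """\
105.312757 41.211.238.36 -> XXX.XXX.XXX.XXX TCP 4255 > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460
105.312901 XXX.XXX.XXX.XXX -> 41.211.238.36 TCP smtp > 4255 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
105.520112 41.211.238.36 -> XXX.XXX.XXX.XXX TCP 4255 > smtp [ACK] Seq=1 Ack=1 Win=65535 Len=0
"""

# time  src -> dst  TCP  sport > dport  [FLAGS] ...
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\]"
)

def parse(capture):
    """Turn capture lines into dicts; the flag list becomes a set."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["flags"] = {f.strip() for f in p["flags"].split(",")}
            pkts.append(p)
    return pkts

def handshake_status(capture, blocked_ip):
    """Classify what the capture shows for a source that should be DROPped."""
    pkts = parse(capture)
    inbound = [p for p in pkts if p["src"] == blocked_ip]
    outbound = [p for p in pkts if p["dst"] == blocked_ip]
    bare_syn = [p for p in inbound if p["flags"] == {"SYN"}]
    syn_ack = [p for p in outbound if {"SYN", "ACK"} <= p["flags"]]
    completed = [p for p in inbound if p["flags"] == {"ACK"}]
    if syn_ack or completed:
        return "NOT BLOCKED: handshake completed"
    if inbound and len(bare_syn) == len(inbound):
        return "DROPPED: only unanswered SYNs seen"
    return "UNKNOWN: no traffic for that host"
```

Any `[SYN, ACK]` leaving your host toward the blocked address means the rule is not matching (wrong chain, or a rule earlier in the chain accepts it first).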