Community Forums
  1. #1
    Member
    Join Date
    Mar 2003
    Posts
    604

    Default Dictionary Attack

    Hi,

    I believe one of my servers is being attacked through one of my customers e-mail. Someone is basically sending e-mails to random accounts at his domain from random e-mail accounts from somewhere else. Each of their messages is coming from a unique e-mail address and a unique IP address.


    Now, we have some MailScanner installed and their dictionary ACL installed. So we are blocking tons of IP addresses, but they keep coming at us with new ones. We also have his default account set to "fail:", however, they are hitting the server so hard that it doesn't seem to be making any difference. They are basically taking this server offline with so many connections.

    I tried suspending his account, but that doesn't seem to make a difference either.

    Here is a quick snapshot of my exim_mainlog. I am seeing basically blocks like this every second:

    2007-02-19 12:41:07 H=ns33.hostinglmi.net [213.194.149.236] F=<> rejected RCPT <emineralogy@hisdomain.com.com>: no such address here
    2007-02-19 12:41:07 H=colo.ir.miami.edu [129.171.4.15] F=<> rejected RCPT <voceanographer@hisdomain.com.com >: no such address here
    2007-02-19 12:41:07 H=mail.flexfab.com (pecan.fhi-domain.com) [12.106.149.18] F=<dswoope@flexfab.com> rejected RCPT <qomquebec@ hisdomain.com.com>: no such address here
    2007-02-19 12:41:08 H=ns1.consolemul.com (consolemul.com) [82.138.68.46] F=<> rejected RCPT <pqnorm@hisdomain.com.com >: no such address here
    2007-02-19 12:41:08 H=mail.congreso.net [66.153.39.114] F=<> rejected RCPT <cbnuzzle@ hisdomain.com.com >: no such address here
    2007-02-19 12:41:09 H=cotterpin.hosts.net.nz [210.48.108.203] U=Debian-exim F=<> rejected RCPT <nrhangmen@hisdomain.com.com >: no such address here

    I don't know what to do next, and I was wondering if anyone had any suggestions?
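    The pattern in the log excerpt above can be measured rather than eyeballed. The following is an added example (not code from the thread or from the MailScanner/exim_deny scripts it mentions): it parses "rejected RCPT ... no such address here" lines from an exim_mainlog, summarises them per target domain, and shows why a per-IP threshold never trips when every probe arrives from a fresh address. The log sample is constructed, with made-up hosts, IPs and addresses.

```python
import re
from collections import Counter
# Constructed sample in exim_mainlog format, modelled on the post's excerpt (hosts,
# IPs and addresses are made up); the last line is an ordinary accepted message.
SAMPLE_LOG = """\
2007-02-19 12:41:07 H=ns33.example.net [192.0.2.10] F=<> rejected RCPT <emineralogy@hisdomain.example>: no such address here
2007-02-19 12:41:07 H=mail.example.com (pecan.example.com) [192.0.2.12] F=<dswoope@example.com> rejected RCPT <qomquebec@ hisdomain.example>: no such address here
2007-02-19 12:41:08 H=ns1.example.org [192.0.2.13] F=<> rejected RCPT <pqnorm@hisdomain.example>: no such address here
2007-02-19 12:41:08 H=ns1.example.org [192.0.2.13] U=Debian-exim F=<> rejected RCPT <nrhangmen@hisdomain.example>: no such address here
2007-02-19 12:41:09 H=good.example.net [198.51.100.5] F=<alice@example.net> rejected RCPT <typo@otherdomain.example>: no such address here
2007-02-19 12:41:10 1HJDYB-0001a2-K9 <= bob@example.net H=good.example.net [198.51.100.5] P=esmtp S=1234
"""
# Optional "(helo)" after the host and "U=" before F= both occur in the thread's excerpt.
REJECT_RE = re.compile(
    r"^\S+ \S+ H=\S+(?: \([^)]*\))? \[(?P<ip>[^\]]+)\] (?:U=\S+ )?"
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>: no such address here$"
)

def parse_rejects(text):
    """One dict per unknown-recipient rejection; stray spaces inside the address are dropped."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.match(line.rstrip())
        if m:
            e = m.groupdict()
            e["rcpt"] = e["rcpt"].replace(" ", "").lower()
            events.append(e)
    return events

def summarize_by_domain(events):
    """Per recipient domain: rejections, distinct local parts, distinct source IPs, null senders (F=<>)."""
    stats = {}
    for e in events:
        local, domain = e["rcpt"].rsplit("@", 1)
        s = stats.setdefault(domain, {"rejects": 0, "localparts": set(), "ips": set(), "null_sender": 0})
        s["rejects"] += 1
        s["localparts"].add(local)
        s["ips"].add(e["ip"])
        s["null_sender"] += int(e["sender"] == "")
    return stats

def flag_dictionary_targets(stats, min_rejects=4, min_ips=3):
    """Domains probed from many distinct IPs: the pattern a per-IP rule such as the four-strikes drop cannot keep up with."""
    return sorted(d for d, s in stats.items() if s["rejects"] >= min_rejects and len(s["ips"]) >= min_ips)

def ips_over_threshold(events, threshold=4):
    """Source IPs that would trip a per-IP threshold (the ACL's default is four)."""
    counts = Counter(e["ip"] for e in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

On the sample, the target domain is flagged from only four rejections while no single IP reaches the four-strikes threshold, which is exactly the situation the thread describes.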

  2. #2
    Member tripper's Avatar
    Join Date
    Feb 2007
    Location
    N.W. Iowa
    Posts
    12

    Default

    check out Chirpy's solution here http://www.configserver.com/free/eximdeny.html should help

    Mickalo
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    Thunder Rain Internet Publishing
    Providing Internet Solutions that work!
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

  3. #3
    Member
    Join Date
    Mar 2003
    Posts
    604

    Default

    Quote Originally Posted by tripper View Post
    check out Chirpy's solution here http://www.configserver.com/free/eximdeny.html should help

    Mickalo
    I'm sorry, I should have been more clear. It is Chirpy's Mailscanner and eximdeny ACL that I have installed. It doesn't seem to be helping?

  4. #4
    Member
    Join Date
    Oct 2001
    Posts
    97

    Default

    You wrote that you have the default set to "fail:". It should be ":fail:" with both colons, but maybe you just mis-typed it in the post.

    I had the same thing happen that Mailscanner was causing high loads because a spammer was using a domain on my server in the from address which caused the bounces to come back to his domain. Changing the user's default to :fail: stopped the mailscanner load immediately.

  5. #5
    Member
    Join Date
    Jun 2003
    Posts
    177

    Default

    So according to the dictionary documentation:

    If the sender server tries four email addresses that don't exist on your server the ACL disconnects the session with the sender server (DROP) and puts the IP address of the sender server into /etc/exim_deny
    If the sender server connects again, the ACL first checks /etc/exim_deny and if it finds the senders IP address there the session is immediately disconnected

    Why then is my /etc/exim_deny file not being written to? (The mainlog does show numerous dictionary attacks as well.)

  6. #6
    Member tripper's Avatar
    Join Date
    Feb 2007
    Location
    N.W. Iowa
    Posts
    12

    Default

    If you're using the setup from Chirpy's website, make sure the following files have the correct settings:
    Code:
    -rw-r--r--  1 mailnull mail  637 Feb 19 14:28 exim_deny
    -rwx------  1 mailnull mail 3156 Jan 25 10:21 exim_deny.pl*
    -rw-------  1 mailnull mail  142 Feb 19 14:16 exim_deny_whitelist
    This is our setup, and it seems to work quite well over the past few months.

    Mickalo
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    Thunder Rain Internet Publishing
    Providing Internet Solutions that work!
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

  7. #7
    Member
    Join Date
    Aug 2005
    Posts
    15

    Default

    Quote Originally Posted by noimad1 View Post
    I'm sorry, I should have been more clear. It is Chirpy's Mailscanner and eximdeny ACL that I have installed. It doesn't seem to be helping?
    Since every email comes from a different IP (basically DDOS) there isn't much you can do except temporarily delete the MX record for that domain.

  8. #8
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    There is one simple trick that you can do, and I forget what it's called. Most inbound spammers will not try a second MX address if the primary fails. To exploit this:

    Make your primary MX point to an IP address that doesn't respond to SMTP connections. That is,

    domain.com. IN MX 0 nonexistent.domain.com.
    domain.com. IN MX 10 mail.domain.com.

    nonexistent IN A 100.100.100.100

    You should of course change the "100.100.100.100" to an IP address that you know will not respond to SMTP connections.

    The effect of this is to stop most attacks dead in the water.

  9. #9
    Member
    Join Date
    Mar 2003
    Posts
    604

    Default

    Quote Originally Posted by brianoz View Post
    There is one simple trick that you can do, and I forget what it's called. Most inbound spammers will not try a second MX address if the primary fails. To exploit this:

    Make your primary MX point to an IP address that doesn't respond to SMTP connections. That is,

    domain.com. IN MX 0 nonexistent.domain.com.
    domain.com. IN MX 10 mail.domain.com.

    nonexistent IN A 100.100.100.100

    You should of course change the "100.100.100.100" to an IP address that you know will not respond to SMTP connections.

    The effect of this is to stop most attacks dead in the water.

    Hmm...that is an interesting theory. However, could this cause problems with actual mail getting delivered?

    For now, I have just removed his mx record, and that at least got me back up and running. However, I might take a look at this solution if it isn't going to interfere with legitimate mail.....


    Also, thanks for everyone else's replies. I did confirm that we are using ":fail:", just a typo on my part when posting to the forum. I also checked the other files and they all seem to be working with correct permissions. Chirpy's script I believe is doing its job, because there are literally thousands of IPs being put in the exim_deny file. They just kept coming back with new IPs.

  10. #10
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    The MX trick is used widely. It's very safe and won't stop mail being delivered.

    Here's a link to the major discussion/paper on it:

    http://www.joreybump.com/code/howto/nolisting.html
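    The reason the "nolisting" arrangement in #8 does not lose legitimate mail is the MX fallback rule that every standards-compliant MTA follows. The following is an added example (not from the thread or the linked paper) that orders MX records the way RFC 5321 section 5.1 requires, simulates a sender that walks the list against one that stops at the first host, and sanity-checks a zone before it is published. The records and the set of hosts that accept SMTP are constructed assumptions.

```python
import random

# Constructed zone data for the scheme in posts #8 and #10: the preferred MX is a
# host that never answers on port 25, the real server sits behind it (assumption).
MX_RECORDS = [(0, "nonexistent.domain.com"), (10, "mail.domain.com")]
ACCEPTS_SMTP = {"mail.domain.com"}

def mx_order(records, rng=None):
    """Order MX targets as RFC 5321 section 5.1 requires: ascending preference,
    with equal preferences shuffled so that load is spread across them."""
    rng = rng or random.Random(0)
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered

def attempt_delivery(records, accepts_smtp, tries_all_mx):
    """Host that accepted the message, or None. A compliant MTA walks the whole
    list; the thread's premise is that bulk senders give up after the first host."""
    for host in mx_order(records):
        if host in accepts_smtp:
            return host
        if not tries_all_mx:
            return None
    return None

def check_nolisting_zone(records, accepts_smtp):
    """Checks before publishing: the most-preferred MX must be a dead host and at
    least one fallback must actually accept mail, or legitimate mail is deferred."""
    problems = []
    order = mx_order(records)
    if order[0] in accepts_smtp:
        problems.append("primary MX accepts SMTP; nolisting has no effect")
    if not any(h in accepts_smtp for h in order[1:]):
        problems.append("no working fallback MX; all inbound mail would be deferred")
    return problems
```

Post #12 reports the effect wore off after a day, which in this model corresponds to senders that do walk the list; the zone check still guards against the misconfiguration that would actually break delivery.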

  11. #11
    Member mike25's Avatar
    Join Date
    Aug 2003
    Location
    Raleigh NC, USA
    Posts
    83

    Default

    That is an interesting solution, thanks. I have had this issue over the past several months on a few servers as well.

  12. #12
    Member
    Join Date
    Mar 2003
    Posts
    604

    Default

    Just so you know, that secondary mx trick did not work for me. It worked for like a day....

    This guy's account has been attacked for at least a week straight....I can't believe it can go on for this long without the person's server who is doing the attack finding out about it....it has to be causing load on his end too....

  13. #13
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by noimad1 View Post
    ... without the persons server who is doing the attack finding out about it....it has to be causing load on his end too....
    Does that mean all this attacking is coming from one server? If so, surely you could just block it in a firewall - problem solved!

  14. #14
    Member
    Join Date
    Mar 2003
    Posts
    604

    Default

    Quote Originally Posted by brianoz View Post
    Does that mean all this attacking is coming from one server? If so, surely you could just block it in a firewall - problem solved!
    I wish it were that easy. I am thinking there is a script out there on one server that is kicking off the attacks from a million proxy servers. That's the way I'm thinking it is working, but maybe I'm wrong.

    And there is no way to find out where the actual IP is coming from because of the proxies....?
