Community Forums thread (page 1 of 3, results 1 to 15 of 45)
  1. #1 Member (Join Date: May 2004, Posts: 58)

    Dictionary SPAM Attack !!! Please help. All my tweaks failed

    On one of our servers (Redhat 9.0) we are having a weird problem. Thousands of mails are coming to the server for a domain and for different email ids under that domain, whereas no such email id exists on the server or under that domain.

    I did a search and found that these types of attacks are called Dictionary Attacks and also found a remedy for this at the following path:

    http://linux.cvf.net/cp_eximrules.html

    I did the same as told at the above path but it is still not working, and loads of emails are still coming to the servers and going to the domain's main mail account (login@domain.com) (because that domain doesn't contain any such email for which the mails are coming here).

    Actually these mails are return mails which failed to reach their recipients and are coming back to our server because the reply address is set to my client's one, which actually does not exist on the server.

    So, I need a way to fix this problem by stopping mails whose recipients don't exist on the server. I did the above tweak but no luck.

  2. #2 Member (Join Date: Oct 2002, Posts: 49)

    I am also a victim of that, and receive about 150,000 emails per day (normally it has been 100-200 per day). However, the only suggestion I have got from cPanel staff is to set the catchall account to :blackhole:, so that it is deleted. However, this takes a lot! of bandwidth, but I do not see how this can be avoided. The emails are going directly to :blackhole:, but then the email is already sent.

    I also tried the suggestion on that page, without any success. Now I have given up, and just pay for the traffic and hope it stops.

  3. #3 Member (Join Date: May 2004, Posts: 58)

    Anyone else having any luck with it?

  4. #4 Member casey (Join Date: Jan 2003, Location: If there is trouble, it will find me, Posts: 2,336)

    Quote Originally Posted by checked:
        So, I need a way to fix this problem by stopping mails whose recipients don't exist on the server. I did the above tweak but no luck.
    You have to do the above tweak AND set the default account to :fail:
    Then it will work.

  5. #5 Member (Join Date: May 2004, Posts: 58)

    But how do I set the default account to :fail:?

  6. #6 Member lostinspace (Join Date: Jul 2003, Location: Colorado Springs, CO, Posts: 124)

    It's on a per-domain basis in the cPanel, under MAIL MANAGEMENT.

    And actually, even though your queue will fill up with timed-out messages, I would select BLACKHOLE as opposed to fail. If you tell a spammer there is NO ADDRESS then they can start narrowing the search down.

  7. #7 Member (Join Date: May 2004, Posts: 58)

    Well, I don't know where to do all these changes. So could you please tell me where I should go under SSH or WHM to do such changes?

    If you tell me then I would be grateful to you.

  8. #8 Member lostinspace (Join Date: Jul 2003, Location: Colorado Springs, CO, Posts: 124)

    Go to the cPanel for the domain that is under attack:

    domain.com/cpanel

    Then go under E-MAIL > DEFAULT ADDRESS

    Select the root domain (i.e. domain.com, not sub.domain.com) and add :BLACKHOLE: for the delivery address.

  9. #9 Member (Join Date: May 2004, Posts: 58)

    Thank you guys, I did what you told me and it seems fixed. Now the mail queue is not populating and the client is not getting the junk mails either.

    Exim is consuming most of the server resources now.

    But I am wondering:

    Where are all the mails going now?
    Is this Blackhole route going to increase the load of the server? (I think yes)
    Is there any other alternative or global way to stop Directory Attacks from hitting the server, as told above in my first post (which is not working)?

    My Exim version is : exim-4.34-60_cpanel_stmpcontrol_antivirus_rewrite_mailman2_mailtrap_exiscan
    Last edited by checked; 08-10-2004 at 01:32 PM.

  10. #10 Member lostinspace (Join Date: Jul 2003, Location: Colorado Springs, CO, Posts: 124)

    The e-mails are simply not responded to. The sender will not know whether you received the messages or not.

    You can find tons of posts on here about solutions to SPAM. I would say tap some of those resources and see what you come up with.

  11. #11 Member (Join Date: May 2004, Posts: 58)

    Actually, someone is not sending spam to our server. The spammer is sending mails to other email ids and setting the reply email id to my client's domain, like junk@myclientdomain.com, so whenever a mail fails to reach its recipient it bounces back to our server, assuming that we are sending the junk mails, which is not true. And we are getting thousands of mails every hour.

    I did a search and found that this type of spam is called a Directory Attack and followed what other wise men say here and at rackshack:

    http://linux.cvf.net/cp_eximrules.html

    But it is not working; Exim is not even giving any errors and restarted successfully. I also restarted it via SSH to make sure that it is running fine, and it is, but it is not able to block the mails whose recipients don't exist on the server. I don't know how it is working for others if it is not working for me.
    Last edited by checked; 08-10-2004 at 01:48 PM.

  12. #12 Member (Join Date: Sep 2003, Posts: 658)

    Create a file called .forward and add

    /dev/null

    Then FTP it to the default username shell:

    /home/username

    All email for anything@ will then be bypassed.

  13. #13
    cPanel Partner NOC cPanel Partner NOC Badge rvskin's Avatar
    Join Date
    Feb 2003
    Posts
    397

    Default

    I prevent this using RBLs. Around 40-60% of all incoming email was blocked, which helps lower the server load (a lot), especially on servers that run MailScanner, SpamAssassin, etc.

  14. #14 Member rs-freddo (Join Date: May 2003, Location: Australia, Posts: 819, cPanel/Enkompass Access Level: Root Administrator)

    The best solution is:

    Instead of simply:

    accept domains = +local_domains

    use:

    accept domains = +local_domains
           endpass
           message = Invalid recipient account
           verify = recipient

    in the cPanel Exim editor.

    Set the default email address to ":fail: no such account".
    Set up forwards to the main email account (i.e. info@domain.com to user@servername.com).
    They still pick up mail at their main account, without having to set up and collect using extra POP boxes.

    What this does is block at SMTP; this is the most efficient way of blocking unwanted emails.
    Michael

  15. #15 Member (Join Date: May 2004, Posts: 58)

    Quote Originally Posted by rs-freddo:
        Instead of simply:

        accept domains = +local_domains

        use:

        accept domains = +local_domains
               endpass
               message = Invalid recipient account
               verify = recipient

        In the cpanel exim editor.
    This is exactly what I'm doing, but I am wondering why it is not working at all.

    I know if I set the user's main account to :blackhole: then it will stop all this spam at this point, but if I do so then I would not be able to stop it at the entry point, where it should be denied immediately.

    Okay, here is part of my Exim config according to what is editable under WHM:

    First Editable Box
    ##############################
    HOSTREJECTRCPT1=/etc/exim/acls/hostrejectrcpt
    hostlist host_reject_rcpt = net-lsearch;HOSTREJECTRCPT1

    BLOCKENVSEND1=/etc/exim/acls/denyenvsenders
    addresslist denyenvsenders = lsearch;BLOCKENVSEND1

    DOMAIN_WHITELIST=/etc/exim/acls/destwhitelist
    domainlist whitelisted_domains = lsearch;DOMAIN_WHITELIST

    # How many bad recipients must fail before we drop the connection?
    # Leave it at default 3 unless you have a very good reason to change it.
    ALLOWEDRCPTFAIL=3
    ##############################

    Third Editable Box
    ###### Runtime configuration replacement file for Exim 4-24.x ######
    ###### MAIN CONFIGURATION SETTINGS ######

    # This access control list is used for every RCPT command in an incoming
    # SMTP message. The tests are run in order until the address is either
    # accepted or denied.

    check_recipient:

      # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
      # testing for an empty sending host field.

      accept hosts = :

      # Accept anything from localhost, and especially mailman which
      # chokes badly if you refuse its mail

      accept hosts = 127.0.0.1/8

      # Deny if the local part contains . or @ or % or / or | or !. These are rarely
      # found in genuine local parts, but are often tried by people looking to
      # circumvent relaying restrictions.
      #
      # Also deny if the local part starts with a dot. Empty components aren't
      # strictly legal in RFC 2822, but Exim allows them because this is common.
      # However, actually starting with a dot may cause trouble if the local part
      # is used as a file name (e.g. for a mailing list).

      deny local_parts = ^.*[@%!/|] : ^\\.

      # Blacklist of hosts
      deny hosts = +host_reject_rcpt
           message = Host $sender_host_address is blocked: ${lookup{$sender_host_address}lsearch{HOSTREJECTRCPT1}{$value}{"unspecified reason"}}

      # Blacklist of envelope senders
      deny senders = +denyenvsenders
           message = Sender $sender_address is blocked: ${lookup{$sender_address}lsearch{BLOCKENVSEND1}{$value}{"unspecified reason"}}

      # Accept mail to POSTMASTER in any local domain, regardless of the source.
      # Uncomment the next two lines if you want to allow people to send e-mail
      # to postmaster@anydomain.com. SPAMMERS are getting real smart. I recommend
      # that you don't, but if you wish, uncomment the next two lines.

      #accept local_parts = postmaster
      #       domains = +local_domains

      ### Now that we have all the overrides, we can start the deny rules #######

      deny message = "HELO/EHLO required by SMTP RFC"
           condition = ${if eq{$sender_helo_name}{}{yes}{no}}

      deny message = Only one recipient accepted for NULL sender
           senders = :
           condition = ${if >{$rcpt_count}{1} {1}}

      # Drop the connection once more than ALLOWEDRCPTFAIL-2 earlier RCPT commands
      # in this session have already been rejected and the current recipient fails too.
      drop log_message = Dictionary attack ($rcpt_fail_count failed probes). Dropping connection
           message = unknown user ($rcpt_fail_count failed queries)
           condition = ${if >{$rcpt_fail_count}{${eval:ALLOWEDRCPTFAIL-2}} {1}{0}}

           # We close the connection after a few failures, but we still
           # delay the sender because people who do dictionary attacks can
           # reconnect and try again, so let's slow them down
           delay = ${eval:30*$rcpt_fail_count}s
           domains = +local_domains
           !verify = recipient

      ############################################################################
      # The following is a list of RBL's I use to check for spam. Depending on the
      # server, we may be using all of them or just a few. We are using zombie.dnsbl.sorbs.net
      # and sbl-xbl.spamhaus.org on all our servers. If you decide to comment out any of the RBLs
      # below, be sure to leave the very first RBL active.
      #
      #
      deny message = X-RBL-Warning: $sender_host_address is in a blacklist at $dnslist_domain. http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?js&IP=$sender_host_address
           log_message = found in $dnslist_domain
           dnslists = zombie.dnsbl.sorbs.net

      deny message = X-RBL-Warning: $sender_host_address is in a blacklist at $dnslist_domain. http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?js&IP=$sender_host_address
           log_message = found in $dnslist_domain
           dnslists = spam.dnsbl.sorbs.net
           !domains = +whitelisted_domains

      deny message = X-RBL-Warning: $sender_host_address is in a blacklist at $dnslist_domain. http://www.ordb.org/lookup/?host=$sender_host_address
           log_message = found in $dnslist_domain
           dnslists = relays.ordb.org
           !domains = +whitelisted_domains

      deny message = X-RBL-Warning: $sender_host_address is in a blacklist at $dnslist_domain. http://www.ordb.org/lookup/?host=$sender_host_address
           log_message = found in $dnslist_domain
           dnslists = sbl-xbl.spamhaus.org
           !domains = +whitelisted_domains

      # For Spamcop, we are sending a warning and not denying the msgs unless it fails lower down.

      warn message = X-DUL-Warning: $sender_host_address is in the SpamCop blacklist. http://www.spamcop.net/w3m?action=checkblock&ip=$sender_host_address
           log_message = found in $dnslist_domain
           !authenticated = *
           dnslists = bl.spamcop.net
           !domains = +whitelisted_domains

      ############################################################################

      # Accept bounces to lists even if callbacks or other checks would fail
      warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition = \
             ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
               {yes}{no}}

      accept condition = \
             ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
               {yes}{no}}


      # Accept bounces to lists even if callbacks or other checks would fail
      warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition = \
             ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
               {yes}{no}}

      accept condition = \
             ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
               {yes}{no}}

      require verify = sender

      # Accept if the address is in a local domain, but only if the recipient can
      # be verified. Otherwise deny. The "endpass" line is the border between
      # passing on to the next ACL statement (if tests above it fail) or denying
      # access (if tests below it fail).

      # This section fixes the annoying problem of spammers sending mail to users and domains that don't exist on the box.
      # Why can't Cpanel learn that this fixes their issues. In order for this to happen successfully, users who want to use
      # :FAIL: should enter ":fail: no such address here!" in their default control panel setting for undeliverable mail. To
      # find this section, log into the control panel for x or x2, click on Mail settings, Default Address, Set Default
      # Address and in the space provided enter ":fail: no such address here!"

      accept domains = +local_domains
             endpass
             message = unknown user
             verify = recipient

      # Accept if the address is in a domain for which we are relaying, but again,
      # only if the recipient can be verified.

      accept domains = +relay_domains
             endpass
             message = unrouteable address
             verify = recipient/callout=30s/callout_defer_ok

      accept hosts = +relay_hosts
      accept condition = ${perl{checkrelayhost}{$sender_host_address}}

      accept hosts = +auth_relay_hosts
             endpass
             message = $sender_fullhost is currently not permitted to \
                       relay through this server. Perhaps you \
                       have not logged into the pop/imap server in the \
                       last 30 minutes or do not have SMTP Authentication turned on in your email client.
             authenticated = *

      deny message = $sender_fullhost is currently not permitted to \
                     relay through this server. Perhaps you \
                     have not logged into the pop/imap server in the \
                     last 30 minutes or do not have SMTP Authentication turned on in your email client.


    #!!# ACL that is used after the DATA command
    check_message:
      require verify = header_sender
      accept
    ################################


    Please let me know if there is anything wrong with it. As soon as I save it, it doesn't give any errors. I want to block the spammer at the Exim level to reduce the consumption of server resources.
    Last edited by checked; 08-11-2004 at 02:02 AM.
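As an added illustration (not code from this thread, cPanel or Exim), the following Python model replays a run of RCPT TO commands through the posted ACL's `drop` rule and the `accept ... endpass / verify = recipient` statement, and shows why the ACL only rejects at SMTP time when the domain's default address is :fail:, as posts #4 and #14 say. The mailbox table and probe addresses are constructed, and Exim's evaluation order is simplified (the `delay` modifier is assumed to fire as soon as the fail-count condition before it is true).

```python
"""Model of the RCPT-time checks in the Exim ACL posted above.

Constructed example: domain.com has one real mailbox, 'info', and its cPanel
default address is ':fail:', ':blackhole:' or a forwarding address. The
ALLOWEDRCPTFAIL=3 threshold and the 30s*$rcpt_fail_count delay come from the
posted config; Exim's real evaluation order is simplified (assumption).
"""
ALLOWEDRCPTFAIL = 3
MAILBOXES = {"domain.com": {"info"}}  # constructed sample data


def verify_recipient(local_part, domain, mailboxes, default_address):
    """Approximate Exim 'verify = recipient' under cPanel's default-address rules.

    A real mailbox always verifies. For anything else, ':fail:' makes routing
    fail, so the ACL can reject at RCPT time; ':blackhole:' and a forward both
    route successfully, so the message is accepted and only discarded (or
    delivered to the catch-all) after it has been transferred in full.
    """
    if local_part in mailboxes.get(domain, set()):
        return True
    return not default_address.strip().lower().startswith(":fail:")


def rcpt_session(rcpts, mailboxes, default_address, allowed_fail=ALLOWEDRCPTFAIL):
    """Replay one SMTP session's RCPT TO commands; return (verdicts, delay_s).

    Verdicts are 'accept', 'deny' or 'drop'; after a 'drop' the connection is
    closed, so later recipients are never seen. delay_s is the total time the
    'delay = ${eval:30*$rcpt_fail_count}s' modifier would stall the sender.
    """
    verdicts, fail_count, delay_s = [], 0, 0
    for addr in rcpts:
        local_part, domain = addr.rsplit("@", 1)
        ok = verify_recipient(local_part, domain, mailboxes, default_address)
        # 'drop' verb: condition $rcpt_fail_count > ALLOWEDRCPTFAIL-2 first,
        # then the delay modifier, then '!verify = recipient' on this address
        if fail_count > allowed_fail - 2:
            delay_s += 30 * fail_count
            if not ok:
                verdicts.append("drop")
                break
        # 'accept domains = +local_domains / endpass / verify = recipient'
        if ok:
            verdicts.append("accept")
        else:
            verdicts.append("deny")  # "unknown user"; bumps $rcpt_fail_count
            fail_count += 1
    return verdicts, delay_s


if __name__ == "__main__":
    probes = [f"{u}@domain.com" for u in ("alice", "bob", "carol", "dave")]
    for setting in (":fail: no such account", ":blackhole:", "login@domain.com"):
        print(f"{setting:25} -> {rcpt_session(probes, MAILBOXES, setting)}")
```

With :fail: the third bogus probe is dropped after a 60-second delay and nothing is transferred; with :blackhole: or a forward every probe is accepted, which is the bandwidth cost post #2 describes.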
