Any way to block Romania from logging into Exim?

Discussion in 'E-mail Discussions' started by jols, Aug 26, 2012.

  1. jols

    jols Well-Known Member

    Hi,

    Short of putting "RO" in CC_Deny, (in csf), is there any way to prevent anyone from Romania from logging into any email account we host?

    The problem with us is that our hosted members who use Windows PCs occasionally get keyloggers on their machines, then their email account passwords are stolen and spam is sent through the hosted email account. We've increased our monitoring, etc. but it would really help if we could just block certain countries from logging into Exim, (using AUTHRELAY), to send email from ANY email account we host. AE, BO, RO, KE, EC, and VE would all go on our "block from logging into exim" list if there were any way to do this.

    Thanks much.
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    I'd say it's a lot bigger issue that these Windows users are getting keyloggers on their systems. If they are, it isn't just spam, but account access and possibly stealing their identity that's going to be an issue.

    Couldn't you send out an email to your clients to indicate the issues people are having on Windows and encourage all to run a full scan and how to implement proper Windows security?

    As for preventing Romania from logging into exim, you really should just block them in CSF. Again, if there are keyloggers happening on these user systems, these users also are having the cPanel access credentials stolen. If you don't service Romania, you can just block it in CSF.
     
  3. jols

    jols Well-Known Member

    Yes, we do send out security advice against keyloggers daily. But unless we start blocking entire countries using the CC_Deny feature in CSF, RO in this case, it's still like playing whack-a-mole around here, in this regard. So I would just prefer to stop all RO IPs from logging into SMTP.
     
  4. azurecoast

    azurecoast Member

    It seems to be a bigger security issue than blacklisting an IP. I mean if you are getting a never ending situation where passwords are stolen, and you do not control those remote systems, you should consider some new types of policies. For example two-factor authentication, rotation of passwords, and for sure throttling the SMTP. I am not sure on Windows, but on OSX systems you can use software like Little Snitch.
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    You've already noted you are playing whack-a-mole with these policies anyway. If you block Romania from logging into email, it doesn't prevent another country. I don't even understand why you wouldn't use CSF, since if you aren't servicing Romania, why not block it from FTP, email, and such? Shouldn't you want to block them from that?
     
  6. jols

    jols Well-Known Member

    Because we are already blocking RU, NG and CN. IPTables can only handle so many thousands of blocked IPs before it starts to go a little wacky itself.
     
  7. jols

    jols Well-Known Member

    Old post, but still looking for a solution here, in this regard, to block certain countries just from logging into smtp/AUTHRELAY. There is just a short list I would want to block, which would cut down this issue dramatically, and no, using CC_Deny would be out of the question simply because we can't dump tens of thousands of IPs into the firewall.

    So I am thinking, there has just got to be some kind of a rule we could set in exim, to do something like this:

    SMTP connection ---> Check inbound IP against CC blacklist ----> Then allow AUTHRELAY, or not based on any potential CC blacklist matches or the lack thereof.
     
  8. nuskope

    nuskope Member

    We are looking for the same thing here.
    So many people getting done by keyloggers and our mail server is blocked daily now.

    I want to disable any SMTP connections outside of our /20 IP range, so only people on our network can send email.
     
  9. jols

    jols Well-Known Member

    We were never able to find a good way to do this. Instead, we had to use a specially written script to watch email logins and then send alerts when certain parameters were exceeded. But if you use CSF you could simply put "RO" in the cc_deny field, and that would likely take care of a lot of it, at least where Romania is concerned.

    In general in terms of email security, we have found something new in this regard. I would invite you to follow the thread below for any possible resolutions which may also help you as well:

    http://forums.cpanel.net/f185/spam-sent-via-non-existant-email-addresses-331231.html
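
Added example, not part of the original thread and not any poster's script: a minimal login watcher of the kind post 9 describes. It parses authenticated submissions from Exim main-log lines and alerts on logins from outside a trusted network (the restriction post 8 asks for), from too many source addresses, or at high volume. The function name, thresholds, trusted range and log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# "<=" lines with A=<authenticator>:<login>. The address must follow a space so a
# client-chosen HELO such as "([10.0.0.1])" is never mistaken for the peer IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= .*? \[(?P<ip>[0-9A-Fa-f:.]+)\]"
    r"(?::\d+)? .*?\bA=\w+:(?P<user>\S+)")

def find_suspect_logins(lines, trusted_net=None, max_ips=2, max_msgs=3,
                        window=timedelta(hours=1)):
    """Return (timestamp, account, reason) tuples; thresholds are illustrative."""
    trusted = ip_network(trusted_net) if trusted_net else None
    recent = defaultdict(deque)              # account -> (time, ip) inside the window
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                         # not an authenticated submission
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            ip = ip_address(m["ip"])
        except ValueError:
            continue                         # malformed timestamp or address
        user = m["user"]
        events = recent[user]
        events.append((ts, ip))
        while ts - events[0][0] > window:
            events.popleft()                 # expire events older than the window
        if trusted and ip not in trusted:
            alerts.append((m["ts"], user, "outside-trusted-net"))
        if len({e[1] for e in events}) > max_ips:
            alerts.append((m["ts"], user, "many-source-ips"))
        if len(events) > max_msgs:
            alerts.append((m["ts"], user, "high-volume"))
    return alerts

# Constructed sample lines in Exim main-log format (documentation address ranges).
SAMPLE_LOG = """\
2012-08-26 10:00:01 1T5aaa-0001Xy-01 <= ann@example.com H=(pc1) [192.0.2.10]:50001 P=esmtpa A=dovecot_login:ann@example.com S=900
2012-08-26 10:01:00 1T5aab-0001Xy-02 <= bob@example.com H=([192.0.2.77]) [198.51.100.7]:50002 P=esmtpa A=dovecot_plain:bob@example.com S=800
2012-08-26 10:02:00 1T5aac-0001Xy-03 <= bob@example.com H=(x) [203.0.113.9]:50003 P=esmtpa A=dovecot_plain:bob@example.com S=800
2012-08-26 10:03:00 1T5aad-0001Xy-04 <= bob@example.com H=(y) [203.0.113.80]:50004 P=esmtpa A=dovecot_plain:bob@example.com S=800
2012-08-26 10:04:00 1T5aae-0001Xy-05 <= news@example.org H=mx.example.org [198.51.100.200]:25001 P=esmtp S=4000
""".splitlines()
if __name__ == "__main__":
    print(*find_suspect_logins(SAMPLE_LOG, trusted_net="192.0.2.0/24"), sep="\n")
```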
     
  10. quietFinn

    quietFinn Well-Known Member

    What do you mean by "people on our network"?
     