Any way to block Romania from logging into Exim?

jols

Well-Known Member
Mar 13, 2004
1,110
3
168
Hi,

Short of putting "RO" in CC_Deny (in csf), is there any way to prevent anyone from Romania from logging into any email account we host?

The problem with us is that our hosted members who use Windows PCs occasionally get keyloggers on their machines, then their email account passwords are stolen and spam is sent through the hosted email account. We've increased our monitoring, etc., but it would really help if we could just block certain countries from logging into Exim (using AUTHRELAY) to send email from ANY email account we host. AE, BO, RO, KE, EC, and VE would all go on our "block from logging into exim" list if there were any way to do this.

Thanks much.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
I'd say it's a lot bigger issue that these Windows users are getting keyloggers on their systems. If they are, it isn't just spam, but account access and possibly stealing their identity that's going to be an issue.

Couldn't you send out an email to your clients to indicate the issues people are having on Windows and encourage all to run a full scan and how to implement proper Windows security?

As for preventing Romania from logging into exim, you really should just block them in CSF. Again, if there are keyloggers happening on these user systems, these users also are having the cPanel access credentials stolen. If you don't service Romania, you can just block it in CSF.
 

jols

Well-Known Member
Mar 13, 2004
1,110
3
168
Yes, we do send out security advice against keyloggers daily. But unless we start blocking entire countries using the CC_Deny feature in CSF, RO in this case, it's still like playing whack-a-mole around here, in this regard. So I would just prefer to stop all RO IPs from logging into SMTP.
 

azurecoast

Member
Jul 25, 2012
9
0
1
cPanel Access Level
DataCenter Provider
Yes, we do send out security advice against keyloggers daily. But unless we start blocking entire countries using the CC_Deny feature in CSF, RO in this case, it's still like playing whack-a-mole around here, in this regard. So I would just prefer to stop all RO IPs from logging into SMTP.
It seems to be a bigger security issue than blacklisting an IP. I mean, if you are getting a never-ending situation where passwords are stolen, and you do not control those remote systems, you should consider some new types of policies. For example two-factor authentication, rotation of passwords, and for sure throttling the SMTP. I am not sure on Windows, but on OS X systems you can use software like Little Snitch.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
You've already noted you are playing whack-a-mole with these policies anyway. If you block Romania from logging into email, it doesn't prevent another country. I don't even understand why you wouldn't use CSF, since if you aren't servicing Romania, why not block it from FTP, email, and such? Shouldn't you want to block them from that?
 

jols

Well-Known Member
Mar 13, 2004
1,110
3
168
Because we are already blocking RU, NG and CN. iptables can only handle so many thousands of blocked IPs before it starts to go a little whacky itself.
 

jols

Well-Known Member
Mar 13, 2004
1,110
3
168
Old post, but still looking for a solution here, in this regard, to block certain countries just from logging into smtp/AUTHRELAY. There is just a short list I would want to block, which would cut down this issue dramatically, and no, using CC_Deny would be out of the question, simply because we can't dump tens of thousands of IPs into the firewall.

So I am thinking there has just got to be some kind of rule we could set in exim to do something like this:

SMTP connection ---> check inbound IP against CC blacklist ---> then allow AUTHRELAY, or not, based on any potential CC blacklist matches or the lack thereof.
 

nuskope

Member
Sep 26, 2011
8
0
51
cPanel Access Level
Root Administrator
We are looking for the same thing here.
So many people getting done by keyloggers, and our mail server is blocked daily now.

I want to disable any SMTP connections outside of our /20 IP range, so only people on our network can send email.
 
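The flow jols sketches (connection, check the client IP against a country list, then allow or refuse AUTH) and the stricter "only our own netblock may authenticate" policy nuskope asks for can both be expressed as an Exim ACL on the AUTH command, without touching iptables at all. The following is an added example, not code from this thread and not cPanel's own Exim configuration. It assumes stock Exim syntax, a deny-list file at /etc/exim/cc_deny.cidr, and that our customer netblock is 203.0.113.0/24 (a documentation range standing in for nuskope's /20); all three are assumptions. Where cPanel's configuration manager lets you splice a custom ACL in is not assumed here.

```exim
# Added example (not from the thread, not cPanel's own configuration).
# Assumptions: deny list at /etc/exim/cc_deny.cidr; own customer netblock
# 203.0.113.0/24.  Only the AUTH command is gated: inbound delivery ACLs
# (RCPT/DATA) are untouched, so listed countries can still send mail *to*
# hosted domains, they just cannot log in and relay *through* the server.

# ---- main configuration section ----
# Run acl_check_auth every time a client issues the AUTH command.
acl_smtp_auth = acl_check_auth

# ---- ACL section ----
begin acl

acl_check_auth:

  # 1. Our own address space may always authenticate.  @[] expands to the
  #    server's own interface addresses, so webmail handed to Exim over
  #    localhost is never caught by the country list.
  accept
    hosts = @[] : 203.0.113.0/24

  # 2. Refuse AUTH from any client IP inside a listed CIDR.  net-iplsearch
  #    does a CIDR match against the file; the data column of the matching
  #    line (the country code) is placed in $host_data for the log line.
  deny
    hosts       = net-iplsearch;/etc/exim/cc_deny.cidr
    delay       = 5s
    log_message = AUTH refused from $sender_host_address (cc=$host_data)
    message     = SMTP AUTH is not accepted from your network

  # 3. Everyone else proceeds to the normal username/password check.
  accept

# /etc/exim/cc_deny.cidr -- constructed sample.  One CIDR per line, a colon,
# then the country code as lookup data.  Produce the real file from whatever
# GeoIP-to-CIDR export you trust.  IPv6 keys must be double-quoted.
#
#   198.51.100.0/24: RO
#   192.0.2.0/24: NG
#   "2001:db8:1::/48": RO
```

For nuskope's stricter policy, replace the final `accept` with a `deny` carrying its own `message`, so that only the netblock in step 1 can authenticate. Two caveats a practitioner should expect: a customer travelling in a listed country, or one whose ISP hands out a listed block, will be locked out of sending (though not of receiving) until they reach you another way, and a stolen password used from an unlisted country or through a VPN still works, so the login monitoring and rate limiting discussed above remain necessary regardless of the list.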

jols

Well-Known Member
Mar 13, 2004
1,110
3
168
We were never able to find a good way to do this. Instead, we had to use a specially written script to watch email logins and then send alerts when certain parameters were exceeded. But if you use CSF you could simply put "RO" in the CC_DENY field, and that would likely take care of a lot of it, at least where Romania is concerned.

In general in terms of email security, we have found something new in this regard. I would invite you to follow the thread below for any possible resolutions which may also help you as well:

http://forums.cpanel.net/f185/spam-sent-via-non-existant-email-addresses-331231.html
 

quietFinn

Well-Known Member
Feb 4, 2006
1,245
102
193
Finland
cPanel Access Level
Root Administrator
I want to disable any SMTP connections outside of our /20 IP range, so only people on our network can send email.
What do you mean by "people on our network"?