
The Community Forums


Attack on Exim SMTP 25

Discussion in 'E-mail Discussion' started by embsupafly, Mar 14, 2006.

  1. embsupafly

    embsupafly Active Member

    Joined:
    Dec 24, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    156
    We have a server being attacked in the form of a botnet/DDOS.

    We have installed this before: http://www.configserver.com/free/eximdeny.html. It is a great dictionary attack detection script, and the server is stopping the spam attempts, but it's killing SMTP and giving us messages that there are too many connections to SMTP. exim_mainlog is going crazy; what can we do?
     
  2. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    166
    If you haven't done so, set all default addresses to :fail: - this may make a difference.

    I also find that the HELO tests listed on the RVSkin antispam page help stop a fair amount of home-user botnet spam as such messages often forge the HELO/EHLO header to try and look as if they're coming from a legitimate domain.

    http://www.rvskin.com/index.php?page=public/antispam#4
     
  3. embsupafly

    embsupafly Active Member

    Joined:
    Dec 24, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    156
    Thanks for the reply, we already do have everything to :fail: vs. blackhole. We will check into the other HELO option you suggested.
     
  4. embsupafly

    embsupafly Active Member

    Joined:
    Dec 24, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    156
    We implemented the HELO check, still not helping. We noticed that the ACL rules for it use "delay", isn't that a bad thing to do in this situation?
     
  5. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    655
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Canada
    Block the attackers' IPs at your server's firewall.
     
  6. embsupafly

    embsupafly Active Member

    Joined:
    Dec 24, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    156
    There are thousands of them.
     
  7. embsupafly

    embsupafly Active Member

    Joined:
    Dec 24, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    156
    Would installing mod_security for Apache help with this form of attack?
     
  8. embsupafly

    embsupafly Active Member

    Joined:
    Dec 24, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    156
    Or,

    Since we are actually blocking the spam with chirpy's exim dictionary attack detection, using :fail:, and using RBLs in exim to block the spam, is there a way that, when the mail is marked as being blocked by the RBLs in exim_mainlog, we can get these IPs into our APF/BFD blacklist? That way we would be blocking this attack at the firewall rather than at exim.
     
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    There's a script kicking around that I wrote to put the IPs in /etc/exim_deny into APF:
    http://forums.cpanel.net/showpost.php?p=174803&postcount=47

    Also, for the SMTP connection issue. Do make sure that you are not using any delay commands in the ACL section of the exim configuration editor - they're a very bad idea.
     
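The log-to-firewall idea from posts 8 and 9, shown as an added example written for this thread (it is not chirpy's script and not cPanel or Exim code). It parses constructed exim_mainlog-style lines for RBL-based RCPT rejections, counts them per sending IP, and builds `apf -d` commands for IPs that cross a threshold, skipping IPs already in the deny list. The log lines are constructed to resemble Exim's "rejected RCPT ... is in a black list at" messages; the threshold and the already-denied list are assumptions a real deployment would take from its own logs and from /etc/apf/deny_hosts.rules.

```python
import re
from collections import Counter

# Constructed sample lines in exim_mainlog style (not taken from any real server).
SAMPLE_LOG = """\
2006-03-14 10:22:11 H=(mail.example.net) [192.0.2.10] F=<a@example.net> rejected RCPT <bob@example.org>: Rejected because 192.0.2.10 is in a black list at zen.spamhaus.org
2006-03-14 10:22:12 H=(mail.example.net) [192.0.2.10] F=<b@example.net> rejected RCPT <carol@example.org>: Rejected because 192.0.2.10 is in a black list at zen.spamhaus.org
2006-03-14 10:22:15 H=(pc77.example.com) [198.51.100.7] F=<x@example.com> rejected RCPT <dave@example.org>: Rejected because 198.51.100.7 is in a black list at bl.spamcop.net
2006-03-14 10:22:18 H=(mail.example.net) [192.0.2.10] F=<c@example.net> rejected RCPT <erin@example.org>: Rejected because 192.0.2.10 is in a black list at zen.spamhaus.org
2006-03-14 10:22:20 1FJ1xx-0001Ab-Cd <= alice@example.org H=(legit.example.org) [203.0.113.5] P=esmtp S=1234
"""

# Match the sender IP in [brackets] on a line that was rejected because of an RBL hit.
RBL_REJECT = re.compile(
    r"\[(\d{1,3}(?:\.\d{1,3}){3})\] .*rejected RCPT .*is in a black list at (\S+)"
)


def rbl_rejections(log_text):
    """Count RBL-based RCPT rejections per sending IP; returns a Counter."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RBL_REJECT.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def ips_to_deny(log_text, threshold, already_denied=()):
    """Sorted IPs with at least `threshold` RBL rejections that are not yet denied.

    The threshold keeps a single stray hit from earning a firewall block;
    `already_denied` (assumed to come from the existing APF deny list) avoids
    re-adding the same IP on every run.
    """
    denied = set(already_denied)
    return sorted(ip for ip, n in rbl_rejections(log_text).items()
                  if n >= threshold and ip not in denied)


def apf_deny_commands(ips):
    """Build one `apf -d <ip>` command per IP (APF's deny-host flag)."""
    return ["apf -d %s" % ip for ip in ips]


if __name__ == "__main__":
    for cmd in apf_deny_commands(ips_to_deny(SAMPLE_LOG, threshold=2)):
        print(cmd)
```

Run it from cron against a tail of the live exim_mainlog and pipe the commands to a shell once the threshold has been tuned; the accepted-message line in the sample shows that normal deliveries are never matched.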