
Attack on Exim SMTP 25

Discussion in 'E-mail Discussions' started by embsupafly, Mar 14, 2006.

  1. embsupafly

    embsupafly Active Member

    Joined:
    Dec 24, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    We have a server being attacked in the form of a botnet/DDOS.

    We have installed this before: http://www.configserver.com/free/eximdeny.html, which is a great dictionary attack detection script, and the server is stopping the spam attempts, but it's killing SMTP and giving us messages that there are too many connections to SMTP. exim_mainlog is going crazy; what can we do?
     
  2. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    If you haven't done so, set all default addresses to :fail: - this may make a difference.

    I also find that the HELO tests listed on the RVSkin antispam page help stop a fair amount of home-user botnet spam as such messages often forge the HELO/EHLO header to try and look as if they're coming from a legitimate domain.

    http://www.rvskin.com/index.php?page=public/antispam#4
     
  3. embsupafly

    embsupafly Active Member

    Joined:
    Dec 24, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    Thanks for the reply, we already do have everything to :fail: vs. blackhole. We will check into the other HELO option you suggested.
     
  4. embsupafly

    embsupafly Active Member

    Joined:
    Dec 24, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    We implemented the HELO check, still not helping. We noticed that the ACL rules for it use "delay", isn't that a bad thing to do in this situation?
     
  5. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Block the attacker's IP at your server's firewall.
     
  6. embsupafly

    embsupafly Active Member

    Joined:
    Dec 24, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    There are thousands of them.
     
  7. embsupafly

    embsupafly Active Member

    Joined:
    Dec 24, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    Would installing mod_security for Apache help with this form of attack?
     
  8. embsupafly

    embsupafly Active Member

    Joined:
    Dec 24, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    Or,

    Since we are actually blocking the spam with Chirpy's exim dictionary attack detection, and using :fail: and using RBLs in exim to block the spam, is there a way that, when the mail is marked as being blocked by the RBLs in exim_mainlog, we can get these IPs into our APF/BFD blacklist? That way we are blocking this attack at the firewall vs. at exim.
     
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    There's a script kicking around that I wrote to put the IPs in /etc/exim_deny into APF:
    http://forums.cpanel.net/showpost.php?p=174803&postcount=47

    Also, for the SMTP connection issue. Do make sure that you are not using any delay commands in the ACL section of the exim configuration editor - they're a very bad idea.
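Pulling the RBL-rejected source addresses out of exim_mainlog and turning them into firewall denies, as asked about in post 8 and answered above, as an added example that is neither the script chirpy links to nor cPanel's code. The log lines are constructed, the rejection wording in the regex and the `apf -d` syntax are assumptions to check against the local ACL text and APF version, and the allowlist exists so a bad RBL hit never locks out a trusted relay.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed exim_mainlog lines (not from the thread). Two RBL rejections from one
# host, one from another, a normal delivery, a non-RBL reject, and one RBL hit
# from an allowlisted relay that must be ignored.
SAMPLE_LOG = """\
2006-03-14 10:01:02 H=(mail.example.net) [198.51.100.7] F=<bob@example.net> rejected RCPT <user@example.org>: JunkMail rejected - 198.51.100.7 is in an RBL: see http://www.spamhaus.org/query/bl?ip=198.51.100.7
2006-03-14 10:01:05 H=(mail.example.net) [198.51.100.7] F=<bob@example.net> rejected RCPT <other@example.org>: JunkMail rejected - 198.51.100.7 is in an RBL: see ...
2006-03-14 10:01:09 H=(pc1.example.com) [203.0.113.25] F=<a@b.com> rejected RCPT <user@example.org>: JunkMail rejected - 203.0.113.25 is in an RBL: see ...
2006-03-14 10:01:11 1FJCqf-0003kZ-00 <= alice@example.org H=localhost [127.0.0.1] P=esmtp S=1234
2006-03-14 10:01:15 H=(x) [203.0.113.26] rejected RCPT <user@example.org>: Unrouteable address
2006-03-14 10:01:20 H=(relay) [192.0.2.5] F=<z@z.com> rejected RCPT <u@example.org>: JunkMail rejected - 192.0.2.5 is in an RBL: see ...
"""

# Assumed allowlist: loopback plus a constructed "trusted relay" range. Never feed
# these to the firewall even if an RBL lists them.
ALLOWLIST = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]

# Assumed ACL wording: the source IP in brackets, an RCPT rejection, and the word
# "RBL" in the rejection text. Adjust to whatever your ACL's message actually says.
RBL_REJECT = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\] .*rejected RCPT .*\bRBL\b", re.IGNORECASE)

def rbl_rejected_ips(log_text, threshold=1):
    """Return {ip: count} of sources rejected by the RBL check at least
    `threshold` times, skipping allowlisted networks and malformed addresses."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RBL_REJECT.search(line)
        if not m:
            continue
        try:
            addr = ip_address(m.group(1))
        except ValueError:
            continue
        if any(addr in net for net in ALLOWLIST):
            continue
        counts[str(addr)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def apf_deny_commands(counts):
    """Render one 'apf -d <host> <comment>' line per IP (assumed APF deny syntax)."""
    return [f'apf -d {ip} "RBL reject x{n} in exim_mainlog"' for ip, n in sorted(counts.items())]

if __name__ == "__main__":
    # Require two hits before blocking so a single stray listing does not fire.
    for cmd in apf_deny_commands(rbl_rejected_ips(SAMPLE_LOG, threshold=2)):
        print(cmd)
```

On a live box, point it at /var/log/exim_mainlog and review the output before piping it to APF; the threshold and allowlist are the two knobs that keep a log parser from becoming a self-inflicted denial of service.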
     