The Community Forums

Interact with an entire community of cPanel & WHM users!

Attacker taking all email services down at will?

Discussion in 'Security' started by jols, Jan 20, 2011.

  1. jols (Well-Known Member; joined Mar 13, 2004; 1,111 messages)

    Hello,

    I know this has been discussed but I've yet to see a concrete solution for it. Here's the scenario:

    1 -- We receive complaints that email services are down.

    2 -- I look in /var/log/exim_mainlog and I see a million of these entries:

    2011-01-20 20:32:55 SMTP call from (uscmnal.com) [203.239.194.165] dropped: too many nonmail commands (last was "AUTH")
    2011-01-20 20:32:56 SMTP call from (gjxhngh.com) [203.239.194.165] dropped: too many nonmail commands (last was "AUTH")
    2011-01-20 20:33:04 SMTP call from (tqnkjl.com) [203.239.194.165] dropped: too many nonmail commands (last was "AUTH")
    2011-01-20 20:33:04 SMTP call from (qqjydb.com) [203.239.194.165] dropped: too many nonmail commands (last was "AUTH")
    2011-01-20 20:33:50 SMTP call from (vauvea.com) [203.239.194.165] dropped: too many nonmail commands (last was "AUTH")
    2011-01-20 20:33:50 SMTP call from (qulnss.com) [203.239.194.165] dropped: too many nonmail commands (last was "AUTH")


    3 -- I put the offending IP address in the firewall, in this case 203.239.194.165

    4 -- I restart exim and then we are back up.

    5 -- I check to make sure that the following is in the exim configs, which is supposed to mitigate this attack:
    log_selector = -rejected_header
    (Which it is.)


    So what's the solution here? Anyone?

    Thanks!
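The manual steps above (grep the "too many nonmail commands" drops in /var/log/exim_mainlog, find the source address, block it) can be scripted. The following is an added example, not code posted by jols or shipped with cPanel/exim. It parses the drop lines, counts them per source IP, records how many different HELO names each IP presented (the random .com names in the post are a useful sign that the address is a bot rather than a misconfigured client), and returns the addresses at or above a threshold. The sample input reuses the six log lines from the post plus two constructed lines (a single drop from the documentation address 192.0.2.10 and an unrelated queue-run line). The threshold of 5, the iptables command format, and the function names are assumptions; on a CSF-managed box you would feed the addresses to your firewall tool instead.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the six lines from the post, one constructed drop from
# a documentation-range address, and one constructed non-drop line to be ignored.
SAMPLE_LOG = """\
2011-01-20 20:32:55 SMTP call from (uscmnal.com) [203.239.194.165] dropped: too many nonmail commands (last was "AUTH")
2011-01-20 20:32:56 SMTP call from (gjxhngh.com) [203.239.194.165] dropped: too many nonmail commands (last was "AUTH")
2011-01-20 20:33:04 SMTP call from (tqnkjl.com) [203.239.194.165] dropped: too many nonmail commands (last was "AUTH")
2011-01-20 20:33:04 SMTP call from (qqjydb.com) [203.239.194.165] dropped: too many nonmail commands (last was "AUTH")
2011-01-20 20:33:50 SMTP call from (vauvea.com) [203.239.194.165] dropped: too many nonmail commands (last was "AUTH")
2011-01-20 20:33:50 SMTP call from (qulnss.com) [203.239.194.165] dropped: too many nonmail commands (last was "AUTH")
2011-01-20 20:34:01 SMTP call from (mail.example.net) [192.0.2.10] dropped: too many nonmail commands (last was "AUTH")
2011-01-20 20:34:02 Start queue run: pid=12345
"""

# One exim_mainlog "dropped: too many nonmail commands" line.
DROP_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SMTP call from '
    r'\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\] dropped: '
    r'too many nonmail commands \(last was "(?P<cmd>[^"]*)"\)$'
)


def parse_drops(lines):
    """Yield a dict (ts, helo, ip, cmd) for every drop line; other lines are skipped."""
    for line in lines:
        m = DROP_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def summarize(lines):
    """Per source IP: number of drops and number of distinct HELO names presented."""
    drops = Counter()
    helos = defaultdict(set)
    for d in parse_drops(lines):
        drops[d["ip"]] += 1
        helos[d["ip"]].add(d["helo"])
    return {ip: {"drops": n, "distinct_helos": len(helos[ip])} for ip, n in drops.items()}


def offending_ips(lines, threshold=5):
    """Source IPs with at least `threshold` drops, busiest first (threshold is an assumption)."""
    summary = summarize(lines)
    hits = [ip for ip, s in summary.items() if s["drops"] >= threshold]
    return sorted(hits, key=lambda ip: -summary[ip]["drops"])


def firewall_rules(ips):
    """Render block rules; plain iptables syntax is assumed here, adapt to your firewall."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


def main():
    lines = SAMPLE_LOG.splitlines()
    for ip, s in summarize(lines).items():
        print(f"{ip}: {s['drops']} drops, {s['distinct_helos']} distinct HELO names")
    for rule in firewall_rules(offending_ips(lines)):
        print(rule)


if __name__ == "__main__":
    main()
```

To run it against the live log, replace SAMPLE_LOG with the contents of /var/log/exim_mainlog (or a `tail` of it) and review the printed rules before applying them; the threshold keeps a single dropped connection from a legitimate but misbehaving client from being blocked.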
     