
Being dictionary spammed. Solutions?

Discussion in 'General Discussion' started by nothsa, Feb 19, 2005.

  1. nothsa

    nothsa Well-Known Member

    Hi,

    I have an account on my server that has been getting dictionary spammed over the last few days. I have RBL's in place so most of them don't get through, and the ones that do get through are rejected (no valid RCPT). I've set BFD to block port 25 on the offending IP after 10 failed attempts, but the spammer later switches to another IP and starts again, and gets blocked again, then switches to another IP, etc. etc. I'm guessing he's just using zombie machines.

    Does anyone have a solution for this, or at least something better than what I'm doing now? I don't even know where to start :confused:

    Thanks
     
  2. chirpy

    chirpy Well-Known Member

    http://www.configserver.com/free/eximdeny.html

    Remember to replace any occurrences of :blackhole: or /dev/null in /etc/valiases/* with :fail: and I'd recommend deleting the BFD exim check as it's not such a great idea (as I've mentioned in previous posts).
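
The valiases change described in the post above, as an added example that is not part of the original thread or any poster's code. It assumes cPanel-style lines of the form `<alias>: <destination>` (with `*` as the default address); the function names, the backup directory argument and the rejection text are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the thread). Assumes valiases lines of the form
# "<alias>: <destination>", where "*" is the domain's default address.

# Matches an entry whose destination silently discards mail.
DISCARD_RE='^([^:]+:[[:space:]]*)(:blackhole:|/dev/null)([[:space:]].*)?$'
# Constructed rejection text; must not contain "#" or "&" (used inside sed).
FAIL_MSG="${FAIL_MSG:-No such user here}"

# List "file:line:entry" for every discard destination under the directory.
valias_audit() {
    local dir="${1:-/etc/valiases}" f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -HnE "$DISCARD_RE" "$f" || true
    done
}

# Rewrite discard destinations to :fail:, copying each changed file to a
# backup directory first. Prints the number of files changed.
valias_fix() {
    local dir="$1" backup="$2" f tmp changed=0
    mkdir -p "$backup" || return 1
    tmp=$(mktemp) || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -qE "$DISCARD_RE" "$f" || continue
        # Backups live outside the valiases directory so they are never
        # mistaken for a domain's alias file.
        cp -p "$f" "$backup/" || { rm -f "$tmp"; return 1; }
        sed -E "s#$DISCARD_RE#\\1:fail: $FAIL_MSG#" "$f" > "$tmp" \
            || { rm -f "$tmp"; return 1; }
        # Write through the existing inode so owner and mode stay unchanged.
        cat "$tmp" > "$f"
        changed=$((changed + 1))
    done
    rm -f "$tmp"
    echo "$changed"
}
```

Run `valias_audit` first and review the listed entries, since an alias may have been pointed at /dev/null on purpose; `valias_fix <dir> <backup-dir>` then rewrites every match.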
     
  3. nothsa

    nothsa Well-Known Member

    Awesome! Thanks Chirpy :)
     
  4. nothsa

    nothsa Well-Known Member

    A quick question regarding this mod, Chirpy:

    Since installing this, it's added 5 IP addresses to my /etc/exim_deny file; however, a search through my exim_rejectlog (grepping for "dictionary attack") only turns up 3 IPs and none of those 3 are in the exim_deny file.

    Am I missing something?

    [EDIT]I just saw the addition to your last post, and I've already checked for :blackhole:'s, but it appears that they're all set to :fail: already :)[/EDIT]
     
    #4 nothsa, Feb 19, 2005
    Last edited: Feb 19, 2005
  5. chirpy

    chirpy Well-Known Member

    Try searching your exim_mainlog instead of exim_rejectlog.
     
  6. lostinspace

    lostinspace Well-Known Member

    Curious,

    Is there a way to set :fail: globally for existing accounts? I know I can use the tweak settings to do this for new accounts.
     
  7. chirpy

    chirpy Well-Known Member
