ddos attack on smtp?

[upsforum]

I have from some days thousand attempts from differents ip addresses that fail on smtp (exim), only solution is to wait for it to stop?

2014-01-21 22:07:46 H=dhcp46-187-131-87.eaw.com.pl [46.187.131.87]:1775 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:46 H=([190.253.123.218]) [190.253.123.218]:3297 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:47 H=([186.114.32.164]) [186.114.32.164]:22759 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:47 H=93-62-240-137.ip24.fastwebnet.it [93.62.240.137]:47772 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:47 H=cpc2-nmal20-2-0-cust907.19-2.cable.virginm.net [92.239.187.140]:54662 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:50 H=(116-78-190-190.cab.prima.net.ar) [190.190.78.116]:3204 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:50 H=([190.40.81.206]) [190.40.81.206]:41976 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:51 H=181-162-34-204.baf.movistar.cl [181.162.34.204]:4878 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:55 H=(dbe2638e0.dslam-172-17-192-245-256-347-may-04.dsl.cantv.net) [190.38.56.224]:49904 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:57 H=([190.233.227.100]) [190.233.227.100]:10368 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:57 H=(182-12-166-181.fibertel.com.ar) [181.166.12.182]:2518 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:08:01 H=dslb-178-008-040-094.pools.arcor-ip.net [178.8.40.94]:2175 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:08:03 H=(host-176-221-120-189.dynamic.mm.pl) [176.221.120.213]:9189 F=<sxqwykcgw5[email protected]> rejected RCPT <[email protected]>:

 

[Eric]

Howdy,

Looking at just this little bit I see a few things you could do. Messages you accept you have todo a lot with aka spamassassin/clamav, queue, bounce, and clean if none of this gets back to a sane person.

!!!WARNING!!! !!!WARNING!!! !!!WARNING!!! !!!WARNING!!!
Blocking mail at helo/ehlo will not leave a copy on the server. If you are forced to keep emails for compliance you may not be able to use this.
!!!WARNING!!! !!!WARNING!!! !!!WARNING!!! !!!WARNING!!!

1. You say helo I say 500 er goodbye

So the easiest way is to get strict on who you let get beyond helo/ehlo on your server. Cozy up to WHM and enter the Exim Configuration Manager. Under ACL Options you can select these as you see fit:

Require HELO before MAIL [?]

Require remote (hostname/IP address) HELO [?]

Require remote (domain) HELO [?]

Require RFC-compliant HELO [?]

2. You're on my list, and not the good list.

I like all but "Require remote (domain)" on my server and your mileage may vary. But RFC-Compliant HELO + Require a hostname is a good way to block most spam bots. It works like checking caller ID. The mail comes in to Exim, exim asks who it is, and if doesn't like it it "errors" to end the connection. A lot like sending a phone call to voicemail that you don't want to answer.

If you've rejected some messages there you might move on to adding RBL support. RBL support is a bit of a mixed back. I've had good luck with it on my own personal server but I know of some folks it won't work with their customers. If you can get away with it zen/spamcop can really help stop messages at the SMTP layer before you start getting data. This is very lightweight for Exim to drop (again like sending a phone call to voicemail).

3. I would not do such things if I were you

Ok I personally hate this option, but it works. So mid-message tranmission, while the server that is sending you mail is saying ehlo there, your server will reach back to the same IP and ask ehlo back. This echo echo goes on to the point of the server saying that there is a user on the other side of the same name. Most mail servers will be happy with it and your message gets through. There are some cases like password resets and web servers sending messages that have no mail server on them. These IP's would need to be whitelisted from this type of check.

Sender Verification [?]

This all goes wrong when your server gets blocked for terminating connections on the other server and then neither side is happy. This is also very hard to troubleshoot without admins on both sides, this is why I hate it.

Another option you can google to enable is greylisting. This hangs up on every SMTP connection the first time. Good mail servers will try back in 5 to 30 seconds depending on their retry settings. This works like an insurance company that denies all claims until someone appeals. Just about all mailservers have at least 1 retry (the RFC says they should try again). The message retries and gets queued with the rest. The customer rarely notices but non-mail servers that spam will get a rejection or two and move on to the next IP in the block.

4. Bonus Round - Don't let your users pollute my inbox (or anyone's for that matter).

Are you allowing your users to send mail via apache? It's likely you are, which is good it lets users automate tasks like lost passwords but let's do a few things to make life easier if a site gets exploited to send spam. Turn these two options on.

Query Apache server status to determine the sender of email sent from processes running as nobody [?]

Trust X-PHP-Script headers to determine the sender of email sent from processes running as nobody [?]

Scan outgoing messages for spam and reject based on SpamAssassin® internal spam_score setting [?]

Scan outgoing messages for malware [?]

If you're running anything that runs as a user for PHP it will mark the headers with the user on your system. This will make it easy to know which user on your system is sending out email if it ever comes up. Also it will prevent someone on the server from spamming someone else on the server. (This rarely happens unless you want to send your brother 50,000 message to get him to leave a meeting early (HI BRO)).

I hope all of this helps. I didn't mean to write a book but it's worth spending some quality time with exim every few months.

Thanks!

 

[jols]

Hi,

Thanks for the article. We are considering switching on the HELO verification as a way to further tighten up security and preventing spam. However, what you have written here comes as a surprise:

"Blocking mail at helo/ehlo will not leave a copy on the server."

Do you mean, that when an email account user checks the feature in their email client, "Leave a copy on the server", or "Leave a copy on the server for 'x' number of days.", this will no longer be functional if we switch on "Require HELO before MAIL"???

Or do you mean simply that email which is blocked because of HELO verification failures will simply not show up anywhere in the user's email account?

If you could clarify this, it would be appreciated.

As a side note - I tried switching on HELO verification some two years ago, but switched it off again when too many legitimate users was no longer able send email, I guess because the ISP's they were using had badly configured systems. But it seems that most legitimate email services use HELO verification now days, so we are getting ready to try it again.

Thanks again.

 

[cPanelMichael]

Or do you mean simply that email which is blocked because of HELO verification failures will simply not show up anywhere in the user's email account?

This. The blocked emails are not stored on the server or available in the queue for review.

Thank you.