The Community Forums

Interact with an entire community of cPanel & WHM users!

Dictionary Attack

Discussion in 'General Discussion' started by noimad1, Feb 19, 2007.

  1. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    Hi,

    I believe one of my servers is being attacked through one of my customer's e-mail. Someone is basically sending e-mails to random accounts at his domain from random e-mail accounts from somewhere else. Each of their messages is coming from a unique e-mail address and a unique IP address.


    Now, we have some MailScanner installed and their dictionary ACL installed. So we are blocking tons of IP addresses, but they keep coming at us with new ones. We also have his default account set to "fail:", however, they are hitting the server so hard that it doesn't seem to be making any difference. They are basically taking this server offline with so many connections.

    I tried suspending his account, but that doesn't seem to make a difference either.

    Here is a quick snapshot of my exim_mainlog. I am seeing basically blocks like this every second:


    I don't know what to do next, and I was wondering if anyone had any suggestions?
     
  2. tripper

    tripper Member

    Joined:
    Feb 11, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    N.W. Iowa
  3. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    I'm sorry, I should have been more clear. It is Chirpy's Mailscanner and eximdeny ACL that I have installed. It doesn't seem to be helping?
     
  4. SonServers

    SonServers Well-Known Member

    Joined:
    Oct 24, 2001
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    You wrote that you have the default set to "fail:". It should be ":fail:" with both colons, but maybe you just mis-typed it in the post.

    I had the same thing happen, where MailScanner was causing high loads because a spammer was using a domain on my server in the from address, which caused the bounces to come back to his domain. Changing the user's default to :fail: stopped the MailScanner load immediately.
     
  5. RandyO

    RandyO Well-Known Member

    Joined:
    Jun 17, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    So according to the dictionary documentation:

    If the sender server tries four email addresses that don't exist on your server, the ACL disconnects the session with the sender server (DROP) and puts the IP address of the sender server into /etc/exim_deny.
    If the sender server connects again, the ACL first checks /etc/exim_deny and, if it finds the sender's IP address there, the session is immediately disconnected.

    Why then is my /etc/exim_deny file not being written to? (The mainlog does show numerous dictionary attacks as well.)
     
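As an added illustration of the counting rule the quoted documentation describes (four rejected recipients from one IP, then a DROP and a deny-list entry, with reconnects checked against that list), here is a small Python script that is not part of the thread and not Chirpy's exim_deny.pl. The mainlog lines are constructed samples, and the one-IP-per-line layout of exim_deny and exim_deny_whitelist is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of Exim mainlog rejects for recipients that do not exist
# (the original post's log snapshot is not present, so these are made up).
SAMPLE_MAINLOG = """\
2007-02-19 14:28:01 H=(relay1.example.net) [192.0.2.10] F=<a1@example.org> rejected RCPT <bob@customer.example>: Unrouteable address
2007-02-19 14:28:01 H=(relay1.example.net) [192.0.2.10] F=<a2@example.org> rejected RCPT <carl@customer.example>: Unrouteable address
2007-02-19 14:28:02 H=(relay1.example.net) [192.0.2.10] F=<a3@example.org> rejected RCPT <dave@customer.example>: Unrouteable address
2007-02-19 14:28:02 H=(mx.partner.example) [198.51.100.7] F=<ann@partner.example> rejected RCPT <typo@customer.example>: Unrouteable address
2007-02-19 14:28:03 H=(relay1.example.net) [192.0.2.10] F=<a4@example.org> rejected RCPT <erin@customer.example>: Unrouteable address
2007-02-19 14:28:03 H=(relay1.example.net) [192.0.2.10] F=<a5@example.org> rejected RCPT <fred@customer.example>: Unrouteable address
"""

# Sending IP in brackets, followed later on the line by an unknown-recipient reject.
REJECT_RE = re.compile(
    r"\[(\d{1,3}(?:\.\d{1,3}){3})\] .*rejected RCPT <[^>]+>: Unrouteable address"
)

THRESHOLD = 4  # the quoted documentation: four non-existent addresses triggers a DROP


def unknown_rcpt_counts(log_text):
    """Count rejected RCPTs to non-existent addresses per sending IP."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def deny_candidates(log_text, threshold=THRESHOLD, whitelist=()):
    """IPs at or over the threshold that are not whitelisted (sorted for a stable file)."""
    counts = unknown_rcpt_counts(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in whitelist)


def render_exim_deny(ips):
    """Assumed file layout: one IP address per line, as a hostlist lookup file."""
    return "".join(ip + "\n" for ip in ips)


def should_drop_connection(ip, exim_deny_text):
    """The reconnect check: drop immediately if the IP is already in the deny file."""
    denied = {line.strip() for line in exim_deny_text.splitlines() if line.strip()}
    return ip in denied
```

A legitimate peer that mistypes one address (198.51.100.7 above) stays under the threshold, which is the behaviour the four-address rule is meant to give; a whitelist entry keeps a known relay out of the list even if it does cross it.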
  6. tripper

    tripper Member

    Joined:
    Feb 11, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    N.W. Iowa
    If you're using the setup from Chirpy's website, make sure the following files have the correct settings:
    Code:
    -rw-r--r--  1 mailnull mail  637 Feb 19 14:28 exim_deny
    -rwx------  1 mailnull mail 3156 Jan 25 10:21 exim_deny.pl*
    -rw-------  1 mailnull mail  142 Feb 19 14:16 exim_deny_whitelist
    
    This is our setup, and it has worked quite well over the past few months.

    Mickalo
     
  7. sierrablue

    sierrablue Member

    Joined:
    Aug 30, 2005
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Since every email comes from a different IP (basically a DDoS), there isn't much you can do except temporarily delete the MX record for that domain.
     
  8. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    There is one simple trick that you can do, and I forget what it's called. Most inbound spammers will not try a second MX address if the primary fails. To exploit this:

    Make your primary MX point to an IP address that doesn't respond to SMTP connections. That is,

    domain.com. IN MX 0 nonexistent.domain.com.
    domain.com. IN MX 10 mail.domain.com.

    nonexistent IN A 100.100.100.100

    You should of course change the "100.100.100.100" to an IP address that you know will not respond to SMTP connections.

    The effect of this is to stop most attacks dead in the water.
     
  9. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16

    Hmm... that is an interesting theory. However, could this cause problems with actual mail getting delivered?

    For now, I have just removed his MX record, and that at least got me back up and running. However, I might take a look at this solution if it isn't going to interfere with legitimate mail...


    Also, thanks for everyone else's replies. I did confirm that we are using ":fail:"; it was just a typo on my part when posting to the forum. I also checked the other files and they all seem to be working with correct permissions. Chirpy's script, I believe, is doing its job, because there are literally thousands of IPs being put in the exim_deny file. They just kept coming back with new IPs.
     
  10. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
  11. mike25

    mike25 Well-Known Member

    Joined:
    Aug 29, 2003
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Raleigh NC, USA
    That is an interesting solution, thanks. I have had this issue over the past several months on a few servers as well.
     
  12. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    Just so you know, that secondary MX trick did not work for me. It worked for like a day...

    This guy's account has been attacked for at least a week straight... I can't believe it can go on for this long without the person whose server is doing the attack finding out about it... it has to be causing load on his end too...
     
  13. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Does that mean all this attacking is coming from one server? If so, surely you could just block it in a firewall - problem solved!
     
  14. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    I wish it were that easy. I am thinking there is a script out there on one server that is kicking off the attacks from a million proxy servers. That's the way I'm thinking it is working, but maybe I'm wrong.

    And there is no way to find out where the actual IP is coming from because of the proxies....?
     