The Community Forums


Dictionary SPAM Attack !!! Please help. All my tweaks failed

Discussion in 'General Discussion' started by checked, Aug 10, 2004.

  1. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    On one of our servers (Redhat 9.0) I am having a weird problem. Thousands of mails are coming to the server for a domain and for different email IDs under that domain, whereas no such email ID exists on the server or under that domain.

    I did a search and found that these types of attacks are called Dictionary Attacks and also found a remedy for this at the following path:

    http://linux.cvf.net/cp_eximrules.html

    I did the same as told at the above path but it is still not working and loads of emails are still coming to the servers and going to the domain's main mail account (login@domain.com) (because that domain doesn't contain any such email for which the mails are coming here).

    Actually these mails are return mails which failed to reach their recipients and are coming back to our server because the reply address is set to my client's one, which actually does not exist on the server.

    So, I need a way to fix this problem by stopping mails whose recipients don't exist on the server. I did the above tweak but No Luck :(
     
  2. areha

    areha Well-Known Member

    Joined:
    Oct 30, 2002
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    I am also a victim of that, and receive about 150.000 emails per day (normally it has been 100-200 per day). However, the only suggestion I have got from cpanel staff is to make the catchall account set to :blackhole:, so that it is deleted. However, this takes a lot of bandwidth! but I do not see how this can be avoided. The emails are going directly to :blackhole:, but then the email is already sent.

    I also tried the suggestion on that page, without any success. Now I have given up, and just pay for the traffic and hope it stops.
     
  3. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    anyone else having any luck with it ? :(
     
  4. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    You have to do the above tweak AND set the default account to :fail:
    Then it will work.
     
  5. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    But How do I set the default account to :fail: ???
     
  6. lostinspace

    lostinspace Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    122
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Colorado Springs, CO
    It's on a per domain basis in the cpanel. Under MAIL MANAGEMENT.

    And actually, even though your queue will fill up with timed out messages, I would select BLACKHOLE as opposed to fail. If you tell a spammer there is NO ADDRESS then they can start narrowing the search down.
     
  7. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Well I don't know where to do all these changes. So, could you please tell me where I should go under SSH or WHM to do such changes :confused:

    If you tell me then I would be grateful to you.
     
  8. lostinspace

    lostinspace Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    122
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Colorado Springs, CO
    go to the cpanel for the domain that is under attack:

    domain.com/cpanel

    Then go under E-MAIL>DEFAULT ADDRESS

    select the root domain (i.e. domain.com not sub.domain.com) and add :BLACKHOLE: for the delivery address.
     
  9. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Thank you guys, I did the same as what you told me and it seems fixed. Now the mail queue is not populating and not even the client is getting the junk mails.

    EXIM is consuming most of the server resources now :confused:

    But I am wondering that

    Where are all the mails going now?
    Is this Blackhole route going to increase the load of the server? (I think yes)
    Is there any other alternate OR global way to stop Directory Attacks from hitting the server, as told above in my first post (which is not working)?

    My Exim version is : exim-4.34-60_cpanel_stmpcontrol_antivirus_rewrite_mailman2_mailtrap_exiscan
     
    #9 checked, Aug 10, 2004
    Last edited: Aug 10, 2004
  10. lostinspace

    lostinspace Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    122
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Colorado Springs, CO
    The e-mails are simply not responded to. The sender will not know whether you received the messages or not.

    You can find tons of posts on here about solutions to SPAM. I would say tap some of those resources and see what you come up with.
     
  11. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Actually someone is not sending Spam at our server. A spammer is sending mails to other email IDs and setting the reply email ID to my client's domain, like: junk@myclientdomain.com so, in this way, whenever a mail fails to reach its recipients it bounces back to our server, assuming that we are sending the junk mails, which is not true. And we are getting thousands of mails every hour.

    I did a search and found that this type of Spam is called Directory Attack and followed what other wise men say here and at rackshack:

    http://linux.cvf.net/cp_eximrules.html

    But it is not working, even though exim is not giving any errors and restarted successfully. I also restarted it via SSH to make sure that it is running fine, and it is, but it is not able to block the mails whose recipients don't exist on the server. I don't know how it is working for others if it is not working for me?
     
    #11 checked, Aug 10, 2004
    Last edited: Aug 10, 2004
  12. easyhoster1

    easyhoster1 Well-Known Member

    Joined:
    Sep 25, 2003
    Messages:
    659
    Likes Received:
    0
    Trophy Points:
    16
    Create a file called .forward and add

    /dev/null

    Then FTP it to the default username shell

    /home/username

    All email for anything@ will then be bypassed
     
  13. rvskin

    rvskin Well-Known Member
    PartnerNOC

    Joined:
    Feb 19, 2003
    Messages:
    400
    Likes Received:
    1
    Trophy Points:
    18
    I prevent this using RBL. Around 40-60% of all incoming email was blocked and it helps lower the server load (a lot), especially on servers that run mailscanner, spamassassin, etc.
     
  14. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    The best solution is:

    Instead of simply:

    accept domains = +local_domains

    use:

    accept domains = +local_domains
      endpass
      message = Invalid recipient account
      verify = recipient

    In the cpanel exim editor.

    Set the default email address to ":fail: no such account"
    Set up forwards to the main email account (ie. info@domain.com to user@servername.com).
    They still pick up mail at their main account, without having to set up and collect using extra pop boxes.

    What this does is block at SMTP - this is the most efficient way of blocking unwanted emails.
     
  15. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    This is exactly what I'm doing but I am wondering why it is not working at all.

    I know if I set the user's main account to :blackhole: then it will stop all this spam at this point, but if I do so then I would not be able to stop it at the entry point where it should be denied immediately.

    Okay, here is a part of my Exim Config according to what is editable under WHM:

    First Editable Box
    ##############################
    HOSTREJECTRCPT1=/etc/exim/acls/hostrejectrcpt
    hostlist host_reject_rcpt = net-lsearch;HOSTREJECTRCPT1

    BLOCKENVSEND1=/etc/exim/acls/denyenvsenders
    addresslist denyenvsenders = lsearch;BLOCKENVSEND1

    DOMAIN_WHITELIST=/etc/exim/acls/destwhitelist
    domainlist whitelisted_domains = lsearch;DOMAIN_WHITELIST

    # How many bad recipients must fail before we drop the connection?
    # Leave it at default 3 unless you have a very good reason to change it.
    ALLOWEDRCPTFAIL=3
    ##############################

    Third Editable Box
    ###### Runtime configuration replacement file for Exim 4-24.x ######
    ###### MAIN CONFIGURATION SETTINGS ######

    # This access control list is used for every RCPT command in an incoming
    # SMTP message. The tests are run in order until the address is either
    # accepted or denied.

    check_recipient:

      # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
      # testing for an empty sending host field.

      accept hosts = :

      # Accept anything from localhost, and especially mailman which
      # chokes badly if you refuse its mail

      accept hosts = 127.0.0.1/8

      # Deny if the local part contains . or @ or % or / or | or !. These are rarely
      # found in genuine local parts, but are often tried by people looking to
      # circumvent relaying restrictions.
      #
      # Also deny if the local part starts with a dot. Empty components aren't
      # strictly legal in RFC 2822, but Exim allows them because this is common.
      # However, actually starting with a dot may cause trouble if the local part
      # is used as a file name (e.g. for a mailing list).

      deny local_parts = ^.*[@%!/|] : ^\\.

      # Blacklist of hosts
      deny hosts = +host_reject_rcpt
        message = Host $sender_host_address is blocked: ${lookup{$sender_host_address}lsearch{HOSTREJECTRCPT1}{$value}{"unspecified reason"}}

      # Blacklist of envelope senders
      deny senders = +denyenvsenders
        message = Sender $sender_address is blocked: ${lookup{$sender_address}lsearch{BLOCKENVSEND1}{$value}{"unspecified reason"}}

      # Accept mail to POSTMASTER in any local domain, regardless of the source.
      # Uncomment the next two lines if you want to allow people to send e-mail
      # to postmaster@anydomain.com. SPAMMERS are getting real smart. I recommend
      # that you don't, but if you wish, uncomment the next two lines.

      #accept local_parts = postmaster
      #  domains = +local_domains

      ### Now that we have all the overrides, we can start the deny rules #######

      deny message = "HELO/EHLO required by SMTP RFC"
        condition = ${if eq{$sender_helo_name}{}{yes}{no}}

      deny message = Only one recipient accepted for NULL sender
        senders = :
        condition = ${if >{$rcpt_count}{1} {1}}

      drop log_message = Dictionary attack ($rcpt_fail_count failed probes). Dropping connection
        message = unknown user ($rcpt_fail_count failed queries)
        condition = ${if >{$rcpt_fail_count}{${eval:ALLOWEDRCPTFAIL-2}} {1}{0}}

        # We close the connection after a few failures, but we still
        # delay the sender because people who do dictionary attacks can
        # reconnect and try again, so let's slow them down
        delay = ${eval:30*$rcpt_fail_count}s
        domains = +local_domains
        !verify = recipient

      ############################################################################
      # The following is a list of RBLs I use to check for spam. Depending on the
      # server, we may be using all of them or just a few. We are using zombie.dnsbl.sorbs.net
      # and sbl-xbl.spamhaus.org on all our servers. If you decide to comment out any of the RBLs
      # below, be sure to leave the very first RBL active.
      #
      #
      deny message = X-RBL-Warning: $sender_host_address is in a blacklist at $dnslist_domain. http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?js&IP=$sender_host_address
        log_message = found in $dnslist_domain
        dnslists = zombie.dnsbl.sorbs.net

      deny message = X-RBL-Warning: $sender_host_address is in a blacklist at $dnslist_domain. http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?js&IP=$sender_host_address
        log_message = found in $dnslist_domain
        dnslists = spam.dnsbl.sorbs.net
        !domains = +whitelisted_domains

      deny message = X-RBL-Warning: $sender_host_address is in a blacklist at $dnslist_domain. http://www.ordb.org/lookup/?host=$sender_host_address
        log_message = found in $dnslist_domain
        dnslists = relays.ordb.org
        !domains = +whitelisted_domains

      deny message = X-RBL-Warning: $sender_host_address is in a blacklist at $dnslist_domain. http://www.ordb.org/lookup/?host=$sender_host_address
        log_message = found in $dnslist_domain
        dnslists = sbl-xbl.spamhaus.org
        !domains = +whitelisted_domains

      # For Spamcop, we are sending a warning and not denying the msgs unless it fails lower down.

      warn message = X-DUL-Warning: $sender_host_address is in the SpamCop blacklist. http://www.spamcop.net/w3m?action=checkblock&ip=$sender_host_address
        log_message = found in $dnslist_domain
        !authenticated = *
        dnslists = bl.spamcop.net
        !domains = +whitelisted_domains

      ############################################################################

      # Accept bounces to lists even if callbacks or other checks would fail
      warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
        condition = \
          ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
          {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
          {yes}{no}}

      accept condition = \
          ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
          {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
          {yes}{no}}


      # Accept bounces to lists even if callbacks or other checks would fail
      warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
        condition = \
          ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
          {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
          {yes}{no}}

      accept condition = \
          ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
          {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
          {yes}{no}}

      require verify = sender

      # Accept if the address is in a local domain, but only if the recipient can
      # be verified. Otherwise deny. The "endpass" line is the border between
      # passing on to the next ACL statement (if tests above it fail) or denying
      # access (if tests below it fail).

      # This section fixes the annoying problem of spammers sending mail to users and domains that don't exist on the box.
      # Why can't Cpanel learn that this fixes their issues. In order for this to happen successfully, users who want to use
      # :FAIL: should enter, :fail: no such address here! in their default control panel setting for undeliverable mail. To
      # find this section, log into the control panel for x or x2, click on Mail settings, Default Address, Set Default
      # address and in the space provided enter, :fail: no such address here!

      accept domains = +local_domains
        endpass
        message = unknown user
        verify = recipient

      # Accept if the address is in a domain for which we are relaying, but again,
      # only if the recipient can be verified.

      accept domains = +relay_domains
        endpass
        message = unrouteable address
        verify = recipient/callout=30s/callout_defer_ok

      accept hosts = +relay_hosts
      accept condition = ${perl{checkrelayhost}{$sender_host_address}}

      accept hosts = +auth_relay_hosts
        endpass
        message = $sender_fullhost is currently not permitted to \
          relay through this server. Perhaps you \
          have not logged into the pop/imap server in the \
          last 30 minutes or do not have SMTP Authentication turned on in your email client.
        authenticated = *

      deny message = $sender_fullhost is currently not permitted to \
          relay through this server. Perhaps you \
          have not logged into the pop/imap server in the \
          last 30 minutes or do not have SMTP Authentication turned on in your email client.


    #!!# ACL that is used after the DATA command
    check_message:
      require verify = header_sender
      accept
    ################################


    Please let me know if there is anything wrong with it. As soon as I save it, it doesn't give any errors. I want to block the spammer at the Exim level to reduce the consumption of server resources.
     
    #15 checked, Aug 11, 2004
    Last edited: Aug 11, 2004
  16. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    If you use :blackhole: then exim accepts the email, processes it through all your RBLs and other assorted rules you have - then deletes it.
     
  17. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    The Dictionary Attack ACL you mentioned will only be effective if you have your Default Addresses set to :fail: and you have the recipient check (which you should since it's been in the cPanel default configuration for months now). Using it should definitely not increase server load, quite the contrary, since mail will be stopped at the RCPT.

    However, there is a major flaw in that ACL and the like, since most put in a delay which on a badly attacked server will cause an effective DOS on exim because you'll soon use all your child processes up with waiting exim processes. If you remove this line, that will be prevented:
    delay = ${eval:30*$rcpt_fail_count}s

    The disadvantage of removing the line, is that the attacker will often reconnect and try again straight away. My experience has shown that many do, but enough don't to make a significant difference.

    I'm actually working on a far better ACL which stores dictionary attack IPs and allows you to either block them at the MTA or iptables firewall. I'll post a link in the Addons forum when it's ready.
     
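    An added example, not code from the thread or from cPanel/Exim: a small Python model of the RCPT-time ACL posted above (the `drop` after ALLOWEDRCPTFAIL probes, then `accept ... endpass ... verify = recipient`), run against a constructed dictionary probe. It shows chirpy's two points: with the default address set to :blackhole: every local part routes, so `verify = recipient` succeeds and nothing is rejected, while with :fail: the probes are refused at RCPT and the connection dropped; and the `delay` modifier is what keeps an exim child process busy per probing connection. Domain, Session, rcpt and probe are names chosen for this example.

```python
# Added example, not code from the thread: a Python model of the RCPT-time
# ACL posted above, to show why it only rejects unknown users when the
# domain's default address is :fail:, and what the delay modifier costs.
from dataclasses import dataclass, field

ALLOWEDRCPTFAIL = 3   # the knob from the WHM "First Editable Box"


@dataclass
class Domain:
    mailboxes: set            # local parts that really exist
    default: str              # ":fail:", ":blackhole:" or a forwarding address


@dataclass
class Session:                # one SMTP connection
    rcpt_fail_count: int = 0  # Exim's $rcpt_fail_count
    delay_seconds: int = 0    # seconds an exim child sat in "delay ="
    dropped: bool = False
    log: list = field(default_factory=list)


def verify_recipient(local_part: str, dom: Domain) -> bool:
    """'verify = recipient' asks the routers whether the address routes.
    A :blackhole: or forwarding default address makes every local part
    routable, so verification succeeds and nothing can be rejected."""
    return local_part in dom.mailboxes or dom.default != ":fail:"


def rcpt(sess: Session, local_part: str, dom: Domain, use_delay=True) -> str:
    """SMTP reply for one RCPT TO, in the order of the posted ACL."""
    if sess.dropped:
        return "connection closed"
    # drop  condition = ${if >{$rcpt_fail_count}{${eval:ALLOWEDRCPTFAIL-2}}}
    #       delay = ${eval:30*$rcpt_fail_count}s   (the line chirpy removes)
    #       domains = +local_domains   !verify = recipient
    if sess.rcpt_fail_count > ALLOWEDRCPTFAIL - 2:
        if use_delay:                      # modifier runs before the verify test
            sess.delay_seconds += 30 * sess.rcpt_fail_count
        if not verify_recipient(local_part, dom):
            sess.dropped = True
            sess.log.append(f"Dictionary attack ({sess.rcpt_fail_count} "
                            "failed probes). Dropping connection")
            return f"550 unknown user ({sess.rcpt_fail_count} failed queries)"
    # accept domains = +local_domains / endpass / verify = recipient
    if verify_recipient(local_part, dom):
        return "250 Accepted"
    sess.rcpt_fail_count += 1
    return "550 unknown user"


def probe(dom: Domain, local_parts, use_delay=True) -> dict:
    """Replay a constructed dictionary probe against one domain."""
    sess = Session()
    replies = [rcpt(sess, lp, dom, use_delay) for lp in local_parts]
    return {"accepted": replies.count("250 Accepted"),
            "dropped": sess.dropped, "delay": sess.delay_seconds,
            "replies": replies}


if __name__ == "__main__":
    # constructed sample: one real mailbox, four guessed names
    guesses = ["aaron", "abby", "abe", "abel", "info"]
    for default in (":fail:", ":blackhole:"):
        print(default, probe(Domain({"info"}, default), guesses))
```

    With :blackhole: all five RCPTs are accepted and the messages are only discarded after delivery, which is the bandwidth cost areha describes; with :fail: the third probe is refused and the connection dropped, and without the delay line no child process is held waiting.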
  18. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    Well I'm interested in seeing that, for me blocking at MTA is enough, I don't like blocking completely (ie. all services via firewall).
     
  19. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Thank You guys for helping me and getting me out of this trouble. :)

    And also thanks chirpy for clearing my doubts :)
     
  20. Juanra

    Juanra Well-Known Member

    Joined:
    Sep 22, 2001
    Messages:
    777
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Spain
    Chirpy, take a look at this ACL by Alan J. Flavell:

    http://article.gmane.org/gmane.mail.exim.user/19366

    The only problem is that it also blocks legitimate users who:
    a) don't authenticate, and
    b) forget to do pop before smtp auth
    before sending an email to multiple recipients, so a fix for that should be found (I haven't put a lot of thought into it, but I guess it should be easy).
     