The Community Forums


distributed attack on the email server today.

Discussion in 'E-mail Discussions' started by jols, May 18, 2011.

  1. jols

    We are seeing hundreds of log entries like this:

    2011-05-18 16:55:36 H=(M6nI9Dhe.com) [95.74.239.102] F=<hhfsoqtinw@1W1YK88.com> rejected RCPT <user@domain.com>: Sender verify failed
    2011-05-18 16:55:44 H=(0j6cYg7.com) [187.90.113.193] F=<rgvioikfg@sF3d8.com> rejected RCPT <user@domain.com>: Sender verify failed
    2011-05-18 16:56:22 H=(FSHXl_K9.com) [187.75.54.229] F=<ghchszhhra@z2tbNkWB.com> rejected RCPT <user@domain.com>: Sender verify failed
    2011-05-18 16:56:48 H=(Z6jI8mgW.com) [89.40.253.34] F=<rtygoxeiy@I83U05.com> rejected RCPT <user@domain.com>: Sender verify failed
    2011-05-18 16:56:55 H=(0H6K1bet.com) [190.194.40.21] F=<fbzhfewbua@5p183.com> rejected RCPT <user@domain.com>: Sender verify failed
    2011-05-18 16:57:01 H=(C3QHVY.com) [190.71.57.242] F=<jwewglpy@xR12s.com> rejected RCPT <user@domain.com>: Sender verify failed
    2011-05-18 16:57:08 H=(0Xyv07jJ.com) [190.49.168.191] F=<esyxyyqip@hAkWzML.com> rejected RCPT <user@domain.com>: Sender verify failed
    2011-05-18 17:00:05 H=(03s0M_Gs.com) [186.112.1.35] F=<dpijquqh@E8go8e.com> rejected RCPT <user@domain.com>: Sender verify failed

    Note: I've exchanged the real targeted address/user with this "user@domain.com".

    And they are not just going after one email address/user here.

    So unlike the other, similar attacks I've seen, they are using random, spoofed source IP addresses; thus there is nothing we can block to fend off the attack.

    At times exim goes down if the number of failed accesses is high enough, and then of course our hosted customers start complaining.

    Now, in the past I've understood that this kind of thing can be mitigated by including "log_selector = -rejected_header" in the exim config, which we have done, but this does not seem to help.

    Does anyone have any idea about what we could do as a countermeasure to this?

    Thanks.
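To tell a genuinely distributed flood apart from one that a per-IP block would handle, the first step is to parse the reject lines and aggregate them by source IP, recipient and minute. The following is an added example, not code from the post or from cPanel/exim: it assumes the mainlog line layout shown above (`timestamp H=(helo) [ip] F=<sender> rejected RCPT <rcpt>: reason`), and the "distributed" thresholds, the `block_candidates` helper and the second sample set (IP 203.0.113.7, a documentation address) are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the exim mainlog reject lines quoted in the post (assumed layout).
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)

# The eight lines from the post (recipient already anonymised by the poster).
SAMPLE_POST_LINES = [
    "2011-05-18 16:55:36 H=(M6nI9Dhe.com) [95.74.239.102] F=<hhfsoqtinw@1W1YK88.com> rejected RCPT <user@domain.com>: Sender verify failed",
    "2011-05-18 16:55:44 H=(0j6cYg7.com) [187.90.113.193] F=<rgvioikfg@sF3d8.com> rejected RCPT <user@domain.com>: Sender verify failed",
    "2011-05-18 16:56:22 H=(FSHXl_K9.com) [187.75.54.229] F=<ghchszhhra@z2tbNkWB.com> rejected RCPT <user@domain.com>: Sender verify failed",
    "2011-05-18 16:56:48 H=(Z6jI8mgW.com) [89.40.253.34] F=<rtygoxeiy@I83U05.com> rejected RCPT <user@domain.com>: Sender verify failed",
    "2011-05-18 16:56:55 H=(0H6K1bet.com) [190.194.40.21] F=<fbzhfewbua@5p183.com> rejected RCPT <user@domain.com>: Sender verify failed",
    "2011-05-18 16:57:01 H=(C3QHVY.com) [190.71.57.242] F=<jwewglpy@xR12s.com> rejected RCPT <user@domain.com>: Sender verify failed",
    "2011-05-18 16:57:08 H=(0Xyv07jJ.com) [190.49.168.191] F=<esyxyyqip@hAkWzML.com> rejected RCPT <user@domain.com>: Sender verify failed",
    "2011-05-18 17:00:05 H=(03s0M_Gs.com) [186.112.1.35] F=<dpijquqh@E8go8e.com> rejected RCPT <user@domain.com>: Sender verify failed",
]

# Constructed contrast case: the same volume from a single source IP.
SAMPLE_CONCENTRATED = [
    f"2011-05-18 18:01:{10 + i:02d} H=(mail.example.net) [203.0.113.7] "
    f"F=<x{i}@example.net> rejected RCPT <user@domain.com>: Sender verify failed"
    for i in range(6)
]


def parse_line(line):
    """Return a dict of fields for a reject line, or None if it does not match."""
    m = REJECT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    return d


def summarize(lines, distributed_ip_share=0.25, min_distinct_ips=5):
    """Aggregate reject lines and judge whether the source set is distributed.

    Thresholds are assumptions: 'distributed' means at least min_distinct_ips
    sources and no single IP above distributed_ip_share of all rejects.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    ips = Counter(e["ip"] for e in events)
    rcpts = Counter(e["rcpt"] for e in events)
    reasons = Counter(e["reason"] for e in events)
    per_minute = Counter(e["ts"].strftime("%Y-%m-%d %H:%M") for e in events)
    total = len(events)
    top_ip, top_hits = ips.most_common(1)[0] if ips else (None, 0)
    top_share = top_hits / total if total else 0.0
    return {
        "total": total,
        "distinct_ips": len(ips),
        "top_ip": top_ip,
        "top_ip_share": top_share,
        "distinct_recipients": len(rcpts),
        "reasons": reasons,
        "peak_per_minute": max(per_minute.values()) if per_minute else 0,
        "distributed": len(ips) >= min_distinct_ips and top_share <= distributed_ip_share,
    }


def block_candidates(lines, min_hits=5):
    """IPs with at least min_hits rejects: the only ones a per-IP block would help with."""
    ips = Counter(e["ip"] for e in (parse_line(l) for l in lines) if e)
    return sorted(ip for ip, n in ips.items() if n >= min_hits)


if __name__ == "__main__":
    for name, sample in (("post", SAMPLE_POST_LINES), ("concentrated", SAMPLE_CONCENTRATED)):
        s = summarize(sample)
        print(name, s["total"], "rejects from", s["distinct_ips"], "IPs,",
              "peak/min", s["peak_per_minute"], "distributed:", s["distributed"],
              "block candidates:", block_candidates(sample))
```

Run it over a copy of `/var/log/exim_mainlog` (one line per call to `parse_line`) to get the numbers a decision needs: if every IP appears once, as in the post, per-IP blocking is pointless and the useful levers are the cost of each rejection (how much work exim does before `Sender verify failed`) and connection-level limits; if a handful of IPs dominate, `block_candidates` lists them.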