distributed smtpauth attack

ccccanada

Well-Known Member
Jan 17, 2003
Hello

For the past week one of my servers has been suffering from distributed smtpauth attacks at an incredible rate.

I have CSF blocking the attacks, but since it's been going on for a week solid I was hoping someone here would have a way of helping me stop or at least limit these attacks.

I have increased the banned IPs in CSF from 100 to 200 and it seemed to have stopped the attacks for almost a day, although server load was higher than usual.

Now the attacks are back at a rate never seen before and IPs are getting unblocked just as fast as they get blocked, so anyone attacking with 200 IPs or more can just rotate the attacks through.

When I increase the banned IPs to 400, server load just gets too high it seems.

Does anyone have any ideas?

I have pasted one of the emails CSF sends when blocking below in the hopes someone may see a simple solution looking at this.


Thank you!
Harold


Code:
Time:     Tue Feb 11 16:31:53 2014 -0500
IP:       distributed smtpauth attack on account [[email protected]]
Failures: 5
Interval: 300 seconds
Blocked:  Permanent Block

Log entries:

2014-02-11 16:27:22 courier_plain authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3672: 535 Incorrect authentication data ([email protected])
2014-02-11 16:27:06 courier_plain authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3518: 535 Incorrect authentication data ([email protected])
2014-02-11 16:27:07 courier_login authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3518: 535 Incorrect authentication data ([email protected])
2014-02-11 16:31:48 courier_plain authenticator failed for (WIN712340928SRZ) [178.16.3.131]:58024: 535 Incorrect authentication data ([email protected])
2014-02-11 16:27:22 courier_login authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3672: 535 Incorrect authentication data ([email protected])

IP Addresses Blocked:

190.101.76.131 (CL/Chile/pc-131-76-101-190.cm.vtr.net)
178.16.3.131 (IM/Isle of Man/adsl178.16.3.131.manx.net)
 
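Added example (not part of the original post, and not CSF's own code): the alert above is CSF's distributed SMTP AUTH detection, which keys on the target account rather than the source IP, counting "authenticator failed" lines for one account within the alert's 300-second interval and checking how many distinct addresses they come from. The script below reimplements that logic over Exim mainlog lines in the same format as the alert, so you can see why a per-IP deny list caps out: the same five failures that trip the alert already come from two addresses, and an attacker rotating through more addresses than the deny list holds never stays blocked. The log lines, hostnames, IPs and mailbox names are constructed for the example; the thresholds (5 failures, 300 seconds, 2 distinct IPs) are assumptions chosen to match the alert, not values read from a csf.conf.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime

# Constructed sample log, in the Exim "authenticator failed" format shown in
# the CSF alert. Addresses and hostnames are invented for this example.
SAMPLE_LOG = """\
2014-02-11 16:27:06 courier_plain authenticator failed for pc-a.example.net (Contabilidad) [198.51.100.7]:3518: 535 Incorrect authentication data (ventas@example.com)
2014-02-11 16:27:07 courier_login authenticator failed for pc-a.example.net (Contabilidad) [198.51.100.7]:3518: 535 Incorrect authentication data (ventas@example.com)
2014-02-11 16:27:22 courier_plain authenticator failed for pc-a.example.net (Contabilidad) [198.51.100.7]:3672: 535 Incorrect authentication data (ventas@example.com)
2014-02-11 16:27:22 courier_login authenticator failed for pc-a.example.net (Contabilidad) [198.51.100.7]:3672: 535 Incorrect authentication data (ventas@example.com)
2014-02-11 16:31:48 courier_plain authenticator failed for (WIN712340928SRZ) [203.0.113.9]:58024: 535 Incorrect authentication data (ventas@example.com)
2014-02-11 16:40:01 courier_plain authenticator failed for (laptop) [192.0.2.55]:41001: 535 Incorrect authentication data (admin@example.com)
2014-02-11 16:58:30 courier_login authenticator failed for (laptop) [192.0.2.55]:41002: 535 Incorrect authentication data (admin@example.com)
"""

# Timestamp, authenticator name, source IP in brackets, and the account
# in the trailing parentheses. Hostname and (client name) may be absent.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ authenticator failed for .*?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:\d+: 535 Incorrect authentication data "
    r"\((?P<account>[^)]+)\)$"
)

FailedLogin = namedtuple("FailedLogin", "when ip account")


def parse_failures(log_text):
    """Return one FailedLogin per SMTP AUTH failure line; other lines are skipped."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            failures.append(FailedLogin(when, m.group("ip"), m.group("account")))
    return failures


def find_distributed_attacks(failures, interval=300, max_failures=5, min_unique_ips=2):
    """Group failures by target account and slide a window of `interval` seconds
    over them. An account is flagged when at least `max_failures` failures fall
    inside one window and they originate from at least `min_unique_ips` distinct
    addresses. Returns {account: (failure_count, sorted_ip_list)}.
    """
    by_account = defaultdict(list)
    for f in failures:
        by_account[f.account].append(f)

    hits = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e.when)
        window = deque()
        for e in events:
            window.append(e)
            # Drop events that have aged out of the interval.
            while (e.when - window[0].when).total_seconds() > interval:
                window.popleft()
            ips = {w.ip for w in window}
            if len(window) >= max_failures and len(ips) >= min_unique_ips:
                hits[account] = (len(window), sorted(ips))
                break  # first trigger is enough; CSF would alert here
    return hits


def attacking_ips(failures):
    """All distinct source addresses seen failing, i.e. how many deny-list
    entries a purely per-IP block would need to hold at once."""
    return sorted({f.ip for f in failures})


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    for account, (count, ips) in find_distributed_attacks(found).items():
        print(f"distributed smtpauth attack on account [{account}]: "
              f"{count} failures from {len(ips)} IPs: {', '.join(ips)}")
    print(f"{len(attacking_ips(found))} distinct source IPs would need blocking")
```

Run against a real /var/log/exim_mainlog the parser is the only part that needs to match your log format; the window logic is the same. The point of the example is the last function: the number of distinct source addresses is what has to fit under CSF's permanent deny cap (DENY_IP_LIMIT, the setting raised from 100 to 200 to 400 above), and a pool of attacking addresses larger than that cap is exactly the rotation the original post describes.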

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Yes, you can find discussion of this issue on the thread referenced in the previous post. In addition, if the attack is consistent you may need to consult with your data center or hosting provider about implementing additional firewall solutions outside of the server.

Thank you.