
distributed smtpauth attack

Discussion in 'E-mail Discussions' started by ccccanada, Feb 11, 2014.

  1. ccccanada

    ccccanada Well-Known Member

    Hello

    For the past week one of my servers has been suffering from distributed smtpauth attacks at an incredible rate.

    I have CSF blocking the attacks but since it's been going on for a week solid I was hoping someone here would have a way of helping me stop or at least limit these attacks.

    I have increased the banned IPs in CSF from 100 to 200 and it seemed to have stopped the attacks for almost a day although server load was higher than usual.

    Now the attacks are back at a rate never seen before and IPs are getting unblocked just as fast as they get blocked so anyone attacking with 200 IPs or more can just rotate the attacks through.

    When I increase the banned IPs to 400 server load just gets too high it seems.

    Does anyone have any ideas?

    I have pasted one of the emails CSF sends when blocking below in the hopes someone may see a simple solution looking at this.


    Thank you!
    Harold


    Code:
    Time:     Tue Feb 11 16:31:53 2014 -0500
    IP:       distributed smtpauth attack on account [admin@domain.org]
    Failures: 5
    Interval: 300 seconds
    Blocked:  Permanent Block
    
    Log entries:
    
    2014-02-11 16:27:22 courier_plain authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3672: 535 Incorrect authentication data (set_id=admin@domain.org)
    2014-02-11 16:27:06 courier_plain authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3518: 535 Incorrect authentication data (set_id=admin@domain.org)
    2014-02-11 16:27:07 courier_login authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3518: 535 Incorrect authentication data (set_id=admin@domain.org)
    2014-02-11 16:31:48 courier_plain authenticator failed for (WIN712340928SRZ) [178.16.3.131]:58024: 535 Incorrect authentication data (set_id=admin@domain.org)
    2014-02-11 16:27:22 courier_login authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3672: 535 Incorrect authentication data (set_id=admin@domain.org)
    
    IP Addresses Blocked:
    
    190.101.76.131 (CL/Chile/pc-131-76-101-190.cm.vtr.net)
    178.16.3.131 (IM/Isle of Man/adsl178.16.3.131.manx.net)
     
    #1 ccccanada, Feb 11, 2014
    Last edited by a moderator: Feb 11, 2014
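The alert in the first post fires on the account rather than on any single IP: five failures for one set_id inside 300 seconds, spread over two hosts. The Python below is an added example (not CSF's code and not from the thread) that applies the same rule to Exim auth-failure lines; the function name, the two-IP minimum and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample shaped like the alert's log entries (documentation IPs/domains).
SAMPLE_LOG = """\
2014-02-11 16:27:22 courier_plain authenticator failed for host-a.example (PC1) [192.0.2.10]:3672: 535 Incorrect authentication data (set_id=admin@example.org)
2014-02-11 16:27:06 courier_plain authenticator failed for host-a.example (PC1) [192.0.2.10]:3518: 535 Incorrect authentication data (set_id=admin@example.org)
2014-02-11 16:27:07 courier_login authenticator failed for host-a.example (PC1) [192.0.2.10]:3518: 535 Incorrect authentication data (set_id=admin@example.org)
2014-02-11 16:31:48 courier_plain authenticator failed for (WINHOST) [198.51.100.7]:58024: 535 Incorrect authentication data (set_id=admin@example.org)
2014-02-11 16:27:22 courier_login authenticator failed for host-a.example (PC1) [192.0.2.10]:3672: 535 Incorrect authentication data (set_id=admin@example.org)
2014-02-11 16:29:00 courier_login authenticator failed for (PC2) [203.0.113.5]:4100: 535 Incorrect authentication data (set_id=info@example.org)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed for "
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+: 535 Incorrect authentication data "
    r"\(set_id=(?P<account>[^)]+)\)"
)

def find_distributed_failures(lines, failures=5, interval=300, min_ips=2):
    """Return {account: sorted source IPs} for accounts with >= `failures`
    failed logins from >= `min_ips` distinct IPs in any `interval`-second window."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # anything that is not an SMTP AUTH failure is ignored
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["account"], m["ip"]))
    events.sort()  # the alert lists entries out of order, so sort by time first
    windows = defaultdict(deque)  # account -> recent (timestamp, ip) pairs
    flagged = defaultdict(set)
    for ts, account, ip in events:
        win = windows[account]
        win.append((ts, ip))
        while (ts - win[0][0]).total_seconds() > interval:
            win.popleft()  # drop failures older than the window
        ips = {addr for _, addr in win}
        if len(win) >= failures and len(ips) >= min_ips:
            flagged[account] |= ips
    return {account: sorted(ips) for account, ips in flagged.items()}

if __name__ == "__main__":
    for account, ips in find_distributed_failures(SAMPLE_LOG.splitlines()).items():
        print(f"{account}: failures from {len(ips)} IPs: {', '.join(ips)}")
```

Grouping by set_id keeps the targeted mailbox visible even while the source IPs rotate in and out of the block list.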
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Yes, you can find discussion of this issue on the thread referenced in the previous post. In addition, if the attack is consistent you may need to consult with your data center or hosting provider about implementing additional firewall solutions outside of the server.

    Thank you.
     