The Community Forums


Does MailScanner block dictionary attacks?

Discussion in 'E-mail Discussions' started by AbeFroman, Aug 2, 2004.

  1. AbeFroman

    AbeFroman BANNED

    Does MailScanner block dictionary attacks?
     
  2. sawbuck

    sawbuck Well-Known Member

    Not to my knowledge; however, Chirpy on this forum gave me the following code to add to the Exim ACL directives using the WHM Exim Advanced Configuration.
    After "accept hosts = :" add the following:
    drop    message     = Appears to be a dictionary attack
            log_message = Dictionary attack (after $rcpt_fail_count failures)
            condition   = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
            !verify     = recipient
            delay       = ${eval: ($rcpt_fail_count + 1) * 1}m

    HTH
     
  3. chirpy

    chirpy Well-Known Member

    Thanks for the credit sawbuck :)

    A few things to note about dictionary attacks:

    1. This type of ACL (obviously) won't work if you use the catchall alias, that is, if it's set to anything other than :blackhole: or :fail:

    2. It only works on spammers using multiple SMTP RCPT commands - not all do

    I run this on around 6 servers now. On 2 of them it blocks a dictionary attack every few minutes. On the others it blocks them only a few times a day. It does depend on how you use your Default Address, and what sort of friendly spammers you have ;)
     
  4. AbeFroman

    AbeFroman BANNED

    So set the catch all to blackhole or fail and it should work?

    Can you post a copy of your /etc/exim.conf here?
     
  5. chirpy

    chirpy Well-Known Member

    Hi Abe,

    To install it, you should follow sawbuck's instructions. I'll repeat them here:

    You need to scroll to the first set of 3 boxes in the Advanced Exim Configuration Editor. In the middle of the 3 boxes you'll already have ACL definitions. You should insert the following after the "accept hosts = :" line
    Code:
    drop    message   = Appears to be a dictionary attack
            log_message = Dictionary attack (after $rcpt_fail_count failures)
            condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
            !verify   = recipient
            delay     = ${eval: ($rcpt_fail_count + 1) * 1}m
    
     
  6. AbeFroman

    AbeFroman BANNED

    This is what I have in the 2nd box in the set of 3 boxes:
    # This access control list is used for every RCPT command in an incoming
    # SMTP message. The tests are run in order until the address is either
    # accepted or denied.

    check_recipient:

      # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
      # testing for an empty sending host field.

      accept  hosts = :

      drop    message     = Appears to be a dictionary attack
              log_message = Dictionary attack (after $rcpt_fail_count failures)
              condition   = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
              !verify     = recipient
              delay       = ${eval: ($rcpt_fail_count + 1) * 1}m

      # Accept anything from localhost, and especially mailman which
      # chokes badly if you refuse its mail

      accept  hosts = 127.0.0.1/8

      # Deny if the local part contains . or @ or % or / or | or !. These are rarely
      # found in genuine local parts, but are often tried by people looking to
      # circumvent relaying restrictions.
      #
      # Also deny if the local part starts with a dot. Empty components aren't

      deny    local_parts = ^.*[@%!/|] : ^\\.

      # Blacklist of hosts
      deny    hosts   = +host_reject_rcpt
              message = Host $sender_host_address is blocked: ${lookup{$sender_host_address}lsearch{HOSTREJECTRCPT1}{$value}{"unspecified reason"}}

      # Blacklist of envelope senders
      deny    senders = +denyenvsenders
              message = Sender $sender_address is blocked: ${lookup{$sender_address}lsearch{BLOCKENVSEND1}{$value}{"unspecified reason"}}

      # Accept mail to POSTMASTER in any local domain, regardless of the source.
      # Uncomment the next two lines if you want to allow people to send e-mail
      # to postmaster@anydomain.com. SPAMMERS are getting real smart. I recommend
      # that you don't but if you wish, uncomment the next two lines.

      #accept local_parts = postmaster
      #       domains     = +local_domains

      # Now that we have all the overrides, we can start the deny rules #

      deny    message   = "HELO/EHLO required by SMTP RFC"
              condition = ${if eq{$sender_helo_name}{}{yes}{no}}

      deny    message   = Only one recipient accepted for NULL sender
              senders   = :
              condition = ${if >{$rcpt_count}{1} {1}}

      drop    log_message = Dictionary attack ($rcpt_fail_count failed probes). Dropping connection
              message     = unknown user ($rcpt_fail_count failed queries)
              condition   = ${if >{$rcpt_fail_count}{${eval:ALLOWEDRCPTFAIL-2}} {1}{0}}

              # We close the connection after a few failures, but we still
              # delay the sender because people who do dictionary attacks can
              # reconnect and try again, so let's slow them down
              delay       = ${eval:30*$rcpt_fail_count}s
              domains     = +local_domains
              !verify     = recipient

      # The following is a list of RBL's I use to check for spam. Depending on the
      # server, we may be using all of them or just a few. We are using zombie.dnsbl.sorbs.net

      deny    message     = X-RBL-Warning: $sender_host_address is in a blacklist at $dnslist_domain. http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?js&IP=$sender_host_address
              log_message = found in $dnslist_domain
              dnslists    = zombie.dnsbl.sorbs.net

      # deny    message     = X-RBL-Warning: $sender_host_address is in a blacklist at $dnslist_domain. http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?js&IP=$sender_host_address
      #         log_message = found in $dnslist_domain
      #         dnslists    = spam.dnsbl.sorbs.net
      #         !domains    = +whitelisted_domains

      # deny    message     = X-RBL-Warning: $sender_host_address is in a blacklist at $dnslist_domain. http://www.ordb.org/lookup/?host=$sender_host_address
      #         log_message = found in $dnslist_domain
      #         dnslists    = relays.ordb.org
      #         !domains    = +whitelisted_domains

      # deny    message     = X-RBL-Warning: $sender_host_address is in a blacklist at $dnslist_domain. http://www.ordb.org/lookup/?host=$sender_host_address
      #         log_message = found in $dnslist_domain
      #         dnslists    = sbl-xbl.spamhaus.org
      #         !domains    = +whitelisted_domains

      # For Spamcop, we are sending a warning and not denying the msgs unless it fails lower down.

      # warn    message        = X-DUL-Warning: $sender_host_address is in the SpamCop blacklist. http://www.spamcop.net/w3m?action=checkblock&ip=$sender_host_address
      #         log_message    = found in $dnslist_domain
      #         !authenticated = *
      #         dnslists       = bl.spamcop.net
      #         !domains       = +whitelisted_domains

      # Accept bounces to lists even if callbacks or other checks would fail
      warn    message   = X-WhitelistedRCPT-nohdrfromcallback: Yes
              condition = \
                ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                  {yes}{no}}

      accept  condition = \
                ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                  {yes}{no}}

      # Accept bounces to lists even if callbacks or other checks would fail
      warn    message   = X-WhitelistedRCPT-nohdrfromcallback: Yes
              condition = \
                ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                  {yes}{no}}

      accept  condition = \
                ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                  {yes}{no}}

      require verify = sender

      # Accept if the address is in a local domain, but only if the recipient can
      # be verified. Otherwise deny. The "endpass" line is the border between
      # passing on to the next ACL statement (if tests above it fail) or denying
      # access (if tests below it fail).

      # This section fixes the annoying problem of spammers sending mail to users and domains that don't exist on the box.
      # Why can't Cpanel learn that this fixes their issues. In order for this to happen successfully, users who want to use
      # :FAIL: should enter, :fail: no such address here! in their default control panel setting for undeliverable mail. To
      # find this section, log into the control panel for x or x2, click on Mail setting, Default Address, Set Default
      # address and in the space provided enter, :fail: no such address here!

      accept  domains = +local_domains
              endpass
              message = unknown user
              verify  = recipient

      # Accept if the address is in a domain for which we are relaying, but again,
      # only if the recipient can be verified.

      accept  domains = +relay_domains
              endpass
              message = unrouteable address
              verify  = recipient/callout=30s/callout_defer_ok

      accept  hosts = +relay_hosts
      accept  condition = ${perl{checkrelayhost}{$sender_host_address}}

      accept  hosts = +auth_relay_hosts
              endpass
              message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication turned on in your email client.
              authenticated = *

      deny    message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication turned on in your email client.


    #!!# ACL that is used after the DATA command
    check_message:
      require verify = header_sender

      ##### clamav ACL, reject virus infected mails with proper error

      deny    message   = This message contains malformed MIME ($demime_reason).
              demime    = *
              condition = ${if >{$demime_errorlevel}{2}{1}{0}}

      deny    message = This message contains a virus or other harmful content \
                        ($malware_name)
              demime  = *
              malware = *

      deny    message = Potentially executable content. If you meant to send this file \
                        then please package it up as a zip file and resend it.
              demime  = ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:pcd:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc

      # Add X-Scanned Header

      warn    message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

      ##### end clamav ACL
      accept

    But, in the mail log, I'm still getting hit with the dictionary attack:
    2004-08-03 08:11:26 H=(smtp1.alkar.net) [195.248.191.68] F=<> rejected RCPT <wei@unitedamericans.com>:
    2004-08-03 08:11:27 H=(smtp1.alkar.net) [195.248.191.68] F=<> rejected RCPT <maureen@unitedamericans.com>:
    2004-08-03 08:11:29 H=(omr-m08.mx.aol.com) [64.12.138.20] F=<> rejected RCPT <kyahn@unitedamericans.com>:
    2004-08-03 08:11:29 H=(omr-m12.mx.aol.com) [64.12.136.10] F=<> rejected RCPT <dwain@unitedamericans.com>:
    2004-08-03 08:11:29 H=(mx7.rambler.ru) [81.19.66.26] F=<postmaster@mx7.rambler.ru> rejected RCPT <jacob@unitedamericans.com>:
    2004-08-03 08:11:29 H=(mx8.rambler.ru) [81.19.66.157] F=<postmaster@mx8.rambler.ru> rejected RCPT <prasad@unitedamericans.com>:
    2004-08-03 08:11:30 H=(smtp1.alkar.net) [195.248.191.68] F=<> rejected RCPT <alex@unitedamericans.com>:
    2004-08-03 08:11:30 H=(omr-d06.mx.aol.com) [205.188.156.71] F=<> rejected RCPT <khueh@unitedamericans.com>:
    2004-08-03 08:11:30 H=(omr-m01.mx.aol.com) [64.12.138.1] F=<> rejected RCPT

    Got any tips?
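One way to check whether rejections like the ones in that log could ever trip a per-connection $rcpt_fail_count threshold, as an added example that is not code from the thread: it parses the "rejected RCPT" lines quoted above, counts them per connecting IP, and flags hosts that exceed the ACL's threshold of 3. It assumes the Exim mainlog line shape shown in the post; the sample is constructed from that excerpt.

```python
import re
from collections import Counter

# Constructed sample, taken from the rejected-RCPT lines quoted in the post above.
SAMPLE_LOG = """\
2004-08-03 08:11:26 H=(smtp1.alkar.net) [195.248.191.68] F=<> rejected RCPT <wei@unitedamericans.com>:
2004-08-03 08:11:27 H=(smtp1.alkar.net) [195.248.191.68] F=<> rejected RCPT <maureen@unitedamericans.com>:
2004-08-03 08:11:29 H=(omr-m08.mx.aol.com) [64.12.138.20] F=<> rejected RCPT <kyahn@unitedamericans.com>:
2004-08-03 08:11:29 H=(omr-m12.mx.aol.com) [64.12.136.10] F=<> rejected RCPT <dwain@unitedamericans.com>:
2004-08-03 08:11:29 H=(mx7.rambler.ru) [81.19.66.26] F=<postmaster@mx7.rambler.ru> rejected RCPT <jacob@unitedamericans.com>:
2004-08-03 08:11:29 H=(mx8.rambler.ru) [81.19.66.157] F=<postmaster@mx8.rambler.ru> rejected RCPT <prasad@unitedamericans.com>:
2004-08-03 08:11:30 H=(smtp1.alkar.net) [195.248.191.68] F=<> rejected RCPT <alex@unitedamericans.com>:
2004-08-03 08:11:30 H=(omr-d06.mx.aol.com) [205.188.156.71] F=<> rejected RCPT <khueh@unitedamericans.com>:
"""

# Exim mainlog rejection line: timestamp, HELO name, peer IP, envelope sender, recipient.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>"
)


def parse_rejections(log_text):
    """Return one dict per 'rejected RCPT' line; lines of any other shape are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def failures_per_host(events):
    """Rejected RCPTs per peer IP. This is only an upper bound on $rcpt_fail_count:
    Exim keeps that counter per SMTP connection and the log shows no connection
    boundaries, so a host that reconnects for every probe starts from zero each time."""
    return Counter(e["ip"] for e in events)


def hosts_exceeding(counts, threshold=3):
    """Peers that could have tripped 'condition = ${if >{$rcpt_fail_count}{3}...}'
    if all of their rejections had happened inside a single connection."""
    return sorted(ip for ip, n in counts.items() if n > threshold)


def null_sender_rejections(events):
    """Rejections with an empty envelope sender (F=<>), i.e. bounce messages: many
    distinct MTAs each sending one or two of these never reach a per-connection limit."""
    return [e for e in events if e["sender"] == ""]


if __name__ == "__main__":
    events = parse_rejections(SAMPLE_LOG)
    counts = failures_per_host(events)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} rejected RCPT(s)")
    print("hosts over threshold:", hosts_exceeding(counts) or "none")
    print("null-sender rejections:", len(null_sender_rejections(events)))
```

Run against a real /var/log/exim_mainlog the same way; a host that shows up with many rejections but never a "Dictionary attack" log_message is one that is spreading its probes over many short connections, which is the case chirpy's second caveat describes.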
     
  7. mr.wonderful

    mr.wonderful BANNED

    Looks like something you copied from Aussie's ruleset at Rackshack. I'm using the same ruleset without problems!
     