Exim ACL to block buffer overflow attempts

lshaw (Member, May 24, 2007)
One of our cPanel servers has been getting bombarded by a (mostly) LACNIC botnet attempting a (presumed) antiquated buffer overflow exploit for versions of Exim < 4.7. Since our server is running 4.80.1, I believe the attempts have been successfully thwarted; however, this has created another problem: exim log size.

Understand that so far, since log rotation on Sunday, over 52000 unique IPs have made these buffer overflow attempts, some only 2 or 3 attempts, others thousands. Each time one does, it creates log entries similar to this (this has been washed through 'strings' to make it more human-friendly):

Code:
2013-07-10 19:39:58 [4927] SMTP syntax error in "\235\3112\225F\370|\226\322"   \0167J\001\230\270\214\340\227\274\307l\017\245k\302\020\225S\220\231\342\205\344\234\246\262\257\235*L\025\236(\257\243\234\247G    \235\007\023\305\237}F\315\236\271\017\303\240t\270\344\237  =\003\240#;\202\240\247\324\361\2427j\314\241.\325\241\242\371]\222\244\271f\312\242\3530|\243!\311\341\243\305\311&\245\240\303^\245\261d\004\035kns\036}\212\016\247\350\272\331\252\024\032\305\250;\354\244\226A\202\211\251fE<\252*\262T\252\005}\006\253\270~,\254\222k7\003Gmq\255\345?\264\255\272\333\300\256Vp\177\256\177\242\313\2563^k\257\201\302\003\260\226\2166\260]\317\224\260\316V\214\261y\224\376\f:\226D\262\244\306\017\263\022=\020'\256\205\207\266\274/\234,\277\313=\2703"#\2669]\257-\277'a.3Q\354\267s\351Q\270N\241p\271\232\005     \272    |\265\271Q\026\033\272dF\233-\255D\346\272f\023\337\273\301\335\220\274\343\017\335\274\021n\255\275IA\237\276\3564\321\277\034\003\220\300>\302     \302\033['\301a\277\206\303B\236=\035\004\034\236\304\300\216\357\302!\267\202\305+\277\272\303\037\232\3677\272!\322\304\007\206\2368\373\331o\306\177\254|\310\347\272\3769\027\354Z:\224s,\312\266g{;\364E\026\311|.+=s=\314%\337\330\370\312\323,\376\313{\241]?\351\373\b\317=\224n\3170\217\353\320\261\255lB\333CdD|\315\363*\371V\233\322\336]\323\320 \R\321\227\352\376\323bZ\321\321j\265\260\324K\264/\325J\207\232\323\315\203\230\324?\253\252\327|\371\217I\367\256AJ\023{\023\327\203Z&K||\2253d\005=\333C\317\356\333~\244\332\331\245\326&\332A\314\354\334V>\233\333\261\bM\334\021-\203\336\3673\273\334\330\216\232\337\324\234\bQ\240b\005\336m\275\344\340?Qw     m\267\340\342afcT\346\027\004\f\346R|\342&\232)V\223\266;Z\221\201'W\307\031,\344 \344\335\344b\342\\345\376\327"\3502p\210\350\030w\300\346/\023\002\3502\321\036\352\v\253\260_\365\       
`Cub`\023\203\352a\022\363\231iS\341\033j\032\354\351b\357\311N\354W\372\031\355\346\1\356\r\217}\356A'\343\356\202%b\357\266\275\307\357+T\254\360lR+\361\336\266\303\361\342\350\017\362"\347\216\362o\254\204\363\320K'\363\260I\246\363\377L\341\363\211\263\344k^\3450l\334t\356\365*\331\206\366i\247\024\370s\200\312k\226\342Kx\353\002\347p)\\254\374fc\344\372H'^\375b\007Br\353\375{\376N\220\255\374\222a\206t\241v\352tt)8uwm\215v\242\355A\377" H=[190.42.187.64]:49322 I=[64.140.224.205]:25 NULL character(s) present (shown as '?')
This is resulting in incredibly large log files that are actually causing some disk space concerns. Of course I could increase the amount of disk space available to /var, or I could change log rotation schedules, but I would like to find a more elegant solution. My ideas are:

  • Exim logging tweak - configure the Exim logging facility in such a way as to not log errors when 'syntax errors' or 'too many unrecognized commands' are encountered. (Currently it is set to log_selector = +all)
  • Exim ACL - Build an ACL that says something like 'too many errors like the above, ban the IP'.

Unfortunately, I do not know how to do either of these things, and the Google searching I've done has not yielded results that I can easily comprehend. I've also gone through the Exim documentation on ACLs, and there too I cannot quite grasp how to do either of these things.

So I turn to you, cPanel community at large (and any cPanel techs that might stumble upon this). Would anyone be able to offer advice on how to accomplish either of the above, or perhaps offer an alternative solution to the problem?

I thank you in advance for your time and consideration.
 

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
Hello :)

You could modify the "log_selector" entry in your Exim configuration to reduce the logging output. The following documentation may be helpful:

Exim - Log Files

On the above document, scroll to:

15. Reducing or increasing what is logged

One of the optional log items is "smtp_syntax_error".

Thank you.
 

lshaw (Member, May 24, 2007)
Well don't I feel silly. That worked perfectly, thank you very much for your help.
 

nyoman (Member, Nov 25, 2008)
Thanks @cPanelMichael
This is just to reduce exim_mainlog
On my server, when I tail -f with PuTTY I get errors in PuTTY:

PuTTYPuTTYPuTTYPuTTYPuTTY2013-08-28 17:28:14 SMTP connection from a10-34.xxxxxx [x.y.z.34]:46929 I=[198.x.y.z]:25 lost (error: Connection reset by peer)
2013-08-28 1¡ÊÃ")14 SMTP call from [94.126.153.101]:61884 I=[198.x.y.z]:25 dropped: too many syntax or protocol errors (last command was "]
f9MJÃ×öF®¶¼?

And how do I know if the ACL is working for this attack?
 

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
2013-08-28 17:28:14 SMTP connection from a10-34.xxxxxx [x.y.z.34]:46929 I=[198.x.y.z]:25 lost (error: Connection reset by peer)
2013-08-28 1¡ÊÃ")14 SMTP call from [94.126.153.101]:61884 I=[198.x.y.z]:25 dropped: too many syntax or protocol errors (last command was "]
This looks more like a case where a spammer is using too many commands at SMTP time with a mailer script. You may want to block the IP address making the connection in your firewall.

Thank you.
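The two Exim-side answers in this thread are both single configuration options rather than ACLs: the "SMTP syntax error" lines go away with the log_selector change cPanelMichael points to (for example `log_selector = +all -smtp_syntax_error` in place of `+all`), and the "dropped: too many syntax or protocol errors" lines in nyoman's log are Exim itself disconnecting a client after `smtp_max_synprot_errors` malformed commands (default 3). There is no ACL event for a malformed command, so "too many errors, ban the IP" has to be done outside Exim, from the log. The script below is an added example written for this thread, not code from cPanel, Exim or any poster: it counts both kinds of error events per remote address from a constructed sample of exim_mainlog lines modelled on the ones quoted above, lists the addresses over a threshold, and renders iptables rules for them. It reads the log as bytes because the junk the bots send is not valid UTF-8 (which is also why tail -f in a terminal prints PuTTY's answerback string and other garbage). The sample addresses other than the two taken from the thread, the message id and the high-bit bytes are made up.

```python
"""Count Exim SMTP syntax/protocol-error events per remote IP (added example)."""
import re
from collections import Counter

# Constructed sample modelled on the exim_mainlog lines quoted in the thread.
# 190.42.187.64 and 94.126.153.101 appear in the thread; the other addresses,
# the message id and the high-bit bytes are invented for the example.
SAMPLE_LOG = b"".join([
    b'2013-07-10 19:39:58 [4927] SMTP syntax error in "\x9d\xc9\x32\x95F\xf8|\x96\xd2" '
    b'H=[190.42.187.64]:49322 I=[64.140.224.205]:25 NULL character(s) present (shown as \'?\')\n',
    b'2013-07-10 19:39:58 [4927] SMTP syntax error in "\xb5\x00\xde\xad" '
    b'H=[190.42.187.64]:49322 I=[64.140.224.205]:25 NULL character(s) present (shown as \'?\')\n',
    b'2013-07-10 19:39:59 [4927] SMTP syntax error in "\xff\xfe" '
    b'H=[190.42.187.64]:49322 I=[64.140.224.205]:25\n',
    b'2013-07-10 19:39:59 [4927] SMTP call from [190.42.187.64]:49322 I=[64.140.224.205]:25 '
    b'dropped: too many syntax or protocol errors (last command was "\x9d\xc9")\n',
    b'2013-08-28 17:28:14 SMTP connection from a10-34.example [10.34.56.78]:46929 '
    b'I=[198.51.100.9]:25 lost (error: Connection reset by peer)\n',
    b'2013-08-28 17:28:14 SMTP call from [94.126.153.101]:61884 I=[198.51.100.9]:25 '
    b'dropped: too many syntax or protocol errors (last command was "]\xf9MJ")\n',
    b'2013-08-28 17:28:20 1V4jBk-0001xT-2U <= alice@example.com H=(mail.example.com) '
    b'[203.0.113.5]:33101 P=esmtp S=1204\n',
])

# The two events we count. The first is the line log_selector's
# smtp_syntax_error item controls; the second is written when Exim drops a
# connection after smtp_max_synprot_errors malformed commands.
ERROR_MARKERS = ("SMTP syntax error", "too many syntax or protocol errors")

# Remote address as Exim prints it: "H=[a.b.c.d]" on most lines, or
# "SMTP call from [a.b.c.d]" / "... from hostname [a.b.c.d]" on connection lines.
IP_RE = re.compile(r"(?:H=|from (?:\S+ )?)\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def classify(line: str):
    """Return (ip, marker) for an error line, or None for any other line."""
    for marker in ERROR_MARKERS:
        if marker in line:
            m = IP_RE.search(line)
            if m:
                return m.group(1), marker
    return None


def count_errors(raw: bytes) -> Counter:
    """Per-IP count of syntax/protocol error events in raw log bytes."""
    counts = Counter()
    # latin-1 maps every byte to exactly one code point, so decoding can never
    # fail on the binary junk; the ASCII fields we parse are unaffected.
    for line in raw.decode("latin-1").splitlines():
        hit = classify(line)
        if hit:
            counts[hit[0]] += 1
    return counts


def offenders(raw: bytes, threshold: int = 3) -> dict:
    """Addresses with at least `threshold` error events."""
    return {ip: n for ip, n in count_errors(raw).items() if n >= threshold}


def block_commands(bad: dict) -> list:
    """iptables rules dropping port 25 from each offender (rendered, not run)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in sorted(bad)]


def scan_file(path: str, threshold: int = 3) -> dict:
    """offenders() over a real exim_mainlog, opened in binary mode on purpose."""
    with open(path, "rb") as fh:
        return offenders(fh.read(), threshold)


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG)
    for ip, n in sorted(bad.items()):
        print(f"{ip}: {n} error events")
    print("\n".join(block_commands(bad)))
```

On the sample, only 190.42.187.64 crosses the default threshold of 3 (three syntax-error lines plus one drop); the connection that was merely reset and the legitimate delivery line are ignored. Running scan_file() against /var/log/exim_mainlog gives the same per-IP view, and the "dropped" lines it counts are the evidence that Exim's own synprot limit is doing its job. Use the log_selector change to stop the noise, and feed the offender list into whatever your firewall takes, rather than trying to do the banning inside Exim.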
 

nyoman (Member, Nov 25, 2008)
I cannot block the IPs manually, sir :)
There are many IPs trying to attack the server.

I tried using fail2ban but had no luck.
 

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
You may want to open a new thread in the "Security" forum here for additional advice, as this issue is a bit different from the original topic on this thread.

Thank you.