Filtering SMTP abuse with CSF?

Razva

Member
Hello,

Lately I'm seeing a lot of incoming SMTP traffic, which is rejected by EXIM.

Example:
Code:
2019-04-02 18:29:24 Connection from [85.117.56.68]:59957 refused: too many connections
2019-04-02 18:29:24 SMTP connection from net-2-45-190-15.cust.vodafonedsl.it [2.45.190.15]:28532 lost D=5s
2019-04-02 18:29:24 SMTP connection from [58.187.54.168]:41794 (TCP/IP connection count = 20)
2019-04-02 18:29:24 Connection from [212.58.114.238]:7242 refused: too many connections
2019-04-02 18:29:24 Connection from [93.43.177.139]:21547 refused: too many connections
2019-04-02 18:29:24 SMTP connection from [89.237.193.46]:30978 closed by QUIT
2019-04-02 18:29:24 SMTP connection from [195.158.25.219]:42732 lost D=5s
2019-04-02 18:29:24 SMTP connection from [58.187.54.168]:20416 lost D=5s
2019-04-02 18:29:24 SMTP connection from [91.233.82.191]:58645 (TCP/IP connection count = 18)
2019-04-02 18:29:25 SMTP connection from [178.122.48.204]:1038 (TCP/IP connection count = 19)
2019-04-02 18:29:25 SMTP connection from [201.240.154.90]:61310 (TCP/IP connection count = 20)
2019-04-02 18:29:25 Connection from [89.237.192.180]:11340 refused: too many connections
2019-04-02 18:29:25 Connection from [188.170.73.74]:5499 refused: too many connections
2019-04-02 18:29:25 Connection from [195.225.231.217]:14276 refused: too many connections
2019-04-02 18:29:25 Connection from [95.59.225.66]:17143 refused: too many connections
2019-04-02 18:29:25 SMTP connection from [78.7.108.194]:52370 lost D=5s
2019-04-02 18:29:25 SMTP connection from [84.53.237.1]:32376 (TCP/IP connection count = 20)
2019-04-02 18:29:25 Connection from [130.193.120.32]:55245 refused: too many connections
2019-04-02 18:29:25 Connection from [154.120.93.30]:48987 refused: too many connections
2019-04-02 18:29:25 Connection from [89.237.192.180]:14844 refused: too many connections
2019-04-02 18:29:25 Connection from [217.59.234.10]:54811 refused: too many connections
2019-04-02 18:29:25 SMTP connection from host99-109-static.41-88-b.business.telecomitalia.it [88.41.109.99]:62714 lost D=5s
2019-04-02 18:29:26 SMTP connection from [58.187.54.168]:15312 lost D=5s
2019-04-02 18:29:26 SMTP connection from [58.145.191.249]:59469 (TCP/IP connection count = 19)
2019-04-02 18:29:26 SMTP connection from [95.58.113.94]:12139 lost D=5s
2019-04-02 18:29:26 SMTP connection from [95.78.159.137]:61100 (TCP/IP connection count = 19)
2019-04-02 18:29:26 SMTP connection from [102.107.165.69]:55804 (TCP/IP connection count = 20)
2019-04-02 18:29:26 Connection from [116.193.161.106]:59503 refused: too many connections
2019-04-02 18:29:26 no host name found for IP address 102.107.165.69
2019-04-02 18:29:26 Connection from [41.94.87.2]:56450 refused: too many connections
2019-04-02 18:29:26 Connection from [178.64.15.142]:15812 refused: too many connections
2019-04-02 18:29:26 Connection from [42.113.153.155]:38796 refused: too many connections
2019-04-02 18:29:26 Connection from [185.74.102.23]:58144 refused: too many connections
2019-04-02 18:29:26 Connection from [191.89.211.49]:50738 refused: too many connections
2019-04-02 18:29:26 Connection from [178.17.206.2]:63274 refused: too many connections
2019-04-02 18:29:27 Connection from [31.47.135.206]:6191 refused: too many connections
2019-04-02 18:29:27 Connection from [89.237.192.180]:14767 refused: too many connections
2019-04-02 18:29:27 Connection from [213.108.19.155]:2349 refused: too many connections
2019-04-02 18:29:27 Connection from [94.190.86.131]:16983 refused: too many connections
2019-04-02 18:29:27 SMTP connection from [37.212.205.4]:23829 lost D=5s
2019-04-02 18:29:27 SMTP connection from [111.91.107.103]:48708 (TCP/IP connection count = 20)
2019-04-02 18:29:27 SMTP connection from [42.110.227.192]:4127 lost D=5s
2019-04-02 18:29:27 SMTP connection from [87.247.37.118]:28895 (TCP/IP connection count = 20)
2019-04-02 18:29:27 Connection from [42.110.227.192]:43645 refused: too many connections
2019-04-02 18:29:27 SMTP connection from [95.47.184.104]:30138 lost D=7s
2019-04-02 18:29:28 SMTP connection from [83.139.131.57]:40943 (TCP/IP connection count = 20)
2019-04-02 18:29:28 no host name found for IP address 83.139.131.57
2019-04-02 18:29:28 Connection from [95.78.159.137]:61142 refused: too many connections
2019-04-02 18:29:28 Connection from [83.139.131.57]:40964 refused: too many connections
2019-04-02 18:29:28 Connection from [39.40.5.115]:51608 refused: too many connections
2019-04-02 18:29:28 Connection from [212.34.38.70]:2567 refused: too many connections
2019-04-02 18:29:28 SMTP connection from [120.188.33.37]:9966 lost D=5s
2019-04-02 18:29:28 SMTP connection from [185.22.217.118]:15794 (TCP/IP connection count = 20)
I've set CONNLIMIT but it doesn't seem to have any result. The setting is as follows:
Code:
80;75 21;50 110;20 995;20 143;20 993;20 25;20 26;20 587;20 465;20
EXIM is dropping connections, because I set 20 as max connections, but I have no idea why CSF is not blocking them.

Any hints on what I'm doing wrong?

Thank you,
Razva
 

cPanelLauren

Product Owner
Staff member
This looks like it is resulting in a large number of connections getting dropped. What makes you think the connlimits aren't working? As far as why CSF isn't blocking them, it's not going to block connection attempts that aren't able to connect due to connection limiting.
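
An added example, not part of either post and not cPanel or CSF code: CSF applies each CONNLIMIT pair as a limit on concurrent connections per source IP address, while the "TCP/IP connection count" in the Exim log is the server-wide total. The script tallies connection attempts per source IP in ten lines excerpted from the log above and compares the busiest source against the port 25 limit; the function names are illustrative.

```python
import re
from collections import Counter

# Ten lines excerpted from the Exim log in the post above.
SAMPLE_LOG = """\
2019-04-02 18:29:24 Connection from [85.117.56.68]:59957 refused: too many connections
2019-04-02 18:29:24 SMTP connection from [58.187.54.168]:41794 (TCP/IP connection count = 20)
2019-04-02 18:29:24 Connection from [212.58.114.238]:7242 refused: too many connections
2019-04-02 18:29:24 SMTP connection from [58.187.54.168]:20416 lost D=5s
2019-04-02 18:29:24 SMTP connection from [91.233.82.191]:58645 (TCP/IP connection count = 18)
2019-04-02 18:29:25 Connection from [89.237.192.180]:11340 refused: too many connections
2019-04-02 18:29:25 Connection from [89.237.192.180]:14844 refused: too many connections
2019-04-02 18:29:26 no host name found for IP address 102.107.165.69
2019-04-02 18:29:27 Connection from [89.237.192.180]:14767 refused: too many connections
2019-04-02 18:29:27 SMTP connection from [42.110.227.192]:4127 lost D=5s
"""
# CONNLIMIT value from the post; each pair is port;max-connections-per-IP.
CONNLIMIT = "80;75 21;50 110;20 995;20 143;20 993;20 25;20 26;20 587;20 465;20"

REFUSED = re.compile(r"Connection from \[([\d.]+)\]:\d+ refused: too many connections")
ACCEPTED = re.compile(
    r"SMTP connection from (?:\S+ )?\[([\d.]+)\]:\d+ \(TCP/IP connection count = (\d+)\)")

def parse_connlimit(value):
    """Return {port: per-IP limit} from a CSF CONNLIMIT string."""
    return {int(p): int(n) for p, n in (pair.split(";") for pair in value.split())}

def summarize(log_text):
    """Tally new-connection attempts per source IP and the peak server-wide count."""
    attempts, refused, peak = Counter(), 0, 0
    for line in log_text.splitlines():
        if m := REFUSED.search(line):
            attempts[m.group(1)] += 1
            refused += 1
        elif m := ACCEPTED.search(line):
            attempts[m.group(1)] += 1
            peak = max(peak, int(m.group(2)))
    return attempts, refused, peak

def ips_over_limit(attempts, limit):
    """Source IPs whose attempt count in the sample exceeds the per-IP limit."""
    return sorted(ip for ip, n in attempts.items() if n > limit)

if __name__ == "__main__":
    limit = parse_connlimit(CONNLIMIT)[25]
    attempts, refused, peak = summarize(SAMPLE_LOG)
    print(f"{refused} refused, peak server-wide count {peak}, {len(attempts)} source IPs")
    print(f"busiest IP made {max(attempts.values())} attempts; per-IP limit is {limit}")
    print("IPs over the per-IP limit:", ips_over_limit(attempts, limit) or "none")
```

The attempt count per IP is an upper bound on that IP's concurrent connections in the sample, so a source that stays under the limit here cannot have reached the per-IP threshold.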