Filtering SMTP abuse with CSF?

Discussion in 'Security' started by Razva, Apr 2, 2019.

  1. Razva

    Razva Member

    Hello,

    Lately I'm seeing a lot of incoming SMTP traffic, which is rejected by EXIM.

    Example:
    Code:
    2019-04-02 18:29:24 Connection from [85.117.56.68]:59957 refused: too many connections
    2019-04-02 18:29:24 SMTP connection from net-2-45-190-15.cust.vodafonedsl.it [2.45.190.15]:28532 lost D=5s
    2019-04-02 18:29:24 SMTP connection from [58.187.54.168]:41794 (TCP/IP connection count = 20)
    2019-04-02 18:29:24 Connection from [212.58.114.238]:7242 refused: too many connections
    2019-04-02 18:29:24 Connection from [93.43.177.139]:21547 refused: too many connections
    2019-04-02 18:29:24 SMTP connection from [89.237.193.46]:30978 closed by QUIT
    2019-04-02 18:29:24 SMTP connection from [195.158.25.219]:42732 lost D=5s
    2019-04-02 18:29:24 SMTP connection from [58.187.54.168]:20416 lost D=5s
    2019-04-02 18:29:24 SMTP connection from [91.233.82.191]:58645 (TCP/IP connection count = 18)
    2019-04-02 18:29:25 SMTP connection from [178.122.48.204]:1038 (TCP/IP connection count = 19)
    2019-04-02 18:29:25 SMTP connection from [201.240.154.90]:61310 (TCP/IP connection count = 20)
    2019-04-02 18:29:25 Connection from [89.237.192.180]:11340 refused: too many connections
    2019-04-02 18:29:25 Connection from [188.170.73.74]:5499 refused: too many connections
    2019-04-02 18:29:25 Connection from [195.225.231.217]:14276 refused: too many connections
    2019-04-02 18:29:25 Connection from [95.59.225.66]:17143 refused: too many connections
    2019-04-02 18:29:25 SMTP connection from [78.7.108.194]:52370 lost D=5s
    2019-04-02 18:29:25 SMTP connection from [84.53.237.1]:32376 (TCP/IP connection count = 20)
    2019-04-02 18:29:25 Connection from [130.193.120.32]:55245 refused: too many connections
    2019-04-02 18:29:25 Connection from [154.120.93.30]:48987 refused: too many connections
    2019-04-02 18:29:25 Connection from [89.237.192.180]:14844 refused: too many connections
    2019-04-02 18:29:25 Connection from [217.59.234.10]:54811 refused: too many connections
    2019-04-02 18:29:25 SMTP connection from host99-109-static.41-88-b.business.telecomitalia.it [88.41.109.99]:62714 lost D=5s
    2019-04-02 18:29:26 SMTP connection from [58.187.54.168]:15312 lost D=5s
    2019-04-02 18:29:26 SMTP connection from [58.145.191.249]:59469 (TCP/IP connection count = 19)
    2019-04-02 18:29:26 SMTP connection from [95.58.113.94]:12139 lost D=5s
    2019-04-02 18:29:26 SMTP connection from [95.78.159.137]:61100 (TCP/IP connection count = 19)
    2019-04-02 18:29:26 SMTP connection from [102.107.165.69]:55804 (TCP/IP connection count = 20)
    2019-04-02 18:29:26 Connection from [116.193.161.106]:59503 refused: too many connections
    2019-04-02 18:29:26 no host name found for IP address 102.107.165.69
    2019-04-02 18:29:26 Connection from [41.94.87.2]:56450 refused: too many connections
    2019-04-02 18:29:26 Connection from [178.64.15.142]:15812 refused: too many connections
    2019-04-02 18:29:26 Connection from [42.113.153.155]:38796 refused: too many connections
    2019-04-02 18:29:26 Connection from [185.74.102.23]:58144 refused: too many connections
    2019-04-02 18:29:26 Connection from [191.89.211.49]:50738 refused: too many connections
    2019-04-02 18:29:26 Connection from [178.17.206.2]:63274 refused: too many connections
    2019-04-02 18:29:27 Connection from [31.47.135.206]:6191 refused: too many connections
    2019-04-02 18:29:27 Connection from [89.237.192.180]:14767 refused: too many connections
    2019-04-02 18:29:27 Connection from [213.108.19.155]:2349 refused: too many connections
    2019-04-02 18:29:27 Connection from [94.190.86.131]:16983 refused: too many connections
    2019-04-02 18:29:27 SMTP connection from [37.212.205.4]:23829 lost D=5s
    2019-04-02 18:29:27 SMTP connection from [111.91.107.103]:48708 (TCP/IP connection count = 20)
    2019-04-02 18:29:27 SMTP connection from [42.110.227.192]:4127 lost D=5s
    2019-04-02 18:29:27 SMTP connection from [87.247.37.118]:28895 (TCP/IP connection count = 20)
    2019-04-02 18:29:27 Connection from [42.110.227.192]:43645 refused: too many connections
    2019-04-02 18:29:27 SMTP connection from [95.47.184.104]:30138 lost D=7s
    2019-04-02 18:29:28 SMTP connection from [83.139.131.57]:40943 (TCP/IP connection count = 20)
    2019-04-02 18:29:28 no host name found for IP address 83.139.131.57
    2019-04-02 18:29:28 Connection from [95.78.159.137]:61142 refused: too many connections
    2019-04-02 18:29:28 Connection from [83.139.131.57]:40964 refused: too many connections
    2019-04-02 18:29:28 Connection from [39.40.5.115]:51608 refused: too many connections
    2019-04-02 18:29:28 Connection from [212.34.38.70]:2567 refused: too many connections
    2019-04-02 18:29:28 SMTP connection from [120.188.33.37]:9966 lost D=5s
    2019-04-02 18:29:28 SMTP connection from [185.22.217.118]:15794 (TCP/IP connection count = 20)
    I've set CONNLIMIT but it doesn't seem to have any result. The setting is as follows:
    Code:
    80;75 21;50 110;20 995;20 143;20 993;20 25;20 26;20 587;20 465;20
    EXIM is dropping connections, because I set 20 as max connections, but I have no idea why CSF is not blocking them.

    Any hints on what I'm doing wrong?

    Thank you,
    Razva
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    This looks like it is resulting in a large number of connections getting dropped. What makes you think the connlimits aren't working? As far as why CSF isn't blocking them, it's not going to block connection attempts that aren't able to connect due to connection limiting.
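
Added example, not part of either post: a small parser for the Exim log lines quoted in the question, counting connection attempts per source address alongside the running connection count Exim reports. CSF's CONNLIMIT limits concurrent connections per IP address, so attempts seen in a few-second excerpt are only a rough proxy for it; `summarize` and `per_ip_limit` are names assumed here.

```python
import re
from collections import Counter

# Eight lines copied from the Exim log excerpt in the first post of this thread.
SAMPLE_LOG = """\
2019-04-02 18:29:24 Connection from [85.117.56.68]:59957 refused: too many connections
2019-04-02 18:29:24 SMTP connection from net-2-45-190-15.cust.vodafonedsl.it [2.45.190.15]:28532 lost D=5s
2019-04-02 18:29:24 SMTP connection from [58.187.54.168]:41794 (TCP/IP connection count = 20)
2019-04-02 18:29:25 Connection from [89.237.192.180]:11340 refused: too many connections
2019-04-02 18:29:25 Connection from [89.237.192.180]:14844 refused: too many connections
2019-04-02 18:29:26 no host name found for IP address 102.107.165.69
2019-04-02 18:29:27 Connection from [89.237.192.180]:14767 refused: too many connections
2019-04-02 18:29:27 SMTP connection from [87.247.37.118]:28895 (TCP/IP connection count = 20)
"""

# "<date> <time> [SMTP connection|Connection] from [host ][ip]:port <rest>"
EVENT = re.compile(r"^\S+ \S+ (?:SMTP c|C)onnection from .*?\[(?P<ip>[0-9A-Fa-f.:]+)\]:\d+ (?P<rest>.*)$")
COUNT = re.compile(r"\(TCP/IP connection count = (\d+)\)")


def summarize(log_text, per_ip_limit=20):
    """per_ip_limit defaults to the 25;20 entry of the CONNLIMIT value in the post."""
    refused, accepted, peak = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # e.g. "no host name found for IP address ..."
        ip, rest = m.group("ip"), m.group("rest")
        if rest.startswith("refused: too many connections"):
            refused[ip] += 1  # turned away at the cap the poster set to 20
        elif (c := COUNT.search(rest)):
            accepted[ip] += 1  # new connection; Exim logs its running total
            peak = max(peak, int(c.group(1)))
        # "lost" / "closed by QUIT" lines end a connection and are not attempts
    attempts = refused + accepted
    return {
        "sources": len(attempts),
        "refused": sum(refused.values()),
        "accepted": sum(accepted.values()),
        "peak_global_count": peak,
        "busiest": attempts.most_common(1)[0] if attempts else None,
        "over_per_ip_limit": sorted(ip for ip, n in attempts.items() if n >= per_ip_limit),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On these lines the busiest address accounts for three attempts while Exim's own counter sits at 20, so nothing in the excerpt reaches the per-IP figure.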
     