The Community Forums


is it hotmail??

Discussion in 'E-mail Discussions' started by maverick23, Feb 11, 2006.

  1. maverick23

    maverick23 Well-Known Member

    Joined:
    Feb 23, 2005
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    Just got attacked by around 35K mails from a Hotmail server... all were specifically for one domain, all the emails were from the same IP and the subject kept changing....

    2006-02-11 22:14:31 1F7xrJ-0003dK-1L <= hzgofu@hotmail.com H=(mx4.hotmail.com) [212.106.249.159] P=esmtp S=4275 T="AWARD NOTIFICATION ndjbi"

    Is it something to be worried about... all confused.... I didn't have much trouble, as all the mails went into the blackhole, but every time a mail was sent it was for a different email ID...

    At this time I have blocked this IP, but the emails kept coming in till Exim went down...

    Any suggestions as to what this is all about, or is someone trying to kill my server with DoS attacks?

    Pl. HELP

    Rajat
     
  2. mohit

    mohit Well-Known Member

    Joined:
    Jul 12, 2005
    Messages:
    553
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sticky On Internet
    hi,
    Have you checked why they reached your server, and who the recipient was? Or check whether they originated from your server and were then rejected by the recipient domain.

    It's very important you check this, as it may be possible that you have a spammer on the box.

    cheers,
    mohit
     
  3. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    I agree. You need to find out who is using your server to deliver their SPAM. If that continues you might get blacklisted by Anti SPAM agencies. Have you tried sending a message to a client with an AOL account? Are you blacklisted by AOL yet?
     
    #3 AndyReed, Feb 12, 2006
    Last edited: Feb 12, 2006
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Sounds more like a dictionary attack than a spammer on the server. If it's not your server that's the originator, then you can mitigate such attacks by:

    1. Make sure you're not using a catchall alias (i.e. set the Default User to :fail:)

    2. Use a dictionary attack ACL:
    http://www.configserver.com/free/eximdeny.html
     
  5. 24x7team

    24x7team Well-Known Member

    Joined:
    Jan 16, 2006
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    really tough to find
    If a catchall is set to :fail:, then the mail bounces and comes back again after a time.

    Best set a catch all to :blackhole:.

    This way it will accept mails and delete them, keeping the server load calm.
     
  6. Lyttek

    Lyttek Well-Known Member

    Joined:
    Jan 2, 2004
    Messages:
    770
    Likes Received:
    3
    Trophy Points:
    18
    Good grief... when will people stop this "blackhole is best" business? Why on earth would you want to accept all that email and THEN delete it? Kill it before it even gets on your server. If it's a real mistake, they'll fix the address. If it's a spammer, they'll ignore it.

    :blackhole: wastes time, wastes bandwidth.
     
  7. maverick23

    maverick23 Well-Known Member

    Joined:
    Feb 23, 2005
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    All the mails are for my domain only, and there is only one domain on that server, so there is no question of other things..

    Also I had the default address set to "fail" but still Exim crashed..

    And dictionary attack ACLs are already there.. also all the mails were to IDs which never existed
     
    #7 maverick23, Feb 13, 2006
    Last edited: Feb 13, 2006
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Unfortunately, that's completely wrong. You should not use :blackhole:
    http://www.configserver.com/free/fail.html
     
  9. maverick23

    maverick23 Well-Known Member

    Joined:
    Feb 23, 2005
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    I have started getting attacked on my other servers too; logs are something like....

    2006-02-13 22:30:46 1F8h3x-0001Fn-Cf <= jlyjt@usa.net H=(pc) [200.121.155.43]:13873 I=[xx.xx.xx.xx]:25 P=smtp S=13060 id=46532636238741678747530.&3huC2822@usa.net T="Re:" from <jlyjt@usa.net> for ataljiashooashoomarwaha@xxxxxx.com

    What can I do... the mails are hitting the server like anything and the load keeps increasing....

    And all the mails are just for a single domain...
     
  10. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    As Jonathan just explained in the post above: stop using your catch all, set it to fail and set up a dictionary attack ACL.
    You could go a step further and set up RBL blacklist ACLs as well.
     
  11. maverick23

    maverick23 Well-Known Member

    Joined:
    Feb 23, 2005
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    Well said, but I already have all the accounts set to :fail: and dictionary attack and RBL listing configured....

    Here is the third section of my exim.conf.

    Is there anything more left to be included..?


    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :

      drop    hosts = /etc/exim_deny
              !hosts = /etc/exim_deny_whitelist
              message = Connection denied after dictionary attack
              log_message = Connection denied from $sender_host_address after dictionary attack
              !hosts = +relay_hosts
              !authenticated = *

      drop    message = Appears to be a dictionary attack
              log_message = Dictionary attack (after $rcpt_fail_count failures)
              condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
              condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
              !verify = recipient
              !hosts = /etc/exim_deny_whitelist
              !hosts = +relay_hosts
              !authenticated = *

      # Accept bounces to lists even if callbacks or other checks would fail

      #**#
      #**# RBL List Begin
      #**#
      #
      # Always accept mail to postmaster & abuse in any local domain
      #
      # Note: as posted, this statement has no local_parts condition, so it
      # matches every recipient in a local domain; none of the statements
      # below (RBL check, sender and recipient verification) are reached
      # for mail to local domains.
      accept  domains = +local_domains

      # Check sending hosts against DNS black lists.
      # Reject message if address listed in blacklist.
      # Note: a warn verb does not reject; with message = it only adds a header line.
      warn    message = Message rejected because $sender_fullhost \
                        is blacklisted at $dnslist_domain see $dnslist_text
              dnslists = relays.ordb.org
              # RBL Bypass Local Domain List
              !domains = +rbl_bypass
              # RBL Whitelist incoming hosts
              !hosts = +rbl_whitelist

      #**#
      #**# RBL List End
      #**#

      # Accept bounces to lists even if callbacks or other checks would fail
      warn    message = X-WhitelistedRCPT-nohdrfromcallback: Yes
              condition = \
                ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                  {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                  {yes}{no}}

      accept  condition = \
                ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                  {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                  {yes}{no}}

      # Accept bounces to lists even if callbacks or other checks would fail
      warn    message = X-WhitelistedRCPT-nohdrfromcallback: Yes
              condition = \
                ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                  {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                  {yes}{no}}

      accept  condition = \
                ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                  {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                  {yes}{no}}

      # if it gets here it isn't mailman

      # sender verifications are required for all messages that are not sent to lists
      require verify = sender

      # recipient verifications are required for all messages that are not sent to the local machine
      # this was done at multiple users' requests
      accept  domains = +local_domains
              endpass
              message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."
              verify = recipient

      accept  domains = +relay_domains

      warn    message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
              hosts = +relay_hosts
      accept  hosts = +relay_hosts

      warn    message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
              condition = ${perl{checkrelayhost}{$sender_host_address}}
      accept  condition = ${perl{checkrelayhost}{$sender_host_address}}

      accept  hosts = +auth_relay_hosts
              endpass
              message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication turned on in your email client.
              authenticated = *

      deny    message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication turned on in your email client.

    #!!# ACL that is used after the DATA command
    check_message:
      require verify = header_sender

      ##### clamav ACL, reject virus infected mails with proper error

      deny    message = This message contains malformed MIME ($demime_reason).
              demime = *
              condition = ${if >{$demime_errorlevel}{2}{1}{0}}

      deny    message = This message contains a virus or other harmful content \
                        ($malware_name)
              demime = *
              malware = *

      deny    message = Potentially executable content. If you meant to send this file \
                        then please package it up as a zip file and resend it.
              demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:pcd:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc

      # Add X-Scanned Header
      warn    message = X-Antivirus-Scanner: Crystalcore Internet Services delivered this message #virus-free, however we still encourage the use of a virusscanner.

      ##### end clamav ACL

      accept
     
  12. maverick23

    maverick23 Well-Known Member

    Joined:
    Feb 23, 2005
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    2006-02-13 23:06:24 1F8hcd-0005Qx-PZ <= impiy@jacgb.jnj.com H=(webk.net) [84.130.114.237] P=smtp S=3723 id=000001c630c3$e3e1cd60$4675a8c0@indeterminate T="Re: v2 427 good news"
    2006-02-13 23:06:24 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8hcd-0005Qx-PZ
    2006-02-13 23:06:24 1F8hcd-0005Qx-PZ ** blackhole@xxx.myhostname.xxx <aloksrivastavaaloksrivastava@xxxxxx.com>: Unrouteable address


    Also it seems like the IP is spoofed, because every time this mail comes the IP is different... and all are hitting my hostname...
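    An added example for the logs quoted in posts 1, 9 and 12 (not code from the thread, cPanel or Exim): it parses Exim main-log arrival lines ("<=") and "Unrouteable address" failure lines ("**"), groups accepted messages by peer IP, and flags a host whose burst goes to a different recipient almost every time, which is the dictionary-attack shape chirpy describes. It also counts messages that were accepted and only then failed routing, the pattern visible in post 12, which is exactly what rejecting at RCPT time (no catch-all, recipient verification in the ACL) is meant to prevent. The sample log lines, documentation IPs, message ids and thresholds are constructed.

```python
"""Spot a recipient dictionary attack in Exim main-log lines.

Added example, not code from the thread, cPanel or Exim. It parses the two
line types quoted in the thread: the arrival line ("<=") and the delivery
failure line ("** ... Unrouteable address"). Sample lines are constructed.
"""
import re
from collections import defaultdict

# "<timestamp> <msgid> <= <sender> H=(helo) [ip] ..." ; the first [..] is the peer IP
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) .*?\[(?P<ip>[0-9a-fA-F.:]+)\]'
)
SUBJECT_RE = re.compile(r' T="(?P<subject>[^"]*)"')
FOR_RE = re.compile(r' for (?P<rcpt>\S+@\S+)\s*$')
# "<timestamp> <msgid> ** <routed addr> [<original addr>]: Unrouteable address"
FAIL_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<msgid>\S+) \*\* (?P<rcpt>\S+)'
    r'(?: <(?P<orig>[^>]+)>)?: Unrouteable address'
)


def parse_log(lines):
    """Return {msgid: record}; a record has sender, ip, subject, rcpt, unrouteable."""
    msgs = {}
    for line in lines:
        m = ARRIVAL_RE.match(line)
        if m:
            s = SUBJECT_RE.search(line)
            f = FOR_RE.search(line)
            msgs[m.group('msgid')] = {
                'sender': m.group('sender'),
                'ip': m.group('ip'),
                'subject': s.group('subject') if s else '',
                'rcpt': f.group('rcpt') if f else '',
                'unrouteable': False,
            }
            continue
        m = FAIL_RE.match(line)
        if m:
            # Exim logs arrival before routing, so the record normally exists;
            # create a stub if the log was truncated.
            rec = msgs.setdefault(m.group('msgid'), {
                'sender': '', 'ip': '', 'subject': '', 'rcpt': '', 'unrouteable': False})
            rec['unrouteable'] = True
            # The address in <...> is the one the client asked for; prefer it.
            rec['rcpt'] = rec['rcpt'] or m.group('orig') or m.group('rcpt')
    return msgs


def find_dictionary_attacks(lines, min_messages=5, min_distinct_ratio=0.8):
    """Group accepted messages by peer IP and flag hosts whose traffic looks
    like address guessing: a burst in which nearly every message goes to a
    different recipient. Also count messages that were accepted and only
    then failed routing: the pattern of a catch-all, or of a RCPT ACL that
    never verifies the recipient."""
    by_ip = defaultdict(list)
    for rec in parse_log(lines).values():
        if rec['ip']:
            by_ip[rec['ip']].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recipients = {r['rcpt'] for r in recs if r['rcpt']}
        report[ip] = {
            'messages': len(recs),
            'distinct_recipients': len(recipients),
            'distinct_subjects': len({r['subject'] for r in recs}),
            'accepted_then_unrouteable': sum(r['unrouteable'] for r in recs),
            'suspect': (len(recs) >= min_messages
                        and len(recipients) / len(recs) >= min_distinct_ratio),
        }
    return report


# Constructed sample log in the thread's format (documentation IPs, made-up ids).
_GUESSED = ['ataljia', 'shooa', 'marwaha', 'alok', 'srivastava', 'rajat']
SAMPLE_LOG = []
for i, local_part in enumerate(_GUESSED):
    mid = f'1F8h3x-0001F{i}-Cf'
    SAMPLE_LOG.append(
        f'2006-02-13 22:30:{46 + i:02d} {mid} <= jlyjt@usa.net H=(pc) [192.0.2.10]:13873 '
        f'I=[198.51.100.1]:25 P=smtp S=13060 T="Re: {i}" from <jlyjt@usa.net> '
        f'for {local_part}@example.com')
    SAMPLE_LOG.append(
        f'2006-02-13 22:30:{46 + i:02d} {mid} ** blackhole@host.example '
        f'<{local_part}@example.com>: Unrouteable address')
# One ordinary message to a real mailbox, delivered normally ("=>" lines are ignored).
SAMPLE_LOG += [
    '2006-02-13 22:31:00 1F8h4A-0002Ab-Xy <= alice@example.org H=mail.example.org '
    '[203.0.113.5] P=esmtp S=2048 T="Hello" for postmaster@example.com',
    '2006-02-13 22:31:00 1F8h4A-0002Ab-Xy => postmaster <postmaster@example.com> '
    'R=localuser T=local_delivery',
]

if __name__ == '__main__':
    for ip, info in find_dictionary_attacks(SAMPLE_LOG).items():
        print(ip, info)
```

    A host that is flagged with a high accepted_then_unrouteable count is being allowed past RCPT and only bounced by the router, so the fix belongs in the ACL (recipient verification before any blanket accept) rather than in the routers; the thresholds are constructed starting points, not tuned values.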
     