The Community Forums

Interact with an entire community of cPanel & WHM users!

Multi-site email spam attack

Discussion in 'Security' started by Fbarajas, Apr 22, 2013.

  1. Fbarajas

    Fbarajas Active Member

    Joined:
    Jul 15, 2004
    Messages:
    39
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Playa del Carmen, Mexico
    Hi!

    I'm using lfd's AUTHRELAY to block an IP if they send more than 100 mails. But now, some spammer got the password of 2 accounts, and it's relaying through several IPs. That is, when one IP gets blocked by lfd, it starts sending spam from another IP from another country:

    Type: AUTHRELAY, Remote IP - 61.4.83.39 (CN/China/-)
    Count: 101 emails relayed
    Blocked: Temporary Block

    Type: AUTHRELAY, Remote IP - 85.214.40.32 (DE/Germany/h1922363.stratoserver.net)
    Count: 101 emails relayed
    Blocked: Temporary Block

    Type: AUTHRELAY, Remote IP - 87.238.161.78 (BE/Belgium/-)
    Count: 101 emails relayed
    Blocked: Temporary Block

    Type: AUTHRELAY, Remote IP - 212.80.20.240 (IR/Iran, Islamic Republic of/-)
    Count: 101 emails relayed
    Blocked: Temporary Block

    Type: AUTHRELAY, Remote IP - 94.23.146.176 (NL/Netherlands/-)
    Count: 101 emails relayed
    Blocked: Temporary Block

    When I detected the problem, I changed the compromised email account password.

    What else can I do? Is there a way to prevent this from happening again?

    Thanks!
     
  2. arunsv84

    arunsv84 Well-Known Member

    Joined:
    Oct 20, 2008
    Messages:
    373
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    127.0.0.1
    cPanel Access Level:
    Root Administrator
    You should scan the local machine that you use to manage the compromised email account and make sure that it's free from viruses/trojans.

    Thanks!
     
  3. Fbarajas

    Fbarajas Active Member

    Joined:
    Jul 15, 2004
    Messages:
    39
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Playa del Carmen, Mexico
    Yes, I already did that. Is there any way I can protect the server from this kind of attack?

    Thanks!
     
  4. kdean

    kdean Well-Known Member

    Joined:
    Oct 19, 2012
    Messages:
    262
    Likes Received:
    12
    Trophy Points:
    18
    Location:
    Orlando, FL
    cPanel Access Level:
    Root Administrator
    If you use ConfigServer Firewall you can try the section below, which can be used to detect multiple IPs being used to send mail for an account and set triggers for when it should start blocking all the involved IPs automatically. Granted, this could block your user's valid IP, but that's a small price to pay to cut off spam sending relatively quickly and automatically. You could always re-enable the user's IP when dealing with the issue.

    Code:
    # Distributed SMTP Logins. This option will keep track of successful SMTP
    # logins. If the number of successful logins to an individual account is at
    # least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
    # addresses, then all of the IP addresses will be blocked. These options only
    # apply to the exim MTA
    #
    # This option can help mitigate the common SMTP account compromise attacks that
    # use a distributed network of zombies to send spam
    #
    # A sensible setting for this might be 5, depending on how many different
    # IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
    #
    # To disable set to "0"
    LF_DISTSMTP = 4
    
    # Set the following to the minimum number of unique IP addresses that trigger
    # LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
    LF_DISTSMTP_UNIQ = 3
    
    # If this option is set to 1 the blocks will be permanent
    # If this option is > 1, the blocks will be temporary for the specified number
    # of seconds
    LF_DISTSMTP_PERM = 1
    
    # This is the interval during which a distributed FTP or SMTP attack is
    # measured
    LF_DIST_INTERVAL = 900
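
    As an added illustration of what those four options do (this is not code from the post above or from ConfigServer; lfd itself is Perl and reads the exim log live), here is a Python script that applies the same LF_DISTSMTP / LF_DISTSMTP_UNIQ / LF_DIST_INTERVAL logic to exim mainlog lines. The log lines, account names and IP addresses are constructed for the example. The detail worth noting is the `A=authenticator:account` field, which is where exim records which mailbox authenticated; the client IP is the bracketed address on the same line. The script keeps a sliding window per account, flags the account once it has at least LF_DISTSMTP logins from at least LF_DISTSMTP_UNIQ distinct IPs inside LF_DIST_INTERVAL seconds, and turns the result into `csf -d` commands.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds mirroring the csf.conf fragment quoted above.
LF_DISTSMTP = 4          # successful logins to one account within the interval
LF_DISTSMTP_UNIQ = 3     # ...coming from at least this many distinct IPs
LF_DIST_INTERVAL = 900   # window length in seconds

# Constructed exim mainlog lines (not real log data). One account, "ventas@",
# is hit from four countries in six minutes; "info@" is normal; the owner of
# "ventas@" logs in from home an hour later, outside the window.
SAMPLE_LOG = """\
2013-04-22 10:00:01 1UU3xR-0003Ab-2x <= ventas@example.com H=(localhost) [61.4.83.39] P=esmtpa A=dovecot_login:ventas@example.com S=2140
2013-04-22 10:02:14 1UU3zc-0003Aq-7Q <= ventas@example.com H=(h1922363.stratoserver.net) [85.214.40.32] P=esmtpa A=dovecot_login:ventas@example.com S=2101
2013-04-22 10:03:50 1UU41A-0003B2-1k <= ventas@example.com H=(localhost) [87.238.161.78] P=esmtpa A=dovecot_login:ventas@example.com S=2099
2013-04-22 10:05:31 1UU42n-0003BH-Pe <= ventas@example.com H=(localhost) [212.80.20.240] P=esmtpa A=dovecot_login:ventas@example.com S=2133
2013-04-22 10:06:02 1UU43I-0003BN-Bb <= info@example.com H=(pc) [189.162.10.5] P=esmtpa A=dovecot_login:info@example.com S=1544
2013-04-22 10:20:45 1UU4HV-0003D1-0s <= info@example.com H=(pc) [189.162.10.5] P=esmtpa A=dovecot_login:info@example.com S=1602
2013-04-22 11:40:00 1UU5WA-0003F9-Zz <= ventas@example.com H=(laptop) [200.57.1.20] P=esmtpa A=dovecot_login:ventas@example.com S=1880
"""

# Match a message-arrival line ("<=") that carries an authenticated sender:
# timestamp, the client IP in brackets, and the account after "A=<auth>:".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\] .*?\bA=\w+:(?P<acct>\S+)"
)


def parse_auth_logins(log_text):
    """Return a time-sorted list of (timestamp, account, ip) for SMTP AUTH logins."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # bounces, deliveries, unauthenticated mail, etc.
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("acct"), m.group("ip")))
    events.sort()
    return events


def find_distributed_logins(events, min_logins=LF_DISTSMTP,
                            min_uniq=LF_DISTSMTP_UNIQ, interval=LF_DIST_INTERVAL):
    """Return {account: set(ips)} for accounts whose logins trip the thresholds.

    A per-account deque holds the logins seen in the last `interval` seconds;
    old entries are dropped as time moves on, so an owner logging in later from
    a single IP does not get caught by an attack that has already ended.
    """
    windows = defaultdict(deque)
    flagged = {}
    for ts, acct, ip in events:
        win = windows[acct]
        win.append((ts, ip))
        while (ts - win[0][0]).total_seconds() > interval:
            win.popleft()
        ips = {w_ip for _, w_ip in win}
        if len(win) >= min_logins and len(ips) >= min_uniq:
            flagged.setdefault(acct, set()).update(ips)
    return flagged


def csf_deny_commands(flagged):
    """Build the `csf -d IP comment` lines that would block every involved IP."""
    cmds = []
    for acct, ips in sorted(flagged.items()):
        for ip in sorted(ips):
            cmds.append(f"csf -d {ip} distributed SMTP logins for {acct}")
    return cmds


if __name__ == "__main__":
    hits = find_distributed_logins(parse_auth_logins(SAMPLE_LOG))
    for cmd in csf_deny_commands(hits):
        print(cmd)
```

    Run against the sample, only ventas@example.com is flagged, with the four attacking IPs; info@example.com (two logins, one IP) and the owner's later login from 200.57.1.20 are left alone. That later login is also the caveat kdean mentions: had the owner connected from home while the spammer was still active, the home IP would have been inside the window and blocked along with the rest, which is why LF_DISTSMTP_PERM = 1 (permanent blocks) means you will sometimes be removing a legitimate IP by hand afterwards.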
     
  5. Fbarajas

    Fbarajas Active Member

    Joined:
    Jul 15, 2004
    Messages:
    39
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Playa del Carmen, Mexico
    Thanks kdean. That was just what I was looking for :)
     
  6. krival96

    krival96 Registered

    Joined:
    Mar 1, 2014
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    How can I use this?
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,762
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator