The Community Forums


Ratelimit Backscatter ACL?

Discussion in 'E-mail Discussions' started by RickG, Jul 18, 2008.

  1. RickG

    Is there a way to apply (or create a new) ACL to ratelimit a form of spam?

    We're seeing a lot of activity that looks like the snippet below. I know this is not backscatter in the traditional sense as it's all coming from the same source ... it's just unusual that one user is being targeted vs. a dictionary attack.

    Notice the mail is from the same IP. It has passed a slew of HELO/EHLO tests as well as made it through major RBL checks in order to arrive at the User Unknown (require verify = recipient) stage.

    I'd like to be able to ratelimit this type of repetitive connection as it's wasting resources going through RBL and spam checks.

    Any suggestions would be appreciated.

    Code:
    2008-07-18 03:25:44 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Polina@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:25:46 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<JUlija@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:25:48 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Veronika@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:25:50 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Vera@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:25:53 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Ivan@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:25:55 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Nina@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:25:57 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Anton@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:25:59 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Maksim@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:26:02 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Filipp@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:26:04 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Viktorija@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    
     
  2. lloyd_tennison

    And why does "Attempt to block dictionary attacks" not do it for you?
     
  3. RickG

    Great question.

    If you'll look at the snippet from the maillog you'll see that the from address is changed with every message, even though they are all from the same host / IP.

    This has always been a way to "bypass" the Dictionary Attack script, even when it was under Chirpy's fine control. Once a spammer figures out how many messages it takes before they are blocked, they change the number of repetitions of each from address. We've watched this in our maillog ... if we lower the "$rcpt_fail_count" value it will hold for a few days, but then the spammers change the repetitions of messages (using unique from addresses) trying to bypass the block.
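    As an added example (not code from this thread or from cPanel), the check below runs over constructed log lines in the shape of the maillog quoted in post #1: it counts "User Unknown" rejects per source IP inside a sliding window and ignores the envelope sender entirely, so rotating the from address on every attempt, as described above, does not reset the count. Host names, IPs and addresses are hypothetical, and the lines are assumed to be in timestamp order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of the Exim reject lines quoted in post #1; the HELO name in
# parentheses is optional because not every Exim log format includes it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) H=\S+(?: \(\S+\))? "
    r"\[(?P<ip>[^\]]+)\] F=<(?P<sender>[^>]*)> rejected RCPT "
    r"<(?P<rcpt>[^>]+)>: User Unknown$"
)

# Constructed sample log (hypothetical hosts and addresses): one IP rotating the
# sender on every attempt against one unknown recipient, two seconds apart, plus
# one harmless reject from a different host.
_SENDERS = ["Polina", "Julija", "Veronika", "Vera", "Ivan", "Nina", "Anton"]
SAMPLE_LOG = [
    f"2008-07-18 03:25:{44 + 2 * i:02d} H=mx.attacker.example (mx.attacker.example) "
    f"[198.51.100.7] F=<{name}@sender.example> rejected RCPT "
    f"<user1@clientsdomain.example>: User Unknown"
    for i, name in enumerate(_SENDERS)
] + [
    "2008-07-18 03:25:50 H=mx.other.example [203.0.113.9] F=<bob@other.example> "
    "rejected RCPT <typo@clientsdomain.example>: User Unknown"
]

def parse(lines):
    """Yield (timestamp, source_ip, sender, recipient) for each matching line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["ip"], m["sender"], m["rcpt"]

def flag_hosts(lines, limit=5, window=timedelta(minutes=1)):
    """Return {source_ip: distinct_senders} for hosts with more than `limit`
    unknown-recipient rejects inside a sliding `window`. The key is the IP
    alone, so changing the envelope sender each time does not reset the count."""
    recent = defaultdict(deque)   # ip -> timestamps of rejects still in the window
    senders = defaultdict(set)    # ip -> distinct envelope senders seen
    flagged = {}
    for ts, ip, sender, _rcpt in parse(lines):
        q = recent[ip]
        q.append(ts)
        senders[ip].add(sender)
        while ts - q[0] > window:  # drop rejects that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged[ip] = len(senders[ip])
    return flagged
```

    The same idea applies to an Exim ratelimit ACL condition: key it on the sending host address rather than on the sender address, and the per-message sender rotation stops mattering.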
     
  4. websnail.net

    I've been seeing something very similar with my server.

    It seems that the script/bot is using the "Sender Verification Callouts" and a dictionary attack to find the valid email addresses and then using the valid responses as the faked sender for their spam.

    In effect using the restrictions and requirements against us.

    Net result is a massive amount of backscatter spam into the thousands.

    Any thoughts?



    EDIT: Forget that, it sounds like I missed the announcement about Chirpy's solution being exploited.

    Looking like I have a much bigger problem to worry about now. :/
     
    #4 websnail.net, Jul 31, 2008
    Last edited: Jul 31, 2008