SMTP attack lasting for months. What can I do?

jols

Well-Known Member
I see a constant parade of entries like this in exim_mainlog:

Code:
2013-12-19 04:41:15 SMTP connection from [202.164.47.101]:63433 (TCP/IP connection count = 51)
2013-12-19 04:41:15 SMTP connection from [91.150.70.52]:10056 (TCP/IP connection count = 52)
2013-12-19 04:41:15 SMTP connection from [122.167.40.0]:28753 lost
2013-12-19 04:41:15 SMTP connection from 36.65.2.109.rev.sfr.net [109.2.65.36]:63299 lost
2013-12-19 04:41:15 no IP address found for host static-dsl.nesma.net.sa (during SMTP connection from [85.129.205.35]:55490)
2013-12-19 04:41:15 SMTP connection from [82.80.164.41]:50177 (TCP/IP connection count = 51)
2013-12-19 04:41:15 SMTP connection from [88.215.44.129]:61336 (TCP/IP connection count = 52)
2013-12-19 04:41:15 no host name found for IP address 88.215.44.129
2013-12-19 04:41:15 SMTP connection from [2.146.82.74]:54857 (TCP/IP connection count = 53)
2013-12-19 04:41:15 no host name found for IP address 2.146.82.74
2013-12-19 04:41:15 SMTP connection from (00011ed8.fxzooterpion.us) [31.14.23.131]:53157 closed by QUIT
2013-12-19 04:41:15 no host name found for IP address 91.150.70.52
2013-12-19 04:41:16 SMTP connection from smtp-out.vclk.net [64.70.58.135]:29156 closed by QUIT
2013-12-19 04:41:16 SMTP connection from [89.91.237.135]:60371 (TCP/IP connection count = 52)
2013-12-19 04:41:16 no host name found for IP address 202.164.47.101
2013-12-19 04:41:16 SMTP connection from [101.59.153.182]:53997 (TCP/IP connection count = 53)
2013-12-19 04:41:16 no host name found for IP address 101.59.153.182
2013-12-19 04:41:16 SMTP connection from [173.184.61.186]:37823 (TCP/IP connection count = 54)
2013-12-19 04:41:16 SMTP call from h186.61.184.173.static.ip.windstream.net [173.184.61.186]:37823 dropped: too many syntax or protocol errors (last command was "Û.ÒrR{·¸Ý_"RStg¶?ZQ:àÈ=VÉÉW#qn[¶Ð!\»§Iå©:****æð_ó¹éEW}a¥å‡bù‚šì“ìPî¤`™ï")
2013-12-19 04:41:16 SMTP connection from [122.255.14.57]:2444 (TCP/IP connection count = 54)
2013-12-19 04:41:16 SMTP connection from [139.190.182.242]:17123 (TCP/IP connection count = 55)
2013-12-19 04:41:16 SMTP connection from [88.209.85.27]:21783 (TCP/IP connection count = 56)
2013-12-19 04:41:16 SMTP connection from [91.239.218.134]:48311 (TCP/IP connection count = 57)
2013-12-19 04:41:16 SMTP connection from [62.28.160.151]:55656 lost
2013-12-19 04:41:16 SMTP connection from [217.133.103.149]:50821 (TCP/IP connection count = 57)
2013-12-19 04:41:16 SMTP connection from ocs.co.id [202.169.35.82]:19153 lost
2013-12-19 04:41:16 SMTP connection from [113.169.35.235]:34844 (TCP/IP connection count = 57)
2013-12-19 04:41:16 SMTP connection from [111.240.25.98]:25178 (TCP/IP connection count = 58)

Obviously these are attacks against our email server. Is there anything else I can do, other than limit the number of max connections in the exim config? I've also switched on the new exim syntax error blocking in CSF. But how long can this sort of thing continue? We've seen this ever since I installed this new server back in October.
 

Archmactrix

Well-Known Member
cPanel Access Level
Root Administrator
Hello :)

There is a thread similar to this at:

Sustained Exim Attack

Thank you.
The other topic mentions a custom CSF rule and, later on, a new option in CSF for syntax or protocol errors (LF_EXIMSYNTAX).

This is not helpful in my own case. I have similar entries in my exim_mainlog like the topic starter here and the server was hit with this yesterday by one IP for about half an hour.

There are 5148 entries in total for this IP over that half hour.

Code:
2013-12-18 16:48:52 SMTP connection from [37.0.121.137]:60522 (TCP/IP connection count = 1)
[...]
2013-12-18 17:20:47 SMTP connection from [37.0.121.137]:52942 (TCP/IP connection count = 8)
 

cPanelMichael

Technical Support Community Manager
Staff member
cPanel Access Level
DataCenter Provider
Beyond limiting the number of connections permitted with Exim, it's really a matter of implementing custom firewall rules to block the attack. It's not something that the cPanel/WHM software will be able to mitigate.

Thank you.
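An added example, not from this thread or from cPanel, showing how to pick block candidates out of exim_mainlog before writing the custom firewall rules mentioned above: it parses the accept lines in the format quoted in the first post, flags IPs that exceed a connection count inside a sliding time window (the per-IP flood in the second post), and separately lists IPs that Exim dropped for "too many syntax or protocol errors". The threshold, window and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Only "(TCP/IP connection count = N)" accept lines are counted; "lost" / "closed by QUIT"
# lines are session ends and are deliberately ignored so one session is not counted twice.
STAMP = r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
ACCEPT_RE = re.compile(STAMP + r"SMTP connection from (?:\S+ )?\[([\d.]+)\]:\d+ "
                       r"\(TCP/IP connection count = \d+\)")
DROP_RE = re.compile(STAMP + r"SMTP call from (?:\S+ )?\[([\d.]+)\]:\d+ dropped: "
                     r"too many syntax or protocol errors")

def parse(line):
    """Return (timestamp, ip, kind) for an accept or drop line, else None."""
    for kind, rx in (("accept", ACCEPT_RE), ("drop", DROP_RE)):
        m = rx.match(line)
        if m:
            return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), kind
    return None

def flooders(lines, threshold, window_seconds):
    """Map IP -> peak accepted connections inside any sliding window of `window_seconds`,
    for IPs whose peak exceeds `threshold`. Lines are assumed chronological, as in the log."""
    recent, peak = defaultdict(deque), {}
    for rec in map(parse, lines):
        if not rec or rec[2] != "accept":
            continue
        ts, ip, _ = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # forget accepts older than the window
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

def protocol_error_drops(lines):
    """IPs whose sessions Exim dropped for repeated syntax/protocol errors."""
    return sorted({r[1] for r in map(parse, lines) if r and r[2] == "drop"})

# Constructed sample (documentation IPs, not real addresses): 192.0.2.10 floods the server.
SAMPLE = [
    "2013-12-18 16:48:52 SMTP connection from [192.0.2.10]:60522 (TCP/IP connection count = 1)",
    "2013-12-18 16:48:53 SMTP connection from [198.51.100.7]:2444 (TCP/IP connection count = 2)",
    "2013-12-18 16:48:55 SMTP connection from [192.0.2.10]:60530 (TCP/IP connection count = 2)",
    "2013-12-18 16:48:58 SMTP connection from [192.0.2.10]:60530 lost",
    "2013-12-18 16:49:01 SMTP connection from [192.0.2.10]:60555 (TCP/IP connection count = 3)",
    "2013-12-18 16:49:02 SMTP call from mail.example.net [203.0.113.9]:37823 dropped: too many syntax or protocol errors (last command was \"xyz\")",
    "2013-12-18 16:49:05 SMTP connection from [192.0.2.10]:60570 (TCP/IP connection count = 4)",
    "2013-12-18 17:30:00 SMTP connection from [192.0.2.10]:61000 (TCP/IP connection count = 1)",
]
```

Feeding the real exim_mainlog through `flooders(open(path), 50, 1800)` would have surfaced the 5148-connections-in-half-an-hour IP from the second post as a block candidate.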