The Community Forums


SMTP attack lasting for months. What can I do?

Discussion in 'E-mail Discussions' started by jols, Dec 19, 2013.

  1. jols (Well-Known Member)
     Joined: Mar 13, 2004
    I see a constant parade of entries like this in exim_mainlog:

    Code:
    2013-12-19 04:41:15 SMTP connection from [202.164.47.101]:63433 (TCP/IP connection count = 51)
    2013-12-19 04:41:15 SMTP connection from [91.150.70.52]:10056 (TCP/IP connection count = 52)
    2013-12-19 04:41:15 SMTP connection from [122.167.40.0]:28753 lost
    2013-12-19 04:41:15 SMTP connection from 36.65.2.109.rev.sfr.net [109.2.65.36]:63299 lost
    2013-12-19 04:41:15 no IP address found for host static-dsl.nesma.net.sa (during SMTP connection from [85.129.205.35]:55490)
    2013-12-19 04:41:15 SMTP connection from [82.80.164.41]:50177 (TCP/IP connection count = 51)
    2013-12-19 04:41:15 SMTP connection from [88.215.44.129]:61336 (TCP/IP connection count = 52)
    2013-12-19 04:41:15 no host name found for IP address 88.215.44.129
    2013-12-19 04:41:15 SMTP connection from [2.146.82.74]:54857 (TCP/IP connection count = 53)
    2013-12-19 04:41:15 no host name found for IP address 2.146.82.74
    2013-12-19 04:41:15 SMTP connection from (00011ed8.fxzooterpion.us) [31.14.23.131]:53157 closed by QUIT
    2013-12-19 04:41:15 no host name found for IP address 91.150.70.52
    2013-12-19 04:41:16 SMTP connection from smtp-out.vclk.net [64.70.58.135]:29156 closed by QUIT
    2013-12-19 04:41:16 SMTP connection from [89.91.237.135]:60371 (TCP/IP connection count = 52)
    2013-12-19 04:41:16 no host name found for IP address 202.164.47.101
    2013-12-19 04:41:16 SMTP connection from [101.59.153.182]:53997 (TCP/IP connection count = 53)
    2013-12-19 04:41:16 no host name found for IP address 101.59.153.182
    2013-12-19 04:41:16 SMTP connection from [173.184.61.186]:37823 (TCP/IP connection count = 54)
    2013-12-19 04:41:16 SMTP call from h186.61.184.173.static.ip.windstream.net [173.184.61.186]:37823 dropped: too many syntax or protocol errors (last command was "Û.ÒrR{·¸Ý_"RStg¶?ZQ:àÈ=VÉÉW#qn[¶Ð!\»§Iå©:****æð_ó¹éEW}a¥å‡bù‚šì“ìPî¤`™ï")
    2013-12-19 04:41:16 SMTP connection from [122.255.14.57]:2444 (TCP/IP connection count = 54)
    2013-12-19 04:41:16 SMTP connection from [139.190.182.242]:17123 (TCP/IP connection count = 55)
    2013-12-19 04:41:16 SMTP connection from [88.209.85.27]:21783 (TCP/IP connection count = 56)
    2013-12-19 04:41:16 SMTP connection from [91.239.218.134]:48311 (TCP/IP connection count = 57)
    2013-12-19 04:41:16 SMTP connection from [62.28.160.151]:55656 lost
    2013-12-19 04:41:16 SMTP connection from [217.133.103.149]:50821 (TCP/IP connection count = 57)
    2013-12-19 04:41:16 SMTP connection from ocs.co.id [202.169.35.82]:19153 lost
    2013-12-19 04:41:16 SMTP connection from [113.169.35.235]:34844 (TCP/IP connection count = 57)
    2013-12-19 04:41:16 SMTP connection from [111.240.25.98]:25178 (TCP/IP connection count = 58)

    Obviously these are attacks against our email server. Is there anything else I can do, other than limit the number of max connections in the exim config? I've also switched on the new exim syntax error blocking in CSF. But how long can this sort of thing continue? We've seen this ever since I installed this new server back in October.
     
  2. Archmactrix (Well-Known Member)
     Joined: Jan 20, 2012
     cPanel Access Level: Root Administrator
    The other topic mentions a custom CSF rule and, later on, a new option in CSF for syntax or protocol errors (LF_EXIMSYNTAX).

    This is not helpful in my own case. I have entries in my exim_mainlog similar to the topic starter's here, and the server was hit with this yesterday by one IP for about half an hour.

    There are 5148 entries in total for this IP over that half hour.

    Code:
    2013-12-18 16:48:52 SMTP connection from [37.0.121.137]:60522 (TCP/IP connection count = 1)
    [...]
    2013-12-18 17:20:47 SMTP connection from [37.0.121.137]:52942 (TCP/IP connection count = 8)
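A small triage script for the situation in the two posts above, added here as an example and not code from the thread, from cPanel or from CSF: it parses exim_mainlog lines of the shapes quoted (constructed sample lines with documentation-range IPs), counts connection opens and "too many syntax or protocol errors" drops per source IP, and lists the IPs whose open rate or error count crosses a threshold, which is the list an admin would review before writing a firewall rule. The thresholds and the sample log are assumptions, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the exim_mainlog shape quoted above (documentation-range IPs, not a real capture).
SAMPLE_LOG = """\
2013-12-19 04:41:15 SMTP connection from [203.0.113.10]:63433 (TCP/IP connection count = 51)
2013-12-19 04:41:15 SMTP connection from [198.51.100.7]:10056 (TCP/IP connection count = 52)
2013-12-19 04:41:15 no host name found for IP address 198.51.100.7
2013-12-19 04:41:16 SMTP connection from [203.0.113.10]:63434 (TCP/IP connection count = 53)
2013-12-19 04:41:16 SMTP call from [203.0.113.10]:63434 dropped: too many syntax or protocol errors (last command was "garbage")
2013-12-19 04:41:17 SMTP connection from mail.example.net [192.0.2.5]:25178 closed by QUIT
2013-12-19 04:41:40 SMTP connection from [203.0.113.10]:63435 lost
2013-12-19 04:42:00 SMTP connection from (dyn.example.org) [203.0.113.10]:63436 (TCP/IP connection count = 54)
"""
# One pattern covers the thread's line shapes: optional hostname (bare or in parentheses), bracketed IP, then the event.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SMTP (?:connection|call) from "
    r".*?\[(?P<ip>[0-9A-Fa-f.:]+)\]:\d+\s*(?P<rest>.*)$"
)

def summarize(log_text):
    """Per-IP counts of connection opens and protocol-error drops, plus first/last time seen."""
    stats = defaultdict(lambda: {"opens": 0, "protocol_errors": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # reverse-lookup lines carry no per-connection event
        rest = m.group("rest")
        if rest.startswith("(TCP/IP connection count"):
            key = "opens"
        elif rest.startswith("dropped: too many syntax or protocol errors"):
            key = "protocol_errors"
        else:
            continue  # "lost" / "closed by QUIT" end a connection already counted at open
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        s = stats[m.group("ip")]
        s[key] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def offenders(stats, max_opens_per_minute=10.0, min_protocol_errors=1):
    """IPs to review for a firewall rule: open rate (over at least a 1-minute span) at or above the threshold, or any protocol-error drop (assumed thresholds)."""
    hits = []
    for ip, s in stats.items():
        span_minutes = max((s["last"] - s["first"]).total_seconds() / 60.0, 1.0)
        if s["opens"] / span_minutes >= max_opens_per_minute or s["protocol_errors"] >= min_protocol_errors:
            hits.append(ip)
    return sorted(hits)
```

Run it against a real exim_mainlog by passing the file contents to summarize(); an IP like the one in the post above, with thousands of opens in half an hour, clears the default rate threshold on its own.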
     
  3. cPanelMichael (Forums Analyst, Staff Member)
     Joined: Apr 11, 2011
     cPanel Access Level: Root Administrator
    Beyond limiting the number of connections permitted with Exim, it's really a matter of implementing custom firewall rules to block the attack. It's not something that the cPanel/WHM software will be able to mitigate.

    Thank you.
     