The Community Forums


Tracking Exim connections

Discussion in 'General Discussion' started by FreedomNet, Apr 23, 2005.

  1. FreedomNet

    FreedomNet Active Member

    Does anyone know how to get cPanel / WHM to log the IP address of connections made to Exim? We have a long-standing problem with ACL dictionary attacks against a couple of domains. We have installed the ACL blocking code available at http://www.configserver.com/free/eximdeny.html

    Unfortunately, this is not really helping in our situation. We are getting hundreds of thousands of emails to the attacked domains and they are being spoofed as coming from over 5,000 different hosts. This has been going on for months, so the hope of outwaiting the attackers seems to be useless. We thought that if we could log the IPs of the hosts connecting to Exim, we would quickly find out which host is really sending them and could block that host at the firewall or use IPCHAINS. Or would this approach not work?

    Any thoughts or guidance would be very much appreciated.
     
  2. dalem

    dalem Well-Known Member
    PartnerNOC

    It's all in your logs: /var/log/exim_mainlog

    If you blocked all those IPs making dictionary attacks you would start blocking legitimate users as well.

    I am not sure how chirpy's ACL works, but the one I use blocks the offending IP for 30 minutes at the MTA before it hits the server.

    It will make no difference if you block the dictionary attackers' IPs; they will just keep attacking even if their mail goes nowhere with :fail:. If you are blocking before it reaches the mail server, no bandwidth is used, the junk mail goes nowhere, who cares :confused:
     
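The original question was how to find the connecting IPs, and the reply above points at /var/log/exim_mainlog. The script below is an added example for this thread (not code from cPanel, ConfigServer or any of the posters) that counts "rejected RCPT" lines per connecting peer in an Exim 4 mainlog and reports how many distinct sources there are and how much of the volume the top talkers account for, which is the number that decides whether firewalling a handful of hosts can help. It assumes the default Exim 4 log layout (timestamp, then `H=<host> [<ip>]`, then `rejected RCPT <addr>: <reason>`); the log lines embedded in it are constructed and use documentation IP ranges.

```python
"""Summarise rejected RCPT attempts per source IP from an Exim 4 mainlog."""
import re
from collections import Counter

# Constructed sample in Exim 4 mainlog style (not real log data).
SAMPLE_LOG = """\
2005-04-23 10:15:32 H=(c-192-0-2-10.example.net) [192.0.2.10] F=<bob@example.org> rejected RCPT <marriner@domain.com>: Dictionnary attack (2 failed probes). Dropping connection: no such address here
2005-04-23 10:15:33 H=(c-192-0-2-11.example.net) [192.0.2.11] F=<alice@example.org> rejected RCPT <jsmith@domain.com>: Dictionnary attack (2 failed probes). Dropping connection: no such address here
2005-04-23 10:15:35 H=mail.partner.example [198.51.100.5] F=<orders@partner.example> rejected RCPT <nobody@domain.com>: No such person at this address
2005-04-23 10:15:36 1DPqkY-0004Ab-9c <= sales@partner.example H=mail.partner.example [198.51.100.5] P=esmtp S=2048
2005-04-23 10:15:40 H=(c-192-0-2-10.example.net) [192.0.2.10] F=<carol@example.org> rejected RCPT <bsmith@domain.com>: Dictionnary attack (2 failed probes). Dropping connection: no such address here
2005-04-23 10:15:41 H=(203-0-113-7.example.net) [203.0.113.7] F=<dave@example.org> rejected RCPT <aaron@domain.com>: Dictionnary attack (2 failed probes). Dropping connection: no such address here
"""

# Connecting peer. Exim writes H=<name> [<ip>], H=(<helo>) [<ip>] or H=<name> (<helo>) [<ip>];
# the bracketed address is the one the TCP connection actually came from.
PEER_IP_RE = re.compile(r"\bH=.*?\[(?P<ip>[0-9A-Fa-f.:]+)\]")
REJECTED_RCPT_RE = re.compile(r" rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$")


def rejected_rcpt_by_ip(log_text, reason_substring=None):
    """Count 'rejected RCPT' lines per connecting IP.

    reason_substring, if given, keeps only rejections whose reason contains it
    (for example the tag a dictionary-attack ACL writes), so ordinary bounces
    of mistyped addresses from real correspondents are not mixed in.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m_rcpt = REJECTED_RCPT_RE.search(line)
        if not m_rcpt:
            continue  # delivery, receipt or other non-reject line
        if reason_substring and reason_substring not in m_rcpt.group("reason"):
            continue
        m_ip = PEER_IP_RE.search(line)
        if not m_ip:
            continue  # no peer address on the line (e.g. local submission)
        counts[m_ip.group("ip")] += 1
    return counts


def summarize(log_text, top=10, reason_substring=None):
    """Return total rejects, number of distinct sources, and the top-N talkers with their share."""
    counts = rejected_rcpt_by_ip(log_text, reason_substring)
    total = sum(counts.values())
    top_list = counts.most_common(top)
    top_share = sum(n for _, n in top_list) / total if total else 0.0
    return {
        "total_rejects": total,
        "distinct_ips": len(counts),
        "top": top_list,
        "top_share": top_share,
    }


if __name__ == "__main__":
    # On a real box: summarize(open("/var/log/exim_mainlog").read(), top=20, ...)
    s = summarize(SAMPLE_LOG, top=3, reason_substring="Dictionnary attack")
    print(f"{s['total_rejects']} dictionary-attack rejects from {s['distinct_ips']} source IPs")
    for ip, n in s["top"]:
        print(f"  {ip:<16} {n}")
    print(f"top 3 sources account for {s['top_share']:.0%} of the rejects")
```

If the top twenty addresses account for most of the rejects, firewalling them is worth doing; if the share is flat across thousands of addresses, as the thread goes on to describe, the log only confirms that there is no single upstream to block.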
  3. chirpy

    chirpy Well-Known Member

    IMX, there's very little you can do when under such a sustained attack; it's basically an email DDoS. I've come across the situation only a couple of times where the attacks don't cease or slacken after a while. In those few cases the only way was to simply no longer host the domains. The problem stems from the fact that the domain(s) have found their way onto spammers' lists and have been propagated throughout their network. Once that's done, it's very difficult to get off.

    Another idea, if you need to keep the domains, is to pass the email off to a third-party scanning service where they would have to bear the load, though you should research that carefully.
     
  4. DigitalN

    DigitalN Well-Known Member

    Change your MX record to point to 127.0.0.1 for a few days, then change it back again, and see if the attacks have lightened any. It may not work, but it will be awfully annoying for the people sending all that crap to you.

    disabled IN A 127.0.0.1
    domain.com. IN MX 0 disabled.domain.com.

    It's a nasty problem; sometimes you may have to, as Chirpy mentioned, get a new domain.
    I'd give the 127.0.0.1 trick a try first though. ;)
     
  5. FreedomNet

    FreedomNet Active Member

    Dalem,

    Thank you for your comments! I guess I don't understand the nature of the attack and, most especially, how to really prevent it.

    I believe we are stopping all the bogus emails at the MTA (we have all email accounts set to :fail: on the attacked domains), but as for not caring, that is not true given the volume of attacks we are getting. The exim_mainlog is currently over a million lines long (just from half a day of attacks). If you look at a top display you will see 10 to 12 active exim processes in each top iteration. Even stopping it at the MTA, it is still taking up quite a bit of resources to log all this and run through the ACL check routines for each email sent. We have even turned eximstats off to try and reduce the overhead from the attacks. The attacker appears to be expanding the number of emails they send in their attacks every few days, and they have been at it for months. The volume we see is starting to have an impact even with the ACL routine and stopping things at the MTA, so we are hoping to find a better solution.

    I had assumed that with all the different host addresses (at least 3,000 different hosts in an attack cycle) we see in the exim_mainlog for the bogus emails, they could not actually be coming from those hosts, and that the attacker was sending the emails masked to look like they were coming from these hosts. We are just looking for anything else we can do before they take us down by the sheer volume of emails they are sending.

    Any other thoughts or ideas are greatly appreciated.
     
    #5 FreedomNet, Apr 23, 2005
    Last edited: Apr 23, 2005
  6. chirpy

    chirpy Well-Known Member

    IMX, in these situations they do genuinely come from different hosts. Basically there is a huge network of what are called "zombie" PCs that have been infected through Windows viruses and worms with backdoors, which virus writers sell to spamming groups for significant amounts of money. They then use literally tens of thousands of ordinary PCs on DSL connections to send spam out, making it impossible to track to a single source.
     
  7. FreedomNet

    FreedomNet Active Member

    Thanks for the ideas! Unfortunately the sites that are being attacked are commercial ecommerce clients, so we can't get a new domain.

    I am intrigued by Chirpy's idea of passing the email load off to another server and will see if we can use that as an approach.
     
  8. chirpy

    chirpy Well-Known Member

    If you have the resources yourself, you could even have a dedicated mail server, which the MX records for the domain point to, that does the email spam and virus scanning. It can then use a smart router to forward the cleaned email on to the web server (this is basically what a third-party service would do). If the email scanning server is a cPanel server, it's simple enough to configure in Exim.
     
  9. FreedomNet

    FreedomNet Active Member

    Thanks for taking the time to explain this. I now understand why looking for a single culprit host will not work. We'll give your idea of just offloading the email for the attacked domains to a different server a try.

    THANKS again!
     
  10. dalem

    dalem Well-Known Member
    PartnerNOC

    If you're blocking them before they hit the server then you are doing all you can do. Most of the attacks are from hijacked servers & computers run by spam gangs. I have one domain on my box that gets, I would guess, at least 100,000+ a day. The attackers do not care that their junk is going nowhere (it's their bandwidth, not mine). It has increased over the years, not decreased, and blocking the IPs has no effect; it just makes for large exim logs.

    rejected RCPT <marriner@domain.com>: Dictionnary attack (2 failed probes). Dropping connection: no such address here

    Bye bye A*7 hole, but they still keep coming.
     
    #10 dalem, Apr 23, 2005
    Last edited: Apr 23, 2005
  11. mr.wonderful

    mr.wonderful BANNED

    There is not much you can do but wait it out. You could lessen it by changing the number of connections possible in exim.conf to, say, 20. Of course this will drop a lot of legit connections, but at the same time it will ease up on the server load because any connection over 20 will get dropped. If you have hundreds and thousands of connections, those will get dropped. You will see this in exim_mainlog.

    Removing the DNS records will not do anything. Even if you do, since DNS is pointing to the server, it may take hours or even days for propagation, and by that time the DoS is probably over.

    We had this situation happen and it went on for 2 days straight. I changed the connection limit in exim.conf to 5, and very sorry if we inconvenienced our clients for a while, but at least our box loads remained normal.
     
  12. areha

    areha Well-Known Member

    I have a domain that receives millions of spam messages each week, and it doesn't get any better with time (I've had it for around 2-3 years now). I rented an "email-washing" company just to try, but two of their disks were destroyed after a few days due to the huge traffic I created. Now I have another spam washing company that does better, but they still send requests to my server, so there is still load on my server due to this.

    I assume the only options are to drop the domain or to sue the companies that advertise in this way in order to cover the expense of extra hardware. Setting up a dedicated server for mail will help.
     
  13. FreedomNet

    FreedomNet Active Member

    We would love to know the company/person behind this, but I don't know any way to get that info; if you do, please let me know. These are coming from over 3,000+ different IPs and, from Chirpy's info, it sounds like most of these are innocent, just infected....
     
  14. pshepperd

    pshepperd Well-Known Member

    Do you use Realtime Black Lists? Or is this not feasible? Also, is there anything the same in the spam that is unique? You can filter and drop it if you can find just one thing common to all of it: a certain something in the headers, a common phrase?
     
  15. FreedomNet

    FreedomNet Active Member

    Re: using a filter

    Using a filter is not really feasible because the volume of emails would bury the server. The best thing we have found is the ACL dictionary attack script at http://www.configserver.com/free/eximdeny.html in conjunction with setting the domain defaults to :fail:. This has done the best job of keeping things under control, but the volume of attacks is getting to the point where even these measures are starting to take a heavy toll on the server. We are now investigating offloading the mail service for the attacked domains to a separate server so as to isolate the impact, as was mentioned earlier in the thread.
     