Never again. It was bad and tough to fight against the dictionary-attack spamming. Either the server load will rise or
Dictionary attack
-----------------
From Wikipedia:
Spammers may also use a form of dictionary attack in order to harvest e-mail addresses. For example, a spammer may send messages to adam@example.com, betty@example.com, carl@example.com, etc. Any addresses to which messages are delivered, as opposed to being bounced back, the spammer can then add to his or her sending list.
My issue was that the attacker was spamming the domain in such a way that, in a matter of seconds, the cPanel server (which had the setting smtp_accept_max = 150) would show
not allowing other legitimate customers to send and receive email. The spammers were targeting only one domain, so I didn't have to go for some automated application.
RBLs were not working as expected, so I ended up using acl_smtp_connect (Exim 4.53); it drops the connection as soon as it is made.
acl_smtp_connect = check_host
I touched two files, /etc/eximwhites and /etc/eximblacks, and just after begin acl added this:
check_host:
  accept hosts = /etc/eximwhites
  deny   log_message = match eximblacks
         hosts = /etc/eximblacks
  accept
I could have configured the ACL to use the RBL at connect time, but 50% of the many spammer IPs being used were not on any RBL list. So I executed the two piped commands below to start with.
To add the server's IPs to the whitelist:
ifconfig | grep 'inet addr' | cut -d ":" -f 2 | cut -d " " -f 1 >> /etc/eximwhites
To add the spammers' IPs to the blacklist (replace example.com with the domain under attack):
grep example.com /var/log/exim_mainlog | grep "rejected RCPT" | cut -d "[" -f 2 | cut -d "]" -f 1 | sort | uniq >> /etc/eximblacks
Adjust the greps as appropriate; this one worked for me.
Woohoo. The eximblacks file had 800+ IPs all of a sudden, and those IPs were rejected at connection time itself, before the SMTP banner or greeting, with a "550 administrative prohibition".
I cleared the log, finally restarted Exim and made sure that no errors were reported in /var/log/exim_mainlog. All was fine after that: problem solved, and no more connection refused errors. This is not a perfect solution, but it worked for me.
Update: This solution worked for me again today, but this time I had to execute the script every 15 s to get things under control. There were 20000 IPs and it took me an hour. I need a better solution. Any suggestions?
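As an added example, not code from the original post: a re-runnable version of the log-to-blacklist step above, so that running it every few seconds (as in the update) does not keep appending duplicate IPs to /etc/eximblacks, and never blacklists an IP listed in /etc/eximwhites. The log lines, file names and the example.com domain are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Re-runnable log-to-blacklist
# step: pull the source IPs of "rejected RCPT" lines for one domain out of an
# Exim main log and append only IPs that are neither already blacklisted nor
# whitelisted, so repeated runs do not make the blacklist grow with duplicates.

# extract_rejected_ips LOG DOMAIN -> unique source IPs, one per line.
# The sed keeps the last [ip] before "rejected RCPT", which skips a HELO
# name that is itself written in brackets, e.g. H=([198.51.100.9]).
extract_rejected_ips() {
    grep "rejected RCPT <[^>]*@$2>" "$1" |
        sed -n 's/.*\[\([0-9][0-9.]*\)\][^[]*rejected RCPT.*/\1/p' |
        sort -u
}

# merge_blacklist NEWIPS WHITELIST BLACKLIST -> prints how many IPs were added
merge_blacklist() {
    new=$1 white=$2 black=$3
    touch "$black"
    known=$(mktemp) cand=$(mktemp)
    cat "$white" "$black" | sort -u > "$known"   # already listed: never re-add
    sort -u "$new" > "$cand"
    comm -23 "$cand" "$known" | tee -a "$black" | awk 'END { print NR }'
    rm -f "$known" "$cand"
}

# demo: constructed log lines, a whitelist holding the server IP and a
# blacklist already holding one IP from an earlier run. Prints
# "<added on run 1> <added on run 2> <blacklist size>", i.e. "1 0 2".
demo() {
    d=$(mktemp -d)
    cat > "$d/exim_mainlog" <<'EOF'
2010-03-01 09:00:01 H=(mail.spam.test) [198.51.100.7] F=<a@spam.test> rejected RCPT <adam@example.com>: No Such User Here
2010-03-01 09:00:01 H=(mail.spam.test) [198.51.100.7] F=<a@spam.test> rejected RCPT <betty@example.com>: No Such User Here
2010-03-01 09:00:02 H=([198.51.100.9]) [198.51.100.9] F=<b@spam.test> rejected RCPT <carl@example.com>: No Such User Here
2010-03-01 09:00:03 H=(other) [203.0.113.4] F=<c@x.test> rejected RCPT <dave@other.example>: relay not permitted
2010-03-01 09:00:05 H=localhost [192.0.2.1] F=<www@example.com> rejected RCPT <nobody@example.com>: No Such User Here
EOF
    echo 192.0.2.1 > "$d/eximwhites"
    echo 198.51.100.7 > "$d/eximblacks"
    extract_rejected_ips "$d/exim_mainlog" example.com > "$d/new"
    a=$(merge_blacklist "$d/new" "$d/eximwhites" "$d/eximblacks")
    b=$(merge_blacklist "$d/new" "$d/eximwhites" "$d/eximblacks")
    n=$(awk 'END { print NR }' "$d/eximblacks")
    rm -rf "$d"
    echo "$a $b $n"
}

demo
```

The second merge_blacklist call adds nothing, which is what makes the script safe to run from cron every few seconds; the whitelisted 192.0.2.1 is never added even though it appears in a rejected RCPT line.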