
Topic: dang SMTP hackers...

travis_farmer

I received about 790 alerts from my server, all with this:

Code:
Transcript of session follows.

 Out: 220 tjfserver.ddns.net ESMTP Postfix
 In:  EHLO USER5
 Out: 250-tjfserver.ddns.net
 Out: 250-PIPELINING
 Out: 250-SIZE 10240000
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  AUTH LOGIN
 Out: 503 5.5.1 Error: authentication not enabled

Session aborted, reason: lost connection


all from IP: 213.149.137.12

So that's why my internet is bogging down... I am under brute-force attack on my SMTP server!
I blacklisted the IP on my firewall, but dang, WTF!  >:(

~Travis

Henry_Best

all from IP: 213.149.137.12
That IP appears to belong to Dupnica Optics in Bulgaria.

Robin2

That IP appears to belong to Dupnica Optics in Bulgaria.
Sounds like it needs looking into.

...R
Two or three hours spent thinking and reading documentation solves most programming problems.

Henry_Best

Sounds like it needs looking into.
Len's the guy for that, but Iris may also help.

TKall

Quote
Len's the guy for that, but Iris may also help.
Nothing like a little Humor...

TKall


msssltd

Surprised you made it this far without the spammers finding your server. 

Have a look into fail2ban

msssltd

If you haven't done so already, enabling the postscreen dnsbl lookup is highly recommended too. 
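To make the recommendation above concrete, here is an added example (not from msssltd's post, and not Postfix's own code) of what a postscreen-style DNSBL lookup does: the client's IPv4 octets are reversed and prefixed to the blocklist zone, the A record that comes back (a 127.0.0.x code) counts as a hit, each zone's hit is multiplied by its weight as in `postscreen_dnsbl_sites = zone*weight`, and the client is rejected when the total reaches `postscreen_dnsbl_threshold`. The zone names are real public lists, but the DNS answers are a constructed in-memory table so the example runs offline; the IP addresses are RFC 5737 documentation ranges, and restricting hits to 127.0.0.0/8 answers is this example's own guard, not postscreen's default.

```python
import ipaddress

# Constructed stand-in for DNS: query name -> A-record answers. Real lookups go
# to the blocklist's nameservers; every entry here is made up for the example.
FAKE_DNS = {
    "7.113.0.203.zen.spamhaus.org": ["127.0.0.4"],   # listed (spamhaus reply code)
    "7.113.0.203.bl.spamcop.net": ["127.0.0.2"],     # listed on spamcop too
    "9.100.51.198.bl.spamcop.net": ["127.0.0.2"],    # listed on spamcop only
    "50.2.0.192.list.dnswl.org": ["127.0.10.2"],     # on an allow-list (negative weight)
}

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: client octets reversed, then the zone.

    203.0.113.7 + zen.spamhaus.org -> 7.113.0.203.zen.spamhaus.org
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def parse_sites(spec):
    """Parse a postscreen_dnsbl_sites-style list, e.g. 'zen.spamhaus.org*3, bl.spamcop.net'.

    Returns [(zone, weight)]; a missing '*weight' means weight 1, and negative
    weights (allow-lists such as list.dnswl.org*-2) subtract from the score.
    """
    sites = []
    for item in spec.replace(",", " ").split():
        zone, _, weight = item.partition("*")
        sites.append((zone, int(weight) if weight else 1))
    return sites


def dnsbl_score(ip, sites, resolve=lambda name: FAKE_DNS.get(name)):
    """Query every zone for the client and sum the weights of the zones that list it."""
    score, hits = 0, []
    for zone, weight in sites:
        answers = resolve(dnsbl_name(ip, zone))
        # Only 127.0.0.0/8 answers count as a listing (this example's guard against
        # a zone that answers with a wildcard or an unrelated address).
        if answers and all(ipaddress.IPv4Address(a) in LOOPBACK for a in answers):
            score += weight
            hits.append(zone)
    return score, hits


def postscreen_decision(ip, sites_spec, threshold=1):
    """Mirror postscreen_dnsbl_threshold: reject once the weighted score reaches it."""
    score, hits = dnsbl_score(ip, parse_sites(sites_spec))
    return ("reject" if score >= threshold else "pass"), score, hits


if __name__ == "__main__":
    spec = "zen.spamhaus.org*3, bl.spamcop.net, list.dnswl.org*-2"
    for client in ("203.0.113.7", "198.51.100.9", "192.0.2.50"):
        print(client, postscreen_decision(client, spec, threshold=2))
```

The weighting is the point: with `zen.spamhaus.org*3` and a threshold of 2 or 3, a single spamhaus listing is enough to reject, while a hit on a lower-confidence list alone is not, and an allow-list with a negative weight can pull a borderline client back under the threshold.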

Henry_Best

Nothing like a little Humor...
Your comments get cornea and cornea.

TKall

Quote
Your comments get cornea and cornea.
You are clearly a pupil of wit and witticism

msssltd

Jan 14, 2018, 10:22 pm Last Edit: Jan 14, 2018, 10:22 pm by msssltd
We need to focus on how to cataract the spammers

Robin2

We need to focus on how to cataract the spammers
A 5 minute delay between posts?

...R

msssltd

A 5 minute delay between posts?
Not going to work for brute force.

To impose a user-level restriction, the user has to log in. Attempts to log in tie up server resources. Bots, repeatedly sending the wrong password, chew up resources and can effectively DoS the server, or the sysadmin reading the failure notifications.

Fail2ban intercepts log file writes.  When a log entry matches a regex and some other parameters, an event is triggered, which can be hooked to an action, like adding the source IP to the firewall block list for some period of time.  Blocking the IP at the firewall consumes far fewer resources.

What I am not clear on is why the SMTP port is open to the public in the first place. The forum software will want/need to send mail, but I can't think why it needs to receive it. If there is no need to receive mail, it would be preferable to only allow connections to the SMTP ports from 127.0.0.1.
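The regex-match, count-within-a-window, block-at-the-firewall mechanism described above, written out as an added Python example (not from msssltd's post, and not fail2ban's own code): a fail2ban-style `failregex` with the `<HOST>` placeholder, a per-IP sliding window driven by `findtime` and `maxretry`, an `ignoreip` list, and a firewall action that fires once per ban. The log lines are constructed to look like what Postfix's smtpd writes when a client sends AUTH and then drops the connection (the situation in the posted transcript); the hostnames, the RFC 5737 addresses, the 192.168.1.0/24 LAN and the 2018 year filled in for the year-less syslog timestamps are all assumptions. The iptables command is returned as a string rather than executed so the example can run anywhere.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/mail.log lines (made up for this example).
# Postfix logs "lost connection after AUTH from <name>[<ip>]" when a client
# sends AUTH and then hangs up, which is what the posted session transcript shows.
SAMPLE_LOG = """\
Jan 14 21:03:11 tjfserver postfix/smtpd[4112]: connect from unknown[203.0.113.7]
Jan 14 21:03:11 tjfserver postfix/smtpd[4112]: lost connection after AUTH from unknown[203.0.113.7]
Jan 14 21:03:11 tjfserver postfix/smtpd[4112]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 commands=1/2
Jan 14 21:03:12 tjfserver postfix/smtpd[4113]: lost connection after AUTH from unknown[203.0.113.7]
Jan 14 21:03:13 tjfserver postfix/smtpd[4114]: lost connection after AUTH from unknown[203.0.113.7]
Jan 14 21:03:20 tjfserver postfix/smtpd[4115]: lost connection after AUTH from unknown[198.51.100.9]
Jan 14 21:12:40 tjfserver postfix/smtpd[4120]: lost connection after AUTH from unknown[198.51.100.9]
Jan 14 21:14:05 tjfserver postfix/smtpd[4121]: lost connection after AUTH from unknown[198.51.100.9]
Jan 14 21:14:06 tjfserver postfix/smtpd[4122]: lost connection after RCPT from mail.example.net[192.0.2.50]
Jan 14 21:14:07 tjfserver postfix/smtpd[4123]: lost connection after AUTH from localhost[127.0.0.1]
"""

# fail2ban filter syntax: <HOST> stands for the offending client address.
FAILREGEX = r"postfix/smtpd\[\d+\]: lost connection after AUTH from \S+\[<HOST>\]"
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)")


def compile_failregex(pattern):
    """Turn a fail2ban-style failregex into a Python regex with a named 'host' group."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def parse_ts(line, year=2018):
    """Parse the syslog prefix. Syslog omits the year, so one is assumed."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {int(m['day']):02d} {m['time']}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S")


class Jail:
    """One fail2ban-style jail: maxretry failures within findtime => ban for bantime."""

    def __init__(self, failregex, maxretry=3, findtime=600, bantime=3600,
                 ignoreip=("127.0.0.0/8", "192.168.1.0/24")):  # assumed LAN
        self.rx = compile_failregex(failregex)
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> timestamps of recent matches
        self.bans = {}                      # ip -> (ban start, ban end)
        self.actions = []                   # firewall commands that would be run

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a ban."""
        m = self.rx.search(line)
        if not m:
            return None
        ts, ip = parse_ts(line), m["host"]
        if ts is None or any(ipaddress.ip_address(ip) in n for n in self.ignore):
            return None
        if ip in self.bans and ts < self.bans[ip][1]:
            return None  # still banned; the firewall is already dropping it
        window = self.failures[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()  # expire matches older than findtime
        if len(window) >= self.maxretry:
            self.bans[ip] = (ts, ts + timedelta(seconds=self.bantime))
            window.clear()
            # Blocking at the firewall costs far less than answering each attempt.
            self.actions.append(f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j REJECT")
            return ip
        return None


def run_jail(log_text, **jail_opts):
    """Feed every line through a jail; return (banned IPs in order, firewall actions)."""
    jail = Jail(FAILREGEX, **jail_opts)
    banned = [ip for line in log_text.splitlines() if (ip := jail.feed(line))]
    return banned, jail.actions


if __name__ == "__main__":
    print(run_jail(SAMPLE_LOG))
```

With the defaults above, 203.0.113.7 is banned on its third AUTH-and-drop within two seconds, while 198.51.100.9 is not: its first attempt has already aged out of the 600-second window by the time the third arrives. Widening `findtime` to an hour catches the slow one too, which is the trade-off the two knobs exist for.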


msssltd

I have it set so it won't relay for connections not in my network, so I am not particularly worried about that.
Open relays are a bit 1999.  Things have moved on.  If you only need your local network to relay, allow the subnet on the firewall and block everything else.

Sending from a dynamic IP / DDNS may give you some deliverability issues.  Best practice is to use a fixed IP with properly configured RDNS.  If you don't do that, your router IP is likely to end up on the spamhaus and/or barracuda blacklists. 

You may be able to safely use your server for store and forward.  Configure your ISP's server as a smart host and relay through your own server.  When the ISP server is down, your server holds the mail in a retry queue.

aarg

  ... with a transistor and a large sum of money to spend ...
Please don't PM me with technical questions. Post them in the forum.
