dang SMTP hackers...

I received about 790 alerts from my server, all with this:

Transcript of session follows.

 Out: 220 tjfserver.ddns.net ESMTP Postfix
 In:  EHLO USER5
 Out: 250-tjfserver.ddns.net
 Out: 250-PIPELINING
 Out: 250-SIZE 10240000
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  AUTH LOGIN
 Out: 503 5.5.1 Error: authentication not enabled

Session aborted, reason: lost connection

all from IP: 213.149.137.12

So that's why my internet is bogging down... I am under attack via brute force against my SMTP server!
I blacklisted the IP on my firewall, but dang, WTF! >:(

~Travis

travis_farmer:
I received about 790 alerts from my server, all with this:

Transcript of session follows.

Out: 220 tjfserver.ddns.net ESMTP Postfix
In:  EHLO USER5
Out: 250-tjfserver.ddns.net
Out: 250-PIPELINING
Out: 250-SIZE 10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In:  AUTH LOGIN
Out: 503 5.5.1 Error: authentication not enabled

Session aborted, reason: lost connection

all from IP: 213.149.137.12

So that's why my internet is bogging down... I am under attack via brute force against my SMTP server!
I blacklisted the IP on my firewall, but dang, WTF! >:(

~Travis

That IP appears to belong to Dupnica Optics in Bulgaria.

Henry_Best:
That IP appears to belong to Dupnica Optics in Bulgaria.

Sounds like it needs looking into.

...R

Robin2:
Sounds like it needs looking into.

Len's the guy for that, but Iris may also help.

Nothing like a little Humor...

You should call them.

Surprised you made it this far without the spammers finding your server.

Have a look into fail2ban

If you haven't done so already, enabling the postscreen dnsbl lookup is highly recommended too.

TKall:
Nothing like a little Humor...

Your comments get cornea and cornea.

You are clearly a pupil of wit and witticism

We need to focus on how to cataract the spammers

msssltd:
We need to focus on how to cataract the spammers

A 5 minute delay between posts?

...R

Robin2:
A 5 minute delay between posts?

Not going to work for brute force.

To impose a user level restriction, the user has to log in. Attempts to log in tie up server resources. Bots, repeatedly sending the wrong password, chew up resources and can effectively DoS the server, or the sysadmin reading the failure notifications.

Fail2ban intercepts log file writes. When a log entry matches a regex and some other parameters, an event is triggered, which can be hooked to an action, like adding the source IP to the firewall block list for some period of time. Blocking the IP at the firewall consumes far fewer resources.

What I am not clear on is why the SMTP port is open to the public in the first place. The forum software will want/need to send mail, but I can't think why it needs to receive it. If there is no need to receive mail, it would be preferable to only allow connections to the SMTP ports from 127.0.0.1.
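As an added example (not code from this thread and not fail2ban's own code), the log-regex-plus-counter logic described above, written in Python and run over constructed Postfix smtpd log lines: a failregex for the "lost connection after AUTH" entries, a per-IP sliding window using fail2ban's own parameter names (maxretry, findtime, bantime), and the ban decision that an action would turn into a firewall rule. The log wording, hostnames, process IDs and the year are assumptions; the first IP is the one reported in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Postfix smtpd log lines (not from the original post). The first IP is the
# one reported in the thread; the second is a documentation address that fails only once.
SAMPLE_LOG = """\
Jan 12 03:14:01 tjfserver postfix/smtpd[2101]: connect from unknown[213.149.137.12]
Jan 12 03:14:02 tjfserver postfix/smtpd[2101]: lost connection after AUTH from unknown[213.149.137.12]
Jan 12 03:14:05 tjfserver postfix/smtpd[2102]: lost connection after AUTH from unknown[213.149.137.12]
Jan 12 03:14:09 tjfserver postfix/smtpd[2103]: lost connection after AUTH from unknown[213.149.137.12]
Jan 12 03:14:30 tjfserver postfix/smtpd[2104]: lost connection after AUTH from unknown[213.149.137.12]
Jan 12 03:15:00 tjfserver postfix/smtpd[2105]: connect from mail.example.net[192.0.2.10]
Jan 12 03:15:01 tjfserver postfix/smtpd[2105]: lost connection after AUTH from mail.example.net[192.0.2.10]
"""

# The "failregex": only lines that look like an aborted AUTH attempt count as a failure.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after AUTH from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]$"
)

def scan(log_text, maxretry=3, findtime=60, year=2016):
    """Return {ip: time_of_ban} for every IP with at least `maxretry` failures inside a
    sliding window of `findtime` seconds. `year` is assumed: syslog stamps carry none."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue              # "connect from" and other lines are not failures
        ip = m.group("ip")
        if ip in bans:
            continue              # already handed to the firewall; stop counting
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans

def ban_rules(bans, bantime=600):
    """Render each ban as the iptables rule a fail2ban action would insert (strings only;
    nothing is executed here). bantime is how long the rule should stay, in seconds."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j REJECT"
            f"  # banned at {ts:%H:%M:%S}, lift after {bantime}s" for ip, ts in bans.items()]

if __name__ == "__main__":
    for rule in ban_rules(scan(SAMPLE_LOG)):
        print(rule)
```

With the defaults, the thread's IP is banned on its third failure at 03:14:09 and the fourth failure is never counted; the single failure from the second host stays below maxretry.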

travis_farmer:
I have it set so it won't relay for connections not in my network, so I am not particularly worried about that.

Open relays are a bit 1999. Things have moved on. If you only need your local network to relay, allow the subnet on the firewall and block everything else.

Sending from a dynamic IP / DDNS may give you some deliverability issues. Best practice is to use a fixed IP with properly configured RDNS. If you don't do that, your router IP is likely to end up on the Spamhaus and/or Barracuda blacklists.

You may be able to safely use your server for store and forward. Configure your ISP's server as a smart host and relay through your own server. When the ISP server is down, your server holds the mail in a retry queue.

What is SMTP?

  • Transfer -

(TCP is the "transport")

:smiling_imp: