Dear CentOS Community
It is totally clear there's no support for the sendmail platform today, but I need to stop an SMTP brute-force attack on sendmail. My server is being attacked today; my maillog looks like:
4624@myserver.com>, proto=ESMTP, daemon=MTA, relay=myserver.com [127.0.0.1]
Jun 14 19:07:01 at6412 sendmail[24627]: q5EN71jC024627: from=<>, size=3958, class=0, nrcpts=1, msgid=201206142307.q5EN710u024623@myserver.com, proto=ESMTP, daemon=MTA, relay=myserver.com [127.0.0.1]
Jun 14 19:07:23 at6412 sendmail[24868]: q5EN7M6D024868: from=<qmarket@qmarket.cl>, size=2193, class=0, nrcpts=2, msgid=<20120614231448.1E99A13EE5F@smtp02qmarket.qmarket.cl>, proto=ESMTP, daemon=MTA, relay=[200.1.174.121]
Jun 14 19:07:24 at6412 sendmail[24961]: q5EN7OT4024961: from=<nobody@2012.123icq.cl>, size=4716, class=0, nrcpts=1, msgid=<E1SfJ8H-0005kv-JE@2012.123icq.cl>, proto=ESMTP, daemon=MTA, relay=pc1.globalmac.cl [200.29.231.61] (may be forged)
Jun 14 19:07:33 at6412 sendmail[25013]: q5EN7SqK025013: from=<a.pfsvtij@yahoo.com>, size=760, class=0, nrcpts=1, msgid=<1531549-634033-36@owfzdl.net>, proto=SMTP, daemon=MTA, relay=h095159149119.ys.dsl.sakhalin.ru [95.159.149.119]
Jun 14 19:07:37 at6412 sendmail[25065]: q5EN7bCj025065: from=<en.viaimport@gmail.com>, size=4531, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=186-105-73-29.baf.movistar.cl [186.105.73.29]
I need help to STOP these spammers right now.
Thanks in advance to anyone who can guide me
With Kind Regards,
Gustavo A. Lacoste Z. Curacautín - Chile Skype: knxroot Msn & Gtalk: knx.root [at] gmail.com Home page: http://www.lacosox.org - - *Please avoid sending me attachments in Word or PowerPoint format. Read http://www.gnu.org/philosophy/no-word-attachments.es.html*
On 06/14/12 4:33 PM, Gustavo Lacoste wrote:
I need help to STOP these spammers right now.
Thanks in advance to anyone who can guide me
Two of the three relay IPs listed in your log fragment are listed on Spamhaus' Zen combined list, http://www.spamhaus.org/zen/
This is free for use by low-volume non-commercial email servers; see the terms linked on the above URL. Adding the following line to your sendmail.mc file, then rebuilding the .cf and restarting sendmail, would reject all mail connections from servers listed via Spamhaus.
FEATURE(dnsbl,`zen.spamhaus.org',`Message from $&{client_addr} rejected - see http://www.spamhaus.org/SBL/sbl-rationale.html') dnl
(note this file is in M4 syntax, and has to use 'funny' quoting, with a ` as the opening quote).
You can also use fail2ban:
http://www.fail2ban.org/wiki/index.php/Sendmail http://www.fail2ban.org/wiki/index.php/HOWTOs
Work on the filter. You can set it so that if there are 'x' connections from the same IP in 'y' seconds, it blocks them in the firewall.
The problem with my server is: I use it to offer webhosting services. Some customers using Outlook are blocked because they use blacklisted IPs (the IPs are simply dynamic).
2012/6/14 John R Pierce pierce@hogranch.com
On 06/14/12 4:33 PM, Gustavo Lacoste wrote:
I need help to STOP these spammers right now.
Thanks in advance to anyone who can guide me
Two of the three relay IPs listed in your log fragment are listed on Spamhaus' Zen combined list, http://www.spamhaus.org/zen/
This is free for use by low-volume non-commercial email servers; see the terms linked on the above URL. Adding the following line to your sendmail.mc file, then rebuilding the .cf and restarting sendmail, would reject all mail connections from servers listed via Spamhaus.
FEATURE(dnsbl,`zen.spamhaus.org',`Message from $&{client_addr} rejected
(note this file is in M4 syntax, and has to use 'funny' quoting, with a ` as the opening quote).
-- john r pierce N 37, W 122 santa cruz ca mid-left coast
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
If you have disabled open relaying, then I would look at greylisting and throttling to reduce the amount of spam per hour that comes in.
Since you're routing others' emails, there is no point in spam analysis because your customers are probably doing it already. You just need to dissuade spammers from full-throttling your edge servers.
-Ross
On Jun 14, 2012, at 8:58 PM, Gustavo Lacoste gustavo@lacosox.org wrote:
The problem with my server is: I use it to offer webhosting services. Some customers using Outlook are blocked because they use blacklisted IPs (the IPs are simply dynamic).
On Thu, Jun 14, 2012 at 7:58 PM, Gustavo Lacoste gustavo@lacosox.org wrote:
The problem with my server is: I use it to offer webhosting services. Some customers using Outlook are blocked because they use blacklisted IPs (the IPs are simply dynamic).
Give them logins/passwords and only relay if the connection is authenticated.
On 6/15/12 2:03 AM, Les Mikesell wrote:
On Thu, Jun 14, 2012 at 7:58 PM, Gustavo Lacoste gustavo@lacosox.org wrote:
The problem with my server is: I use it to offer webhosting services. Some customers using Outlook are blocked because they use blacklisted IPs (the IPs are simply dynamic).
Give them logins/passwords and only relay if the connection is authenticated.
Hi, the solution Les Mikesell offered is also a good option: use the sasldb function to authenticate before relaying. http://postfix.state-of-mind.de/patrick.koetter/smtpauth/sasldb_configuratio...
Thanks / Regards
On 06/14/12 5:58 PM, Gustavo Lacoste wrote:
The problem with my server is: I use it to offer webhosting services. Some customers using Outlook are blocked because they use blacklisted IPs (the IPs are simply dynamic).
They should be using SMTP AUTH over SASL, or they should be using their ISP's smarthosts for forwarding outbound mail.
On 6/14/2012 8:58 PM, Gustavo Lacoste wrote:
The problem with my server is: I use it to offer webhosting services. Some customers using Outlook are blocked because they use blacklisted IPs (the IPs are simply dynamic).
That is the same problem I am dealing with. You have to set up a dual mailserver system with outbound set to not use the blacklist used on the inbound server or you will block some of your good users who happen to land on a dirty IP address from time to time. The situation is the same with SpamAssassin or any other anti-spam system in place.
Sendmail and Postfix work the same in this regard. And I'm still not certain which one I like the most, after installing Postfix on our last 4 systems. I think the logging from Sendmail is way more logical (easier to comprehend), but maybe that is just because I have been reading those logs for many years.
I would still take a look at Fail2Ban. You need to be very careful with your rules, but it is extremely flexible. You only provided about 30 seconds from your mail log. Fail2ban will look over a much greater time span and activate whatever blocks you enable or write. I have written blocks based on not passing certain spam tests, such as the Spamhaus RBL (and yes, we pay for that service). But I really didn't care for our systems to run the repeated DNS lookups. The rule blocks them at the firewall and over time, the number of blocks has decreased as many spammers have just quit trying. I have rules to block spammers mining for good email addresses (some of our domains were getting tens of thousands of attempts per day). I also use Fail2Ban for FTP, SMTP and just about every service login, with adjusted numbers of attempts and shorter or longer times based on how the rules might adversely affect one of our actual users. Higher security risk services with low volume use by users get blocked after fewer failed attempts and for much longer times.
FYI, Spamhaus is blocking around 90% of all our inbound emails as spam. That number should actually be higher, but Fail2Ban does not allow a number of messages in due to the firewall blocks, so those don't get figured into that total. Spamhaus is perfect in blocking IP addresses that positively were used to send spam, but dynamic addresses do get caught, creating some false positives.
Thanks guys! John, can you send me a simple filter for fail2ban+SMTP? I tried using the following filters, but this is not sufficient for me yet.
/etc/fail2ban/filter.d/sendmail.conf

[Definition]
failregex = \[<HOST>\], reject.*\.\.\. Relaying denied
            \(User unknown\)\n* \[<HOST>\] badlogin: .*
            \[<HOST>\] plaintext .* SASL
            reject=550 5\.7\.1 Blocked, look at http://cbl\.abuseat\.org/lookup\.cgi\?ip=<HOST>
ignoreregex =

/etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
2012/6/15 John Hinton webmaster@ew3d.com
-- John Hinton 877-777-1407 ext 502 http://www.ew3d.com Comprehensive Online Solutions
On 6/15/2012 9:10 PM, Gustavo Lacoste wrote:
Thanks guys! John, can you send me a simple filter for fail2ban+SMTP? I tried using the following filters, but this is not sufficient for me yet.
First, I switched to Postfix on my last CentOS 5 and all CentOS 6 installs. These rules are from v5 boxes, but are pretty old now. My strongest rules were on CentOS 4 systems, which have been retired, trashed or recycled. Make sure they match up to your logging.
Dovecot Auth Failures:
failregex = dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
Spamhaus Failures:
failregex = sendmail.*?(?:ruleset=check_relay).* relay=<HOST> .* ?reject=550 5.7.1 Email rejected due to Unsolicited Bulk Email [xbl] policies see: http://spamhaus\.org/
Plug in what you want for xbl. This catches almost all of our blocks. I cannot use pbl, and therefore zen, due to outbound from pbl-listed networks. Or at least that is how I understand it. I never tried.
These systems were never what I would call production servers and apparently there was never a need to catch the user unknown errors. Unfortunately, my rules for that are gone now for Sendmail. Also, I'm not good at regexes. Pretty much I started with the exact log containing the failure and worked back from there to what I have.
I have noted that Fail2Ban maintainers seem to be supporting Postfix. I think I've been grabbing it from epel or maybe dag. Most of the rules work out of the box. But I'd never suggest that Postfix is better than Sendmail, nor would I suggest you choose one over the other.
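As an added example (not code from the thread, from fail2ban or from any of its posters), the following Python emulates what fail2ban does with a filter like the ones above: expand <HOST> into its capture group, strip the syslog prefix, match each line, and count hits per host inside a findtime window against maxretry. The failregex is modelled on the check_relay rule above but captures the bracketed IP after relay= so the firewall gets an address; all sample lines, hostnames, queue IDs and IPs are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban replaces <HOST> in a failregex with this group; the optional prefix
# drops the ::ffff: of IPv4-mapped IPv6 addresses.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex in the style of the sendmail DNSBL rule above, capturing the
# bracketed IP after "relay=" (the hostname may be absent or forged). The
# "Mon DD HH:MM:SS host" syslog prefix is removed before matching, as fail2ban does.
FAILREGEX = (
    r"sendmail\[\d+\]: \w+: ruleset=check_relay, .*relay=(?:\S+ )?\[<HOST>\], "
    r"reject=550 5\.7\.1 Email rejected due to Unsolicited Bulk Email"
)
SYSLOG_LINE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<rest>.*)$")


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def parse_failures(log_text, regex, year=2012):
    """Yield (timestamp, host) for every log line the failregex matches."""
    for line in log_text.splitlines():
        m = SYSLOG_LINE.match(line)
        hit = m and regex.search(m.group("rest"))
        if hit:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, hit.group("host")


def hosts_to_ban(log_text, pattern=FAILREGEX, maxretry=3, findtime=600):
    """Return hosts with at least maxretry failures inside a findtime-second
    window, mirroring how fail2ban decides a ban per host."""
    seen, banned = defaultdict(list), set()
    for ts, host in parse_failures(log_text, compile_failregex(pattern)):
        recent = [t for t in seen[host] if (ts - t).total_seconds() <= findtime]
        recent.append(ts)
        seen[host] = recent
        if len(recent) >= maxretry:
            banned.add(host)
    return banned


def _reject_line(minute, pid, name, ip):
    """Constructed sendmail check_relay reject line (hosts, IDs and IPs are made up)."""
    return (f"Jun 15 10:{minute:02d}:00 mx sendmail[{pid}]: q5FA{pid:06d}: "
            f"ruleset=check_relay, arg1={name}, arg2=127.0.0.4, relay={name} [{ip}], "
            f"reject=550 5.7.1 Email rejected due to Unsolicited Bulk Email [xbl] "
            f"policies see: http://spamhaus.org/")


# One bot reconnecting three times in three minutes: the per-host threshold trips.
ONE_HOST_RETRYING = "\n".join(
    _reject_line(m, 1000 + m, "bot.example.net", "192.0.2.10") for m in range(3))

# Five bots, one connection each (the pattern in the original maillog fragment):
# no single host reaches maxretry, so a per-IP ban never fires.
DISTRIBUTED = "\n".join(
    _reject_line(m, 2000 + m, f"bot{m}.example.net", f"198.51.100.{m + 1}")
    for m in range(5))
```

Lowering maxretry to 1 turns the filter into a "ban on first DNSBL hit" rule, which is the trade-off John Hinton describes between fewer DNS lookups and the risk of blocking a customer on a dirty dynamic address.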
On 6/14/12 11:33 PM, Gustavo Lacoste wrote:
Dear CentOS Community
Is totally clear there's no support sendmail platform today, but I need to stop SMTP brute-force attack on sendmail. My server is attacked today, my maillog look like :
Hi,
There are a few solutions available to do this.
1.) install & configure fail2ban
2.) Using iptables: I don't know if it is applicable to you.
# Fix in place to kick a user for 1 minute after three errors in the SMTP session
# and limit the number of connections someone could make with a simple iptables rule
-A INPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
-A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set
I trust this helps. There is another solution, but you do not use Postfix:
# How many simultaneous connections any client is allowed to make to this service.
smtpd_client_connection_count_limit = 3

# The maximal number of connection attempts any client is allowed to make to this service per time unit.
smtpd_client_connection_rate_limit = 10

# The maximal number of message delivery requests that any client is allowed to make to this service
# per time unit, regardless of whether or not Postfix actually accepts those messages.
smtpd_client_message_rate_limit = 20

# The maximal number of recipient addresses that any client is allowed to send to this service
# per time unit, regardless of whether or not Postfix actually accepts those recipients.
smtpd_client_recipient_rate_limit = 500

# Clients that are excluded from connection count, connection rate, or SMTP request rate restrictions.
smtpd_client_event_limit_exceptions = $mynetworks
Thanks
John R Pierce wrote:
On 06/15/12 9:25 AM, Shiv. Nath wrote:
1.) install & configure fail2ban
Each of the connections shown in the log fragment was from a different IP. How would fail2ban help?
Interesting - I hadn't looked that closely. You're right - if it's one attack, it's a distributed one.
mark
On 06/15/2012 09:33 AM, John R Pierce wrote:
On 06/15/12 9:25 AM, Shiv. Nath wrote:
1.) install & configure fail2ban
each of the connections shown in the log fragment was from a different IP. how would fail2ban help?
If you were to switch to postfix, I believe that postscreen may be able to handle this type of spambot attack. http://www.postfix.org/postscreen.8.html Unless you happen to already be a sendmail guru, my sense is that postfix is easier to configure to deal with these complex situations.
Nataraj
On Fri, Jun 15, 2012 at 11:25 AM, Shiv. Nath prabhpal@digital-infotech.net wrote:
I need help to STOP these spammers right now.
Thanks in advance to anyone who can guide me
[...]
I trust this helps. There is another solution, but you do not use Postfix.
Sendmail is nearly infinitely configurable - and not all that complicated if you do it in sendmail.mc instead of .cf. But, the really quick fix is to drop in a couple of milters. milter-greylist is in the rpmforge repo and will tempfail everything the first time it sees a new sender (exceptions/timing configurable, of course). Most spammers don't retry, all real mail servers do, so at the expense of an occasional delivery delay you avoid most of the problem. MimeDefang is in both EPEL and rpmforge. It lets you control most sendmail operations in a small snippet of perl and allows you to run any tests you want, including rbls and spamassassin before the message is accepted at the smtp level. MimeDefang is flexible enough that you could add your own greylisting there, but it isn't included out of the box (but the author has a commercial solution that is more complete).
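As an added example (not from the thread and not milter-greylist's own code), here is the decision logic a greylisting milter applies at RCPT TO time, keyed on the (client IP, sender, recipient) triplet: tempfail on first sight, accept only a retry that arrives after a minimum delay but within a retry window, then whitelist the triplet. The delay, window and whitelist lifetime values are assumptions, and the two senders in the scenario are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    """Greylisting state for one MTA; all timing values are assumed defaults."""
    delay: timedelta = timedelta(minutes=5)        # retries before this are refused again
    retry_window: timedelta = timedelta(hours=4)   # retries after this start a new cycle
    whitelist_ttl: timedelta = timedelta(days=36)  # how long a proven triplet stays accepted
    pending: dict = field(default_factory=dict)    # triplet -> time first seen
    known: dict = field(default_factory=dict)      # triplet -> whitelist expiry

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply the milter would give for this RCPT TO."""
        key = (ip, sender.lower(), rcpt.lower())
        expiry = self.known.get(key)
        if expiry is not None and now < expiry:
            self.known[key] = now + self.whitelist_ttl  # refresh on every use
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now                     # first sight: start the clock
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL                             # came back too soon
        del self.pending[key]                           # a real MTA queued and retried
        self.known[key] = now + self.whitelist_ttl
        return ACCEPT


def simulate():
    """Constructed scenario: a bot that never retries versus an MTA that queues and retries."""
    gl = Greylist()
    t0 = datetime(2012, 6, 15, 12, 0, 0)
    legit = ("198.51.100.5", "friend@example.org", "user@example.com")
    bot = ("192.0.2.10", "forged@example.net", "user@example.com")
    return {
        "bot": gl.check(*bot, t0),                                  # 451, never comes back
        "first": gl.check(*legit, t0),                              # 451, clock starts
        "too_soon": gl.check(*legit, t0 + timedelta(minutes=1)),    # 451, before delay
        "retry": gl.check(*legit, t0 + timedelta(minutes=10)),      # 250, whitelisted
        "later": gl.check(*legit, t0 + timedelta(days=2)),          # 250, no delay now
        "bot_still_pending": bot in gl.pending,
    }
```

The cost Les mentions is visible in the scenario: the legitimate first message waits for its sender's retry schedule, while every later message for that triplet passes straight through.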
Shiv. Nath wrote:
On 6/14/12 11:33 PM, Gustavo Lacoste wrote:
Dear CentOS Community
Is totally clear there's no support sendmail platform today, but I need to stop SMTP brute-force attack on sendmail. My server is attacked today, my maillog look like :
4624@myserver.com>, proto=ESMTP, daemon=MTA, relay=myserver.com [127.0.0.1]
Jun 14 19:07:01 at6412 sendmail[24627]: q5EN71jC024627: from=<>, size=3958, class=0, nrcpts=1, msgid=201206142307.q5EN710u024623@myserver.com, proto=ESMTP, daemon=MTA, relay=myserver.com [127.0.0.1]
<snip>
I need help to STOP these spammers right now.
there are few solutions available to do this.
1.) install & configure fail2ban
2.) Using IP Tables: i don't know if it is applicable to you
<snip> I strongly encourage you to use fail2ban. Which, btw, rewrites iptables rules on the fly....
Speaking of which... are other folks seeing a low-level (that is, hit, try later, hit, try later, etc, over weeks, rather than trytrytrytrytrytrytry in one shot) from inetnum: 91.201.64.0 - 91.201.67.255 netname: Donekoserv descr: DonEkoService Ltd country: RU
This is explicitly against PMA, which I gather, is apache-pma.
mark