[CentOS] Sendmail SMTP Brute-Force Attack
John Hinton
webmaster at ew3d.com
Fri Jun 15 22:08:29 UTC 2012
On 6/14/2012 8:58 PM, Gustavo Lacoste wrote:
> The problem with my server is: I use it to offer webhosting services. Some
> customers using Outlook are blocked because they use black listed ips (ips
> simply are dynamic).
>
>
That is the same problem I am dealing with. You have to set up a dual
mailserver system with outbound set to not use the blacklist used on the
inbound server or you will block some of your good users who happen to
land on a dirty IP address from time to time. The situation is the same
with SpamAssassin or any other anti-spam system in place.
Sendmail and Postfix work the same in this regard. And I'm still not
certain which one I like the most, after installing Postfix on our last
4 systems. I think the logging from Sendmail is way more logical (easier
to comprehend), but maybe that is just because I have been reading those
logs for many years.
I would still take a look at Fail2Ban. You need to be very careful with
your rules, but it is extremely flexible. You only provided about 30
seconds from your mail log. Fail2ban will look over a much greater time
span and activate whatever blocks you enable or write. I have written
blocks based on not passing certain spam tests, such as the Spamhaus RBL
(and yes we pay for that service). But I really didn't care for our
systems to run the repeated DNS lookups. The rule blocks them at the
firewall and over time, the number of blocks has decreased as many
spammers have just quit trying. I have rules to block spammers mining
for good email addresses (some of our domains were getting 10s of
thousands of attempts per day). I also use Fail2Ban for FTP, SMTP and
just about every service login, with adjusted numbers of attempts and
shorter or longer times based on how the rules might adversely affect
one of our actual users. Higher security risk services with low volume
use by users, get blocked after fewer failed attempts and for much
longer times.
FYI, Spamhaus is blocking around 90% of all our inbound emails as spam.
That number should actually be higher, but Fail2Ban does not allow a
number of messages in due to the firewall blocks, so those don't get
figured in to that total. Spamhaus is perfect in blocking IP addresses
that positively were used to send spam, but dynamic addresses do get
caught creating some false positives.
--
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions
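The detection logic described in the post (count authentication failures per source IP over a window much longer than 30 seconds of log, block the source at the firewall when a threshold is crossed, and use tighter thresholds and longer bans for services with few legitimate logins) as an added example in Python. This is not Fail2Ban's own code and not anything from the thread: the failregex is written in Fail2Ban's `<HOST>` placeholder style, the log lines are constructed here in the general shape of sendmail/SASL "AUTH failure" entries (the exact format is an assumption and varies by version), and the maxretry/findtime/bantime numbers are illustrative.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fail2Ban-style failregex using its <HOST> placeholder. The line shape
# (sendmail/SASL AUTH failure ending in "relay=[ip]") is an assumption.
FAILREGEX = r"AUTH failure \([A-Z0-9-]+\):.*relay=(?:\S+ )?\[<HOST>\]$"
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))
# syslog prefix: "Jun 15 22:08:01 mail sm-mta[4101]: ..."
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")


@dataclass(frozen=True)
class JailPolicy:
    maxretry: int   # failures tolerated inside findtime
    findtime: int   # sliding window, seconds
    bantime: int    # how long the firewall block lasts, seconds


# Per-service budgets, as the post describes: a low-volume, high-risk
# service gets fewer attempts and a much longer ban. Values are illustrative.
POLICIES = {
    "sendmail-auth": JailPolicy(maxretry=5, findtime=600, bantime=3600),
    "ftp": JailPolicy(maxretry=3, findtime=600, bantime=86400),
}

# Constructed sample maillog: one brute-forcer (203.0.113.5), one legitimate
# user who mistypes a password once (198.51.100.7), and one slow attacker
# (192.0.2.9) whose attempts are spaced wider than findtime.
SAMPLE_LOG = """\
Jun 15 22:08:01 mail sm-mta[4101]: q5FM81aa004101: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): checkpass failed, user=alice, relay=[203.0.113.5]
Jun 15 22:08:09 mail sm-mta[4102]: q5FM89ab004102: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): checkpass failed, user=bob, relay=[203.0.113.5]
Jun 15 22:08:15 mail sm-mta[4103]: q5FM8Fac004103: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): checkpass failed, user=carol, relay=[203.0.113.5]
Jun 15 22:08:20 mail sm-mta[4104]: q5FM8Kad004104: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): checkpass failed, user=john, relay=customer.example.net [198.51.100.7]
Jun 15 22:08:40 mail sm-mta[4105]: q5FM8eae004105: from=<john@example.net>, size=1204, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=customer.example.net [198.51.100.7]
Jun 15 22:09:05 mail sm-mta[4106]: q5FM95af004106: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): checkpass failed, user=dave, relay=[203.0.113.5]
Jun 15 22:09:30 mail sm-mta[4107]: q5FM9Uag004107: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): checkpass failed, user=erin, relay=[203.0.113.5]
Jun 15 22:10:00 mail sm-mta[4108]: q5FMA0ah004108: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): checkpass failed, user=frank, relay=[203.0.113.5]
Jun 15 22:15:30 mail sm-mta[4109]: q5FMFUai004109: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): checkpass failed, user=admin, relay=[192.0.2.9]
Jun 15 22:40:00 mail sm-mta[4110]: q5FMe0aj004110: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): checkpass failed, user=admin, relay=[192.0.2.9]
Jun 15 23:05:00 mail sm-mta[4111]: q5FN50ak004111: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): checkpass failed, user=admin, relay=[192.0.2.9]
"""


def parse_failure(line, year=2012):
    """Return (timestamp, host) for an AUTH failure line, else None.
    syslog lines carry no year, so the caller supplies one."""
    m_ts = TS_RE.match(line)
    m_fail = FAIL_RE.search(line)
    if not (m_ts and m_fail):
        return None
    ts = datetime.strptime(f"{m_ts['ts']} {year}", "%b %d %H:%M:%S %Y")
    return ts, m_fail["host"]


def find_bans(lines, policy, year=2012):
    """Replay log lines through a per-host sliding window; return {host: ban_start}.

    A host is banned when its maxretry-th failure inside findtime seconds
    arrives. Failures from a host whose ban is still active are ignored,
    since the firewall block would have dropped that connection anyway."""
    window = defaultdict(deque)
    bans = {}
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, host = parsed
        ban_start = bans.get(host)
        if ban_start is not None and ts < ban_start + timedelta(seconds=policy.bantime):
            continue
        q = window[host]
        q.append(ts)
        cutoff = ts - timedelta(seconds=policy.findtime)
        while q and q[0] < cutoff:        # drop attempts older than findtime
            q.popleft()
        if len(q) >= policy.maxretry:
            bans[host] = ts
            q.clear()
    return bans


def ban_command(host):
    """The kind of rule a firewall ban action inserts (plain iptables shown)."""
    return f"iptables -I INPUT -s {host} -j DROP"


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"[{name}] maxretry={policy.maxretry} findtime={policy.findtime}s")
        for host, when in find_bans(SAMPLE_LOG.splitlines(), policy).items():
            print(f"  {when:%b %d %H:%M:%S} ban {host}: {ban_command(host)}")
```

The point of the sliding window is visible in the sample: the fast brute-forcer trips the 5-in-600s budget at its fifth attempt, the customer who mistyped once is never touched, and the slow attacker never accumulates enough attempts inside any one window, which is exactly the trade-off the post warns about when choosing findtime and maxretry per service.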