[CentOS] Sendmail SMTP Brute-Force Attack

Fri Jun 15 22:08:29 UTC 2012
John Hinton <webmaster at ew3d.com>

On 6/14/2012 8:58 PM, Gustavo Lacoste wrote:
> The problem with my server is: I use it to offer webhosting services. Some
> customers using Outlook are blocked because they use black listed ips (ips
> simply are dynamic).
>
>
That is the same problem I am dealing with. You have to set up a dual 
mailserver system with outbound set to not use the blacklist used on the 
inbound server or you will block some of your good users who happen to 
land on a dirty IP address from time to time. The situation is the same 
with SpamAssassin or any other anti-spam system in place.

Sendmail and Postfix work the same in this regard. And I'm still not 
certain which one I like the most, after installing Postfix on our last 
4 systems. I think the logging from Sendmail is way more logical (easier 
to comprehend), but maybe that is just because I have been reading those 
logs for many years.

I would still take a look at Fail2Ban. You need to be very careful with 
your rules, but it is extremely flexible. You only provided about 30 
seconds from your mail log. Fail2ban will look over a much greater time 
spam and activate whatever blocks you enable or write. I have written 
blocks based on not passing certain spam tests, such as the Spamhaus RBL 
(and yes we pay for that service). But I really didn't care for our 
systems to run the repeated DNS lookups. The rule blocks them at the 
firewall and over time, the number of blocks has decreased as many 
spammers have just quit trying. I have rules to block spammers mining 
for good email addresses (some of our domains were getting 10s of 
thousands of attempts per day). I also use Fail2Ban for FTP, SMTP and 
just about every service login, with adjusted numbers of attempts and 
shorter or longer times based on how the rules might adversely effect 
one of our actual users. Higher security risk services with low volume 
use by users, get blocked after fewer failed attempts and for much 
longer times.

FYI, Spamhaus is blocking around 90% of all our inbound emails as spam. 
That number should actually be higher, but Fail2Ban does not allow a 
number of messages in due to the firewall blocks, so those don't get 
figured in to that total. Spamhaus is perfect in blocking IP addresses 
that positively were used to send spam, but dynamic addresses do get 
caught creating some false positives.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions