
Stopping these attacks


bobcat
The last few nights we've been getting attacked by someone that will send a message to random names@ourdomain.com to both our mail servers. Here's an example snip of the log; this is repeated with each attack from different IPs about 10 times a night.

Dec 18 20:21:29 mail sendmail[4089]: gBJ1LS904089: <marketing@ourdomain.com>... User unknown
Dec 18 20:21:30 mail sendmail[4089]: gBJ1LS904089: <nick@ourdomain.com>... User unknown
Dec 18 20:21:31 mail sendmail[4089]: gBJ1LS904089: <don@ourdomain.com>... User unknown
Dec 18 20:21:31 mail sendmail[4089]: gBJ1LS904089: <andy@ourdomain.com>... User unknown
Dec 18 20:21:32 mail sendmail[4089]: gBJ1LS904089: <rich@ourdomain.com>... User unknown
Dec 18 20:21:33 mail sendmail[4089]: gBJ1LS904089: <sam@ourdomain.com>... User unknown
Dec 18 20:21:34 mail sendmail[4089]: gBJ1LS904089: <ron@ourdomain.com>... User unknown
Dec 18 20:21:35 mail sendmail[4089]: gBJ1LS904089: <james@ourdomain.com>... User unknown
Dec 18 20:21:36 mail sendmail[4089]: gBJ1LS904089: <doug@ourdomain.com>... User unknown
Dec 18 20:21:37 mail sendmail[4089]: gBJ1LS904089: <ken@ourdomain.com>... User unknown
Dec 18 20:21:37 mail sendmail[4089]: gBJ1LS904089: <randy@ourdomain.com>... User unknown
Dec 18 20:21:38 mail sendmail[4089]: gBJ1LS904089: <fred@ourdomain.com>... User unknown
Dec 18 20:21:40 mail sendmail[4089]: gBJ1LS904089: <phil@ourdomain.com>... User unknown
Dec 18 20:21:40 mail sendmail[4089]: gBJ1LS904089: <6aadL5769I33410d@ourdomain.com>... User unknown
Dec 18 20:21:41 mail sendmail[4089]: gBJ1LS904089: <alan@ourdomain.com>... User unknown
Dec 18 20:21:42 mail sendmail[4089]: gBJ1LS904089: <lee@ourdomain.com>... User unknown
Dec 18 20:21:43 mail sendmail[4089]: gBJ1LS904089: <contact@ourdomain.com>... User unknown
Dec 18 20:21:44 mail sendmail[4089]: gBJ1LS904089: <larry@ourdomain.com>... User unknown
Dec 18 20:21:44 mail sendmail[4089]: gBJ1LS904089: <pete@ourdomain.com>... User unknown
Dec 18 20:21:45 mail sendmail[4089]: gBJ1LS904089: <craig@ourdomain.com>... User unknown
Dec 18 20:21:46 mail sendmail[4089]: gBJ1LS904089: <matt@ourdomain.com>... User unknown
Dec 18 20:21:46 mail sendmail[4089]: gBJ1LS904089: <jack@ourdomain.com>... User unknown
Dec 18 20:21:47 mail sendmail[4089]: gBJ1LS904089: <chuck@ourdomain.com>... User unknown
Dec 18 20:21:48 mail sendmail[4089]: gBJ1LS904089: from=<rdkwate3@yahoo.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=80-24-153-96.uc.nombres.ttd.es [80.24.153.96]

Is there some way, after x errors in a connection, to drop the connection, or even better, if you have too many errors, to call an external program, i.e. a script that will add that IP to the firewall's blocked IP list?

And, just a suggestion to those who have 'catchall' addresses on their domains, you might want to rethink that since if I would've had one every one of these messages would've gone through to that address :|

Thanks,
Todd
 
Heh, right after I got done writing that message I looked at my firewall window and it seems they're at it again. Except I had just put all the IPs from last night into the blocked list on the firewall, so they were all blocked.
 
I believe this line in your /etc/sendmail.cf will prevent people from querying your server for needless info:

# privacy flags
O PrivacyOptions=authwarnings,noexpn,novrfy,goaway
 
Quick thinking, but the problem is (been there, done that) that as word gets around about an open relay, more and more people will be logging in to send spam from you, which could at some point get you blacklisted. Not to mention cause your firewall scripts to become HUGE just for the added SMTP blocks.

What I would suggest is either 'POPAUTH' which you can get more information on from or 'pop-before-smtp'
What these do is authenticate the user by his POP login; then they get a time limit in which the system will allow them to send mail (usually 20-30 min). Since most people check their mail at regular intervals, there shouldn't be any problem.

I use "pop-before-smtp"; it's rather simple to set up, and works great.

Hope this helps

KC
 
I'm not sure that this is the problem. These 'attacks' seem to be trying to send mail to a local user by guessing the username. We already had pop-before-smtp installed and I've recently switched from that to SMTP AUTH which seems to work even better.

I don't think it's a case of open relay, but someone trying to find out a username or send mail/spam to a local user. What I was looking for was some way to drop a connection after x number of errors.

And I checked my sendmail.cf for Edcrosby's suggested line, and I had effectively the same thing already there.
 
Perhaps they are blacklisted spammers already; check out I have that on my server, and it bounces about 100+ emails a day.
 
This very type of attack plagued one of my domains from mid-Nov to late Dec 2002. Then it just stopped. Like you found, they were hitting 30 or so names on my domain, every day at least, trying to find a valid one to relay through. I had set proper safeguarding to prevent relaying, so all appeared unsuccessful. Then more recently someone apparently changed the password on the account on that domain, as I couldn't fetch mail till I changed passwords on the server and client; then all worked. They changed it again a few days later and I shut down the email domain completely.

I wouldn't be surprised if all the hacking came from some trolls on this site. Be careful what you reveal here. Newposter
"Good judgment comes from experience. Experience comes from bad judgment."
 
You've really only got 2 or 3 choices there.

I think anybody running an email server has that kind of fun at one time or another.

I haven't found any one solution that fixes all of the potential concerns. What I've found to work is setting up all email sent to an invalid user to be forwarded to a dummy account, at which point it's deleted throughout the day, along with running pop-before-smtp.

I've noticed a big difference..

No open relays, hosted clients can send/receive no matter where they are located, and nobody's able to tell a valid email from a non-existent account.

Now! if we can get congress to pass a bill allowing collection of fees for any and all un-requested 'spam' .. I'd be set for life.

*just my 2 cents.

KC
 
I've been having the same problem. I haven't been able to figure out how to get the IP of whoever is doing this. All my logs show are the email addresses they try to send to.

Remember, they're not using the server for spam, yet. They're just looking for valid email addresses by sending an email to every word in some database @mydomain.com and seeing which ones don't bounce back.

How can I get more info about the connections these emails are coming from?
 
postwick: in your log file, locate the log entry for the message in question; it'll be marked 'to:'. Somewhere before that should be a 'from:'; if you read down that line, it should provide you with an IP address. Although this doesn't mean it's actually the IP of the person responsible; it could very well be the IP of the server he's sending the mail through.

KC
 
My log looks exactly like the log in the first message in this post. It just has the date and time, the invalid email address, and "User unknown".

Is there a setting somewhere to tell it to record more information about the connection?

-- Paul
 
Depending on the version of Linux/sendmail you are using, it should be in either "/var/log/messages" or "/var/log/maillog".

You will/should see your mail activity.

#### sample received mail log ####

Mar 1 07:48:43 ###### <~~ snipped server information

sm-mta[498]: h21CmgL9000498: from=<ie-4483988-358_-1319770307@b.fwdml.com>, size=5811, class=0, nrcpts=1, msgid=<637563087.1046522621238.23596636.ie-4483988-358_-1319770307@b.fwdml.comZ_V>, proto=ESMTP, daemon=MTA, relay=mail3.fwdml.com [64.125.180.86] <--- The IP of the "sender's relay"

From time to time, the system may also append "(may be forged)" to the end of the IP.

Look over your logs, search for 'from:' and follow the line all the way to its end; you should see IP information. If not, look over your sendmail configuration; you may need to compile a few parameters into it.

hope this helps.

KC
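To put the two threads of advice above together (the original request to block a source after x "User unknown" errors, and KC's point that the IP only appears on the from=/relay= line with the same queue ID), here is an added example, not code from this thread, that scans sendmail log lines, ties each rejection back to its relay IP via the queue ID, and reports sources over a threshold so a firewall script could act on them. The sample log lines are constructed on the pattern shown earlier in the thread; the hostnames and IPs are made-up documentation values.

```python
import re
from collections import Counter

# Constructed sample, modelled on the sendmail log posted in the thread.
# Hostnames and IPs are made-up documentation values, not real sources.
SAMPLE_LOG = """\
Dec 18 20:21:29 mail sendmail[4089]: gBJ1LS904089: <marketing@ourdomain.com>... User unknown
Dec 18 20:21:30 mail sendmail[4089]: gBJ1LS904089: <nick@ourdomain.com>... User unknown
Dec 18 20:21:31 mail sendmail[4089]: gBJ1LS904089: <don@ourdomain.com>... User unknown
Dec 18 20:21:31 mail sendmail[4089]: gBJ1LS904089: <andy@ourdomain.com>... User unknown
Dec 18 20:21:32 mail sendmail[4089]: gBJ1LS904089: <rich@ourdomain.com>... User unknown
Dec 18 20:21:33 mail sendmail[4089]: gBJ1LS904089: <sam@ourdomain.com>... User unknown
Dec 18 20:21:48 mail sendmail[4089]: gBJ1LS904089: from=<bogus@example.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host.example.net [192.0.2.10] (may be forged)
Dec 18 20:30:02 mail sendmail[4102]: gBJ1U2A04102: <typo@ourdomain.com>... User unknown
Dec 18 20:30:03 mail sendmail[4102]: gBJ1U2A04102: from=<friend@example.org>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.7]
Dec 18 20:31:10 mail sendmail[4110]: gBJ1VAQ04110: from=<ok@example.org>, size=812, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.7]
"""

# A rejection line and the envelope (from=...relay=...) line share the sendmail
# queue ID (e.g. gBJ1LS904089); that ID is what ties "User unknown" to a source IP.
# The envelope line is logged after the rejections, so two passes are needed.
REJECT_RE = re.compile(r'(?:sendmail|sm-mta)\[\d+\]: (\w+): <[^>]*>\.\.\. User unknown')
FROM_RE = re.compile(r'(?:sendmail|sm-mta)\[\d+\]: (\w+): from=<[^>]*>.*?relay=(?:\S+ )?\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def unknown_rcpts_by_ip(lines):
    """Map each relay IP to the number of 'User unknown' rejections it caused."""
    rejects_per_qid = Counter()
    ip_per_qid = {}
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            rejects_per_qid[m.group(1)] += 1
            continue
        m = FROM_RE.search(line)
        if m:
            ip_per_qid[m.group(1)] = m.group(2)
    per_ip = Counter()
    for qid, count in rejects_per_qid.items():
        ip = ip_per_qid.get(qid)  # None if the envelope line was never logged
        if ip:
            per_ip[ip] += count
    return dict(per_ip)


def harvest_sources(lines, threshold=5):
    """Return (ip, count) pairs at or above the threshold, worst offender first."""
    flagged = {ip: n for ip, n in unknown_rcpts_by_ip(lines).items() if n >= threshold}
    return sorted(flagged.items(), key=lambda kv: -kv[1])
```

A single bounced typo from a legitimate mail server (the second queue ID) stays below the threshold, so only the harvesting source is reported; the threshold should be tuned against a few days of your own logs before feeding the result to a firewall script.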

 
Same thing just happened to me today. I stuck the from domain, the relay domain and its IP address in my access list and my hosts.deny. I hate these bastards.
 