
Question: Huge attack on mailbox

daanse

Regular Pleskian
Hi,

On one of our SSD servers, there was a spam-sending problem last week.
The client had some viruses on their PC, and a spammer logged in with the password to that client's mailbox.
After we changed the password, this botnet permanently ran against this mailbox, and after 36 hours it looked like it had stopped the attack.
But today I saw it just got a little slower, and we now have nearly 5k IP addresses around the world trying to access that one mailbox.

Does anyone have any tip what we can do? We already reported this to some federal buildings and yeah.
I can see that the password length is 9.
Can I find out if they are using different passwords, like brute force? Or some other helpful information?

We also set up some lookups for coordinates, hosts and city ..... but we have problems with the amount of IPs coming together. I also stripped away duplicates. So these are real 5k IPs .....

Code:
Sep 12 11:53:10 ssd plesk_saslauthd[18018]: failed mail authentication attempt for user '[email protected]' (password len=9)
Sep 12 11:53:10 ssd postfix/smtpd[3987]: warning: SASL authentication failure: Password verification failed
Sep 12 11:53:10 ssd postfix/smtpd[3987]: warning: unknown[180.244.233.175]: SASL PLAIN authentication failed: authentication failure
Sep 12 11:53:11 ssd postfix/smtpd[3987]: lost connection after AUTH from unknown[180.244.233.175]
Sep 12 11:53:11 ssd postfix/smtpd[3987]: disconnect from unknown[180.244.233.175]

Any ideas what we can do?
Actually it's not disturbing the server. It's about 10% CPU, maybe a little less than 10%......
 

Attachments: karte.jpg
You can use free and paid subscription blackhole lists with your server.

To switch on spam protection based on DNSBL:

  1. Go to Tools & Settings > Mail Server Settings (in the Mail group).
  2. Select the Switch on spam protection based on DNS blackhole lists checkbox.
  3. In the DNS zones for DNSBL service input box, specify the host name that your mail server should query, for example: sbl.spamhaus.org.
  4. Click OK.

Have a look here for the lists.
 
There are several things you can think about, like fail2ban together with IPSet for example, to block the failed mail authentication attempts.
There are some forum threads around about fail2ban together with IPSet, because you mentioned that you see 5K IPs already.


Unfortunately MagicSpam freemium isn't available, but the paid extension is; this might also help to avoid such things. See also DNS Blackhole Lists.
 
You can use free and paid subscription blackhole lists with your server.

To switch on spam protection based on DNSBL:...

Thank you, but actually I have no problem with spam.
Only problems with having a stupid botnet trying to access Fail2Ban.
@sebgonzes - F2B already turned to 3 fails back and over 1.5 days.
With this I was able to track down 5k IPs, which seems to be a new botnet (regarding the federals).

My only problem: Fail2Ban will go crazy someday?!
 
So with a DNSBL the attacker would not even be able to TRY a connection, as he will be directly refused?
We have set up some RBLs in MagicSpam, but on this server it's the free MagicSpam, not the PAID version.
 
A Domain Name System-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is an effort to stop email spamming. It is a "blacklist" of locations on the Internet reputed to send email spam. The locations consist of IP addresses which are most often used to publish the addresses of computers or networks linked to spamming; most mail server software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists. The term "Blackhole List" is sometimes interchanged with the term "blacklist" and "blocklist".

A DNSBL is a software mechanism, rather than a specific list or policy. There are dozens of DNSBLs in existence,[1] which use a wide array of criteria for listing and delisting of addresses. These may include listing the addresses of zombie computers or other machines being used to send spam, Internet service providers (ISPs) who willingly host spammers, or those which have sent spam to a honeypot system.


- Wikipedia
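The question above is about what a DNSBL check actually does on the wire. The following is an added example, not from the thread, from Plesk or from Wikipedia: it builds the query name a DNSBL client looks up (the IPv4 octets reversed, followed by the list's zone) and interprets the answer the way a mail server's check does, treating only a 127.0.0.x record as a listing. The zone name and the IP addresses are placeholders, and the resolver is injectable so the block runs offline. In Postfix the corresponding setting is reject_rbl_client in smtpd_client_restrictions; with the default smtpd_delay_reject = yes, Postfix evaluates client restrictions at RCPT TO, so a listed client can still open a connection and send AUTH before it is rejected.

```python
import ipaddress
import socket

# Placeholder zone name; a real deployment would use a list's published
# zone, such as the sbl.spamhaus.org example mentioned earlier in the thread.
EXAMPLE_ZONE = "dnsbl.example.invalid"


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client looks up: the IPv4 octets in reverse
    order followed by the list's zone (192.0.2.10 -> 10.2.0.192.<zone>)."""
    addr = ipaddress.IPv4Address(ip)           # ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_lookup(ip, zone, resolve=socket.gethostbyname):
    """Return the list's answer address (a 127.0.0.x code) if ip is listed,
    or None if the zone has no record for it.

    `resolve` is the name-to-address function; the default performs a real
    DNS query, and make_fake_resolver() below supplies an offline stand-in.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return None                             # NXDOMAIN: not listed
    # Genuine listings answer inside 127.0.0.0/8; anything else (for example a
    # wildcard answer from a captive resolver) must not count as a listing.
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return answer
    return None


def make_fake_resolver(listed):
    """Offline replacement for socket.gethostbyname backed by a dict of
    query name -> answer; unknown names raise gaierror like a real NXDOMAIN."""
    def resolve(name):
        if name in listed:
            return listed[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


if __name__ == "__main__":
    # Constructed data: 192.0.2.10 is listed with code 127.0.0.2, 198.51.100.7 is not.
    fake = make_fake_resolver(
        {dnsbl_query_name("192.0.2.10", EXAMPLE_ZONE): "127.0.0.2"}
    )
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "listed as", dnsbl_lookup(ip, EXAMPLE_ZONE, resolve=fake))
```

To query a real list, call dnsbl_lookup() without the resolve argument; the default resolver then performs the DNS lookup against whatever resolver the host is configured to use.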
 
Do we talk about the same thing? You saw my little maillog snippet?
I want to relieve F2B somehow, or ask for some other ideas. But this is not about spam incoming or outgoing, except for getting spammed with login fails.
 
Is there some way to figure out which passwords the attacker tries to use?
It's plain though...

And does anyone have a regex for tracking a specific mailbox, as the attacker now just runs 1-2 logins and then changes IP?
And if he tries just 1 fail, it's bad to have F2B trigger for everyone with just 1 fail.

Understand?
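The two questions above (which passwords are tried, and a regex for one mailbox) run into a property of the log snippet in the first post: the plesk_saslauthd line names the mailbox and records only the password length, while the client address appears on the following postfix/smtpd warning, so neither line alone ties a mailbox to an IP. The following is an added example, not code from the thread or from Plesk or fail2ban, that correlates the two lines and then counts failures per mailbox rather than per IP, which is the view that exposes a distributed attack when each source fails only once or twice. The log lines, mailbox names and IP addresses are constructed; the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Patterns modelled on the log format shown in the first post.  The saslauthd
# line carries the mailbox and password length but no client address; the
# smtpd warning carries the client address but no mailbox.
SASL_FAIL = re.compile(
    r"plesk_saslauthd\[\d+\]: failed mail authentication attempt for user "
    r"'(?P<user>[^']+)' \(password len=(?P<pwlen>\d+)\)"
)
SMTPD_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: "
    r"SASL \w+ authentication failed"
)

# Constructed sample (not data from the thread): three sources each fail once
# against one mailbox, and a fourth source fails once against another.
SAMPLE_LOG = """\
Sep 12 11:53:10 ssd plesk_saslauthd[18018]: failed mail authentication attempt for user 'victim@example.com' (password len=9)
Sep 12 11:53:10 ssd postfix/smtpd[3987]: warning: SASL authentication failure: Password verification failed
Sep 12 11:53:10 ssd postfix/smtpd[3987]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Sep 12 11:53:11 ssd postfix/smtpd[3987]: lost connection after AUTH from unknown[192.0.2.10]
Sep 12 11:53:40 ssd plesk_saslauthd[18018]: failed mail authentication attempt for user 'victim@example.com' (password len=9)
Sep 12 11:53:40 ssd postfix/smtpd[3988]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Sep 12 11:54:02 ssd plesk_saslauthd[18018]: failed mail authentication attempt for user 'other@example.com' (password len=12)
Sep 12 11:54:02 ssd postfix/smtpd[3989]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Sep 12 11:54:30 ssd plesk_saslauthd[18018]: failed mail authentication attempt for user 'victim@example.com' (password len=9)
Sep 12 11:54:30 ssd postfix/smtpd[3990]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
"""


def correlate_failures(log_text):
    """Pair each saslauthd failure with the smtpd warning logged right after
    it, yielding (mailbox, client_ip, password_length) tuples."""
    events = []
    pending = None
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            pending = (m.group("user"), int(m.group("pwlen")))
            continue
        m = SMTPD_FAIL.search(line)
        if m and pending is not None:
            user, pwlen = pending
            events.append((user, m.group("ip"), pwlen))
            pending = None
    return events


def summarize_by_mailbox(events):
    """Attempts, distinct sources and observed password lengths per mailbox."""
    summary = defaultdict(lambda: {"attempts": 0, "ips": set(), "pwlens": set()})
    for user, ip, pwlen in events:
        s = summary[user]
        s["attempts"] += 1
        s["ips"].add(ip)
        s["pwlens"].add(pwlen)
    return dict(summary)


def per_ip_ban_candidates(events, maxretry=3):
    """Sources a per-IP rule (the way fail2ban counts) would ban."""
    counts = defaultdict(int)
    for _, ip, _ in events:
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


def distributed_targets(summary, min_sources=3):
    """Mailboxes hit from at least min_sources distinct IPs; this is what a
    per-IP threshold misses when every source stays below maxretry."""
    return sorted(u for u, s in summary.items() if len(s["ips"]) >= min_sources)


def mailbox_filter(mailbox):
    """Regex matching only the saslauthd failure lines for one mailbox.  The
    line has no client address, so on its own it can count attempts but
    cannot identify the source."""
    return re.compile(
        r"failed mail authentication attempt for user '" + re.escape(mailbox) + r"'"
    )


if __name__ == "__main__":
    events = correlate_failures(SAMPLE_LOG)
    summary = summarize_by_mailbox(events)
    for user, s in summary.items():
        print(f"{user}: {s['attempts']} failures from {len(s['ips'])} IPs, "
              f"password lengths {sorted(s['pwlens'])}")
    print("per-IP bans (maxretry=3):", per_ip_ban_candidates(events))
    print("distributed targets:", distributed_targets(summary))
```

Run against a real maillog by passing the file contents to correlate_failures(); the pairing relies on the saslauthd line preceding its smtpd warning, which holds for the sequential log shown in the first post but should be checked on a busy server where several smtpd processes interleave.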
 
Since you already have fail2ban running, there isn't much else you can do except reducing the number of attempts in fail2ban for mail logins, and lengthen the time it bans people.. just wait and the botnet will eventually give up. Been there, done that.. still have a company :)
 
I have set my fail2ban to:
IP address ban period: 28800 seconds (8 hours)
Time interval for detection of subsequent attacks: 7200 seconds (2 hours)
Number of failures before the IP address is banned: 6

So it shut up for a while :)
 
There is a separate thread related to Brute Force Attacks HERE. We have commented out the same line that's mentioned in the thread. Works very well for us. YMMV depending on server setups etc., but it's worth a read.
 