Dictionary email attacks not dropping after X attempts
What is the best method to deal with tons of unsolicited email messages from various spam senders all destined to the same email address? I have the server email settings as follows:
Dictionary attack protection:
Block dictionary attacks by dropping and ratelimiting hosts with more than 4 failed recipients
On
Ratelimit incoming connections with only failed recipients
Ratelimit incoming SMTP connections that have only sent to failed recipients five separate connection times in the last hour.
On
Yet with the above settings, nothing is dropped; it just sends back to the sender: "No such person at this address."
and then finally, after 30+ failures: "Number of failed recipients exceeded. Come back in a few hours."
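As an added example (not the OP's configuration and not cPanel's Exim ACL), the script below applies the two thresholds quoted above ("more than 4 failed recipients" and "only failed recipients five separate connection times in the last hour") to a handful of constructed Exim mainlog-style lines, so you can see which hosts each rule would catch. Assumptions: the "rejected RCPT" and "<=" line shapes are approximations of Exim's mainlog format; all rejected recipients from one IP in the same second are treated as one SMTP connection (Exim does not log a connection id on those lines); the IPs, hostnames and addresses are invented and the log is not from a real server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Exim mainlog entries (not from a real server).
#   "rejected RCPT <addr>"   = a recipient the server refused at SMTP time (:fail:)
#   "<= sender ... for addr" = a message accepted for a real mailbox
# IPs are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01 10:00:01 H=(mx1) [203.0.113.5] F=<x@example.net> rejected RCPT <alice@domain.com>: No such person at this address
2024-05-01 10:00:01 H=(mx1) [203.0.113.5] F=<x@example.net> rejected RCPT <bob@domain.com>: No such person at this address
2024-05-01 10:00:01 H=(mx1) [203.0.113.5] F=<x@example.net> rejected RCPT <carol@domain.com>: No such person at this address
2024-05-01 10:00:01 H=(mx1) [203.0.113.5] F=<x@example.net> rejected RCPT <dave@domain.com>: No such person at this address
2024-05-01 10:00:01 H=(mx1) [203.0.113.5] F=<x@example.net> rejected RCPT <erin@domain.com>: No such person at this address
2024-05-01 10:00:01 H=(mx1) [203.0.113.5] F=<x@example.net> rejected RCPT <frank@domain.com>: No such person at this address
2024-05-01 10:01:00 H=(scan) [192.0.2.44] F=<probe@example.net> rejected RCPT <jim@domain.com>: No such person at this address
2024-05-01 10:06:00 H=(scan) [192.0.2.44] F=<probe@example.net> rejected RCPT <joe@domain.com>: No such person at this address
2024-05-01 10:11:00 H=(scan) [192.0.2.44] F=<probe@example.net> rejected RCPT <jon@domain.com>: No such person at this address
2024-05-01 10:16:00 H=(scan) [192.0.2.44] F=<probe@example.net> rejected RCPT <jan@domain.com>: No such person at this address
2024-05-01 10:21:00 H=(scan) [192.0.2.44] F=<probe@example.net> rejected RCPT <jay@domain.com>: No such person at this address
2024-05-01 10:20:00 1s2t3u-000001-AB <= friend@example.org H=(mail.example.org) [198.51.100.7] P=esmtps S=1234 for recipient@domain.com
2024-05-01 10:21:00 H=(mail.example.org) [198.51.100.7] F=<friend@example.org> rejected RCPT <typo@domain.com>: No such person at this address
2024-05-01 08:00:00 H=(old) [192.0.2.9] F=<y@example.net> rejected RCPT <zed@domain.com>: No such person at this address
"""

TS_RE = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
IP_RE = r"\[(?P<ip>[0-9a-fA-F.:]+)\]"
REJECT_RE = re.compile(TS_RE + r" .*?" + IP_RE + r".*? rejected RCPT <(?P<rcpt>[^>]+)>")
ACCEPT_RE = re.compile(TS_RE + r" \S+ <= \S+ .*?" + IP_RE + r".*? for (?P<rcpt>\S+)")

# Reference time for the "last hour" window; a live tool would use datetime.now().
NOW = datetime(2024, 5, 1, 10, 30, 0)


def analyze(log_text, now=NOW, window=timedelta(hours=1), max_failed=4, min_failed_only_conns=5):
    """Classify each sending host seen inside the window.

    Assumption: all rejected RCPTs from one IP in the same second count as one
    SMTP connection (Exim logs no connection id on these lines).
      'drop'      a single connection had more than max_failed failed recipients
      'ratelimit' the host sent to failed recipients only, on at least
                  min_failed_only_conns separate connections in the window
      'ok'        anything else (e.g. a real sender with one typo)
    """
    failed_per_conn = defaultdict(lambda: defaultdict(int))  # ip -> {ts: failed rcpts}
    accepted = defaultdict(int)                               # ip -> accepted rcpts

    for line in log_text.splitlines():
        kind, m = "reject", REJECT_RE.match(line)
        if not m:
            kind, m = "accept", ACCEPT_RE.match(line)
        if not m:
            continue  # neither line shape we care about
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if now - ts > window:
            continue  # older than the window, ignore
        if kind == "reject":
            failed_per_conn[m["ip"]][ts] += 1
        else:
            accepted[m["ip"]] += 1

    verdicts = {}
    for ip in set(failed_per_conn) | set(accepted):
        conns = failed_per_conn[ip]
        worst_conn = max(conns.values(), default=0)
        if worst_conn > max_failed:
            verdicts[ip] = "drop"
        elif accepted[ip] == 0 and len(conns) >= min_failed_only_conns:
            verdicts[ip] = "ratelimit"
        else:
            verdicts[ip] = "ok"
    return verdicts


def run_sample():
    """Verdicts for the constructed log at NOW."""
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, verdict in sorted(run_sample().items()):
        print(f"{ip:16} {verdict}")
```

On the constructed data the burst host (6 rejected recipients in one connection) gets "drop", the slow scanner (5 connections, one bad recipient each, nothing accepted) gets "ratelimit", the legitimate sender with one typo stays "ok", and the entry from two and a half hours earlier falls outside the window. Note that the "ratelimit" rule never fires for a host that also delivered to a real mailbox, which is why a catch-all default address that accepts everything can keep the protection from triggering.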
What does your default address look like for this domain?
It is (obfuscated): recipient@domain.com. But the spammer keeps sending to varies@domain.com, where "varies" changes all the time to different dictionary names and domain.com stays the same.
I think she meant what the setting was to handle unrouted mail, not so much what the actual address was.
I'm not too familiar with the dictionary attack protection, but it's possible that if your default address is set to anything but :fail:, it might not be triggering since the email is just being forwarded to another user.
Are you referring to the settings in WHM (not cPanel)? "Initial default/catch-all forwarder destination: Forwarding destination for a new account's catch-all/default address. (Users may modify this value via the Default Address interface in cPanel.) "Fail" rejects the message and notifies the remote SMTP server. This is usually the best choice if you are getting mail attacks. "Blackhole" accepts and processes the message but then silently discards it. This avoids notifying the remote SMTP server but violates SMTP RFC 5321 and generally should not be used."
The language in the above explanation confuses me: what is being forwarded? A malicious user is attempting to send email to a non-existent account as a probe to find out what the real email addresses on this server are. What am I missing?
cPanel >> Email >> Default Address. If the default address for this account is set to anything but :fail: or :blackhole:, any unrouted (non-existent user) email will be forwarded to the user/email specified. :fail: will bounce the email, :blackhole: just silently discards it. You generally want to set this to :fail:. If you find that this is already set, I don't really have any other ideas for you, unfortunately. If you think the dictionary protection is not working as intended, best to open a ticket so cPanel can investigate.
In cPanel I have set, for the default domain, which is the one receiving these hits:
Send all unrouted email for the following domain: domain.com
Current Setting: :fail: deleted
Discard the email while your server processes it by SMTP time with an error message.
Failure Message (seen by sender): deleted
Okay. Thanks, I'll dig deeper. Appreciate the insight.
This is more commonly known as a "Directory Harvest Attack": "A Directory Harvest Attack or DHA is a technique used by spammers to find valid/existent email addresses at a domain, either by brute force or by guessing valid e-mail addresses at a domain using different permutations of common usernames. It's easy for attackers to get hold of a valid email address if your organization uses a standard format for official e-mail aliases,"
It can be blocked using two methods together: "By Sender Verification" and "By IP Reputation". Usually these attacks come from nonexistent origin email accounts and/or blacklisted IPs.

(1) WHM -> Service Configuration -> Exim Configuration Manager
"Sender Verification" = ON
"Sender Verification Callouts" = ON (optional, because it gives some false positives)
"RBL: bl.spamcop.net" = ON
"RBL: zen.spamhaus.org" = ON
Any other custom RBL like Abusix, Barracuda and RATSDyna would be ideal to have.

(2) WHM -> Server Configuration -> Tweak Settings -> Email
"Initial default/catch-all forwarder destination" = Blackhole (if you want to apply it globally for all domains)
or cPanel -> Email -> "Default Address" = :blackhole: (if you want to apply it locally for a single domain)

The second part is temporarily needed because at this moment WHM 112.0.3 hasn't fixed an issue with their Exim RBL rules being processed after the alias check, which doesn't block the connection of a blacklisted IP when Sender Verification passes, allowing this kind of attack. Internal case created after we reported it last month: CPANEL-42825
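The thread turns on what a harvester learns from the RCPT-stage reply under each default-address policy discussed above (:fail:, :blackhole:, or forwarding to a real mailbox). As an added illustration, not cPanel's or Exim's code, the simulation below plays both sides of that exchange for a constructed mailbox list and a constructed probe list; the reply texts, mailbox names and probe names are assumptions, with the 550 text taken from the OP's quoted failure message.

```python
# Simulated RCPT TO handling for the three cPanel default-address policies
# named in this thread, seen from a directory-harvest probe.
# Added example; mailbox list and probe names are constructed.

REAL_MAILBOXES = {"recipient@domain.com", "sales@domain.com"}  # constructed


def rcpt_reply(address, policy):
    """Return (smtp_code, reply_text, disposition) for RCPT TO:<address>.

    policy ':fail:'       unknown users get a 550 at SMTP time (the OP's setting)
    policy ':blackhole:'  unknown users get 250, the message is then discarded
    any other value       treated as a catch-all forwarding address: unknown
                          users get 250 and the message lands in that mailbox
    """
    if address in REAL_MAILBOXES:
        return 250, "Accepted", f"deliver to {address}"
    if policy == ":fail:":
        return 550, "No such person at this address", "rejected"
    if policy == ":blackhole:":
        return 250, "Accepted", "discarded"
    return 250, "Accepted", f"forwarded to {policy}"


def harvest(policy, probes):
    """Run the probes; return the addresses a harvester would mark valid (2xx)
    plus the client/server transcript."""
    found = set()
    transcript = []
    for addr in probes:
        code, text, _ = rcpt_reply(addr, policy)
        transcript.append(f"C: RCPT TO:<{addr}>")
        transcript.append(f"S: {code} {text}")
        if 200 <= code < 300:
            found.add(addr)
    return found, transcript


# Constructed dictionary-style probes, two of which hit real mailboxes.
PROBES = ["admin@domain.com", "sales@domain.com", "john@domain.com", "recipient@domain.com"]


if __name__ == "__main__":
    for policy in (":fail:", ":blackhole:", "recipient@domain.com"):
        found, lines = harvest(policy, PROBES)
        print(f"policy {policy}: harvester learns {sorted(found)}")
        print("\n".join(lines))
```

Under :fail: the 550/250 split tells the harvester exactly which two addresses exist; under :blackhole: and under a catch-all forward every probe gets 250, so the harvester learns nothing, at the cost of accepting and then discarding (or delivering to the catch-all user) every probe, which is the trade-off the WHM help text describes.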
Thank you @hostingmundial, this is very useful!
;)
I've noticed in my logs that the following senders are being tagged as "sender verified failed" for emails sent to my DMARC reports. I'm pretty sure these two are legitimate senders because I've seen them in the past as legitimate DMARC reports: mail-dm3nam02on2069.outbound.protection.outlook.com and mail-qv1-f73.google.com. Thoughts? Thanks!