Dictionary email attacks not dropping after X attempts

13 comments

  • vanessa
    What does your default address look like for this domain?
  • jeffschips
    It is (obfuscated): recipient@domain.com
    But the spammer keeps sending to: varies@domain.com
    "varies" changes all the time to different dictionary names, and the domain.com stays the same.
  • cPRex Jurassic Moderator
    I think she meant what the setting was to handle unrouted mail, not so much what the actual address was.
  • vanessa
    I'm not too familiar with the dictionary attack protection, but it's possible that if your default address is set to anything but :fail:, it might not be triggering since the email is just being forwarded to another user.
  • jeffschips
    Are you referring to the settings in WHM (not cPanel)?

        Initial default/catch-all forwarder destination
        Forwarding destination for a new account's catch-all/default address. (Users may modify this value via the Default Address interface in cPanel.) "Fail" rejects the message and notifies the remote SMTP server. This is usually the best choice if you are getting mail attacks. "Blackhole" accepts and processes the message but then silently discards it. This avoids notifying the remote SMTP server but violates SMTP RFC 5321 and generally should not be used.

    The language in the above explanation confuses me: what is being forwarded? A malicious user is attempting to send email to a non-existent account as a probe to find out what the real email addresses on this server are... what am I missing?
  • vanessa
    cPanel >> Email >> Default Address. If the default address for this account is set to anything but :fail: or :blackhole:, any unrouted (non-existent user) email will be forwarded to the user/email specified. :fail: will bounce the email, :blackhole: just silently discards it. You generally want to set this to :fail:. If you find that this is already set, I don't really have any other ideas for you, unfortunately. If you think the dictionary protection is not working as intended, it's best to open a ticket so cPanel can investigate.
  • jeffschips
    In cPanel I have set, for the default domain (which is the one receiving these hits):

        Send all unrouted email for the following domain: domain.com
        Current Setting: :fail: deleted
        Discard the email while your server processes it by SMTP time with an error message.
        Failure Message (seen by sender): deleted
  • jeffschips
    Okay. Thanks I'll dig deeper. Appreciate the insight.
  • hostingmundial
    This is more commonly known as a "Directory Harvest Attack":

        A Directory Harvest Attack or DHA is a technique used by spammers to find valid/existent email addresses at a domain, either by using brute force or by guessing valid e-mail addresses at a domain using different permutations of common usernames. It's easy for attackers to get hold of a valid email address if your organization uses a standard format for official e-mail aliases.

    It can be blocked using two methods together: "By Sender Verification" and "By Reputation IP". Usually these attacks come from nonexistent origin email accounts and/or blacklisted IPs.

    (1) WHM -> Service Configuration -> Exim Configuration Manager
        "Sender Verification" = ON
        "Sender Verification Callouts" = ON (optionally, because it gives some false positives)
        "RBL: bl.spamcop.net" = ON
        "RBL: zen.spamhaus.org" = ON
        Any other custom RBL like Abusix, Barracuda and RATSDyna would be ideal to have.

    (2) WHM -> Server Configuration -> Tweak Settings -> Email
        "Initial default/catch-all forwarder destination" = Blackhole (if you want to apply it globally for all domains)
        or cPanel -> Email -> "Default Address" = :blackhole: (if you want to apply it locally for a single domain)

    The second part is temporarily needed because at this moment WHM 112.0.3 hasn't fixed an issue with their Exim RBL rules being processed after the alias check, which doesn't block the connection of a blacklisted IP when Sender Verification passes, allowing this kind of attack. Internal case created after we reported it last month: CPANEL-42825
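The two checks discussed in this thread (is the domain's catch-all really :fail:, and is one connecting IP probing many unrouted names) can be scripted from a shell on the server. The script below is an added example written for this page; it is not cPanel's code and not any poster's. It assumes that /etc/valiases/<domain> carries the catch-all as a line of the form `*: :fail: No Such User Here`, and that cPanel's exim_mainlog reject lines look roughly like the constructed sample embedded here (`[ip]:port ... rejected RCPT <user@domain>: No Such User Here`); both layouts are assumptions, so adjust the patterns to what your own files show.

```shell
#!/bin/sh
# Added example for this thread (not cPanel's code or any poster's): two checks a
# cPanel admin can run from a shell when a domain is under a directory harvest attack.
#  1. catchall_setting / catchall_class - read the "*" (catch-all) entry of a
#     /etc/valiases/<domain> file and report whether it is :fail:, :blackhole: or a forward.
#  2. dha_suspects - count DISTINCT unrouted recipients per connecting IP in
#     exim_mainlog-style "No Such User Here" rejects.
# The valiases text and log lines below are constructed; their layouts are assumptions
# that only approximate cPanel's real formats.

# Constructed stand-in for /etc/valiases/domain.com (one forwarder plus the catch-all).
SAMPLE_VALIASES='recipient@domain.com: recipient@domain.com
*: :fail: No Such User Here'

# Print the destination of the "*" line: ":fail:", ":blackhole:" or a forwarding address.
catchall_setting() {
    printf '%s\n' "$1" | awk '$1 == "*:" { print $2; exit }'
}

# Classify the catch-all so other scripts can branch on it: fail / blackhole / forward / none.
# "forward" is the case vanessa describes: unrouted mail is delivered to a mailbox instead
# of being rejected, so the probe never fails at SMTP time.
catchall_class() {
    case "$(catchall_setting "$1")" in
        ':fail:')      echo fail ;;
        ':blackhole:') echo blackhole ;;
        '')            echo none ;;
        *)             echo forward ;;
    esac
}

# Constructed exim_mainlog excerpt: one IP probing dictionary names (with one repeat),
# one IP with a single mistyped recipient, and one accepted delivery that must be ignored.
SAMPLE_LOG='2024-05-01 10:00:01 H=(mx.example.net) [203.0.113.5]:41022 F=<alice@example.net> rejected RCPT <john@domain.com>: No Such User Here
2024-05-01 10:00:02 H=(mx.example.net) [203.0.113.5]:41023 F=<alice@example.net> rejected RCPT <mary@domain.com>: No Such User Here
2024-05-01 10:00:02 H=(mx.example.net) [203.0.113.5]:41024 F=<alice@example.net> rejected RCPT <john@domain.com>: No Such User Here
2024-05-01 10:00:03 H=(mx.example.net) [203.0.113.5]:41025 F=<alice@example.net> rejected RCPT <sales@domain.com>: No Such User Here
2024-05-01 10:00:04 H=(mx.example.net) [203.0.113.5]:41026 F=<alice@example.net> rejected RCPT <info@domain.com>: No Such User Here
2024-05-01 10:01:10 H=(mail.partner.example) [198.51.100.9]:55010 F=<bob@partner.example> rejected RCPT <recipent@domain.com>: No Such User Here
2024-05-01 10:02:00 1rABCD-0001Ab-2C <= bob@partner.example H=(mail.partner.example) [198.51.100.9]:55011 for recipient@domain.com'

# Print "count ip" for each IP whose number of DISTINCT rejected recipients is >= $2,
# highest first. Repeated probes of the same name count once, so a legitimate sender
# retrying one mistyped address is not mistaken for a harvester.
dha_suspects() {
    printf '%s\n' "$1" | awk -v t="$2" '
        /rejected RCPT/ && /No Such User Here/ {
            ip = ""; rcpt = ""
            for (i = 1; i <= NF; i++) {
                # "[203.0.113.5]:41022" -> "203.0.113.5"
                if ($i ~ /^\[[0-9.]+\]/) { ip = $i; sub(/^\[/, "", ip); sub(/\].*/, "", ip) }
                # "<john@domain.com>:" -> "john@domain.com"
                if ($i == "RCPT") { rcpt = $(i + 1); gsub(/[<>:]/, "", rcpt) }
            }
            if (ip != "" && rcpt != "" && !seen[ip, rcpt]++) distinct[ip]++
        }
        END { for (ip in distinct) if (distinct[ip] >= t) print distinct[ip], ip }
    ' | sort -rn
}

# Stand-alone run: report the catch-all class and any IP that probed 3 or more names.
echo "catch-all: $(catchall_class "$SAMPLE_VALIASES")"
dha_suspects "$SAMPLE_LOG" 3
```

On a live server replace the constructed strings with `"$(cat /etc/valiases/domain.com)"` and `"$(grep 'No Such User Here' /var/log/exim_mainlog)"`; the IP that tops the list is the one to feed to your firewall or RBL review, while a single-recipient entry like 198.51.100.9 above is the typo case you do not want to block.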
  • jeffschips
    Thank you @hostingmundial this is very useful!
  • hostingmundial
    ;)
  • jeffschips
    I've noticed in my logs that the following senders are being tagged as "sender verify failed" for emails sent to my DMARC reports address. I'm pretty sure these two are legitimate senders because I've seen them in the past as legitimate DMARC reports:

        mail-dm3nam02on2069.outbound.protection.outlook.com
        mail-qv1-f73.google.com

    Thoughts? Thanks!
  • jeffschips
    deleted