SMTP attack lasting for months. What can I do?
I see a constant parade of entries like this in exim_mainlog:
2013-12-19 04:41:15 SMTP connection from [202.164.47.101]:63433 (TCP/IP connection count = 51)
2013-12-19 04:41:15 SMTP connection from [91.150.70.52]:10056 (TCP/IP connection count = 52)
2013-12-19 04:41:15 SMTP connection from [122.167.40.0]:28753 lost
2013-12-19 04:41:15 SMTP connection from 36.65.2.109.rev.sfr.net [109.2.65.36]:63299 lost
2013-12-19 04:41:15 no IP address found for host static-dsl.nesma.net.sa (during SMTP connection from [85.129.205.35]:55490)
2013-12-19 04:41:15 SMTP connection from [82.80.164.41]:50177 (TCP/IP connection count = 51)
2013-12-19 04:41:15 SMTP connection from [88.215.44.129]:61336 (TCP/IP connection count = 52)
2013-12-19 04:41:15 no host name found for IP address 88.215.44.129
2013-12-19 04:41:15 SMTP connection from [2.146.82.74]:54857 (TCP/IP connection count = 53)
2013-12-19 04:41:15 no host name found for IP address 2.146.82.74
2013-12-19 04:41:15 SMTP connection from (00011ed8.fxzooterpion.us) [31.14.23.131]:53157 closed by QUIT
2013-12-19 04:41:15 no host name found for IP address 91.150.70.52
2013-12-19 04:41:16 SMTP connection from smtp-out.vclk.net [64.70.58.135]:29156 closed by QUIT
2013-12-19 04:41:16 SMTP connection from [89.91.237.135]:60371 (TCP/IP connection count = 52)
2013-12-19 04:41:16 no host name found for IP address 202.164.47.101
2013-12-19 04:41:16 SMTP connection from [101.59.153.182]:53997 (TCP/IP connection count = 53)
2013-12-19 04:41:16 no host name found for IP address 101.59.153.182
2013-12-19 04:41:16 SMTP connection from [173.184.61.186]:37823 (TCP/IP connection count = 54)
2013-12-19 04:41:16 SMTP call from h186.61.184.173.static.ip.windstream.net [173.184.61.186]:37823 dropped: too many syntax or protocol errors (last command was ""."rR{"_"RStg"?ZQ:""=V""W#qn[""!\""I"":****""_"EW}a"b""P""`")
2013-12-19 04:41:16 SMTP connection from [122.255.14.57]:2444 (TCP/IP connection count = 54)
2013-12-19 04:41:16 SMTP connection from [139.190.182.242]:17123 (TCP/IP connection count = 55)
2013-12-19 04:41:16 SMTP connection from [88.209.85.27]:21783 (TCP/IP connection count = 56)
2013-12-19 04:41:16 SMTP connection from [91.239.218.134]:48311 (TCP/IP connection count = 57)
2013-12-19 04:41:16 SMTP connection from [62.28.160.151]:55656 lost
2013-12-19 04:41:16 SMTP connection from [217.133.103.149]:50821 (TCP/IP connection count = 57)
2013-12-19 04:41:16 SMTP connection from ocs.co.id [202.169.35.82]:19153 lost
2013-12-19 04:41:16 SMTP connection from [113.169.35.235]:34844 (TCP/IP connection count = 57)
2013-12-19 04:41:16 SMTP connection from [111.240.25.98]:25178 (TCP/IP connection count = 58)

Obviously these are attacks against our email server. Is there anything else I can do, other than limit the number of max connections in the exim config? I've also switched on the new exim syntax error blocking in CSF. But how long can this sort of thing continue? We've seen this ever since I installed this new server back in October.
Hello :) There is a thread similar to this at: Sustained Exim Attack. Thank you.
[quote="cPanelMichael, post: 1533302"]Hello :) There is a thread similar to this at: Sustained Exim Attack. Thank you.[/quote]

The other topic mentions a custom CSF rule and, later on, a new option in CSF for syntax or protocol errors (LF_EXIMSYNTAX). This is not helpful in my own case. I have similar entries in my exim_mainlog to the topic starter here, and the server was hit with this yesterday by one IP for about half an hour. The entries are 5148 in total for this IP for half an hour.

2013-12-18 16:48:52 SMTP connection from [37.0.121.137]:60522 (TCP/IP connection count = 1)
[...]
2013-12-18 17:20:47 SMTP connection from [37.0.121.137]:52942 (TCP/IP connection count = 8)
Beyond limiting the number of connections permitted with Exim, it's really a matter of implementing custom firewall rules to block the attack. It's not something that the cPanel/WHM software will be able to mitigate. Thank you.
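To turn the advice above into something actionable (cap connections in Exim, then feed the remaining offenders to the firewall), here is an added example that is not code from this thread, from cPanel or from CSF. It parses the exim_mainlog "SMTP connection from" / "SMTP call from" lines quoted in the first post, finds the source IPs that open a burst of connections inside a short window (the single-IP flood described in the second reply) or that Exim dropped for protocol garbage (the LF_EXIMSYNTAX case), and renders a `csf -d` deny command for each so an administrator can review and apply them. The 60-second window and the threshold of 20 connections are assumed starting values to tune against your own traffic; the sample log is constructed from a few lines in the thread plus a synthetic burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "SMTP connection from ..." and "SMTP call from ..." lines that
# exim_mainlog writes, as quoted in this thread.  A hostname (or a HELO name in
# parentheses) may precede the bracketed IP; the trailing text says what
# happened to the connection.  Lines such as "no host name found for ..." do
# not match and are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"SMTP (?:connection|call) from "
    r"(?:\S+ )?\[(?P<ip>[0-9A-Fa-f.:]+)\]:\d+(?P<rest>.*)$"
)


def parse_line(line):
    """Return (timestamp, ip, outcome) for an SMTP connection line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if "too many syntax or protocol errors" in rest:
        outcome = "syntax_error"      # Exim gave up on protocol garbage
    elif rest.strip() == "lost":
        outcome = "lost"              # peer vanished without QUIT
    elif "closed by QUIT" in rest:
        outcome = "quit"
    elif "TCP/IP connection count" in rest:
        outcome = "open"              # a newly accepted connection
    else:
        outcome = "other"
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("ip"), outcome


def peak_rate(timestamps, window_seconds):
    """Largest number of events inside any window of window_seconds (sliding window)."""
    times = sorted(timestamps)
    window = timedelta(seconds=window_seconds)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_offenders(lines, window_seconds=60, threshold=20):
    """
    Return {ip: reason} for sources that accepted >= threshold connections inside
    window_seconds, or that Exim dropped for syntax/protocol errors.  Counting is
    per source IP, so a changing reverse DNS name does not reset the count.
    """
    opens = defaultdict(list)
    garbage = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, outcome = parsed
        if outcome == "open":
            opens[ip].append(ts)
        elif outcome == "syntax_error":
            garbage.add(ip)
    offenders = {}
    for ip, stamps in opens.items():
        peak = peak_rate(stamps, window_seconds)
        if peak >= threshold:
            offenders[ip] = f"{peak} connections in {window_seconds}s"
    for ip in garbage:
        offenders.setdefault(ip, "dropped for SMTP syntax/protocol errors")
    return offenders


def csf_deny_commands(offenders):
    """Render a permanent CSF deny (csf -d <ip> "<comment>") for each offender."""
    return [f'csf -d {ip} "exim flood: {reason}"' for ip, reason in sorted(offenders.items())]


# Constructed sample: a few lines as quoted in the thread, plus a synthetic burst
# of 25 accepted connections within eight seconds from one address, modelled on
# the single-IP flood (5148 lines in half an hour) described in the second reply.
SAMPLE_LOG = [
    "2013-12-19 04:41:15 SMTP connection from [202.164.47.101]:63433 (TCP/IP connection count = 51)",
    "2013-12-19 04:41:15 SMTP connection from 36.65.2.109.rev.sfr.net [109.2.65.36]:63299 lost",
    "2013-12-19 04:41:15 SMTP connection from (00011ed8.fxzooterpion.us) [31.14.23.131]:53157 closed by QUIT",
    "2013-12-19 04:41:16 SMTP connection from [173.184.61.186]:37823 (TCP/IP connection count = 54)",
    '2013-12-19 04:41:16 SMTP call from h186.61.184.173.static.ip.windstream.net [173.184.61.186]:37823 dropped: too many syntax or protocol errors (last command was "...")',
    "2013-12-19 04:41:16 no host name found for IP address 202.164.47.101",
] + [
    f"2013-12-18 16:48:{52 + i % 8:02d} SMTP connection from [37.0.121.137]:{60000 + i} "
    f"(TCP/IP connection count = {1 + i % 8})"
    for i in range(25)
]

if __name__ == "__main__":
    for cmd in csf_deny_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

Against a live server, pass the file object directly: `find_offenders(open("/var/log/exim_mainlog"))`. Only lines carrying "(TCP/IP connection count = N)" are counted, so the figure reflects connections Exim actually accepted, not those already refused by its connection cap. If the offending addresses are residential or dynamic, swapping `csf -d` for a temporary deny (`csf -td`) keeps the deny list from growing without bound and from eventually catching legitimate senders who inherit a blocked address.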