Email Dictionary Attack
Hello
For about 2 days now, WHM has been trying to send random mails to email addresses that we do not have.
"No such person at this address" in WHM
After 100 mails:
Number of failed recipients exceeded. Come back in a few hours.
It shows as in the attachment.
Mails sent to us with the dictionary attack are cut off at 100.
When I look at the IPs, they all appear as spam IPs in AbuseIPDB.
I wonder how I can prevent this situation.
In WHM:
Dictionary attack protection > on
Ratelimit suspicious SMTP servers > on
Ratelimit incoming connections with only failed recipients > on
This is the case.
For example, can we block an SMTP server that tries to send us erroneous mail at 10 mails instead of 100?
Or how can we solve this problem completely?
Regards
-
Benjamin D. - is this the same as what you're seeing?
0 -
Yes. Duplicate of: https://support.cpanel.net/hc/en-us/community/posts/29587818762263/comments/29621643670423
Mehmet Ozcelik, your server is being targeted by spammers. You should not really worry for now as your screenshot depicts all of them being rejected. If I were you, I'd collect all the IP addresses and then add them to your firewall to completely reject their packets and save a little bit of CPU and bandwidth (and to prevent them from coming back after 1 hour). Oh, and make sure that in your WHM, under Tweak Settings, you set "Initial default/catch-all forwarder destination" to FAIL or BLACKHOLE. Do *NOT* set that option to "SYSTEM ACCOUNT". If you leave it as "SYSTEM ACCOUNT", your hard drive will fill up with spam!
To me, this is a new attack vector. I haven't really had that many over the last months. 2024 has been an incredible year for hacking where tons of DDoS attacks and other distributed/decentralized attacks have soared. Anyway, over the last 3-4 months, they were targeting Apache way more than other ports (to DoS web services and websites). But since yesterday, I fear that if they attack Exim more often, then at some point it will disrupt the legitimate email services for real communications.
0 -
Hello
The "Initial default/catch-all forwarder destination" setting is FAIL; I am sending it in the picture.
I have been dealing with these dictionary attacks for 2-3 days.
Could you find the setting that keeps these attacks at 100?
Maximum message recipients (soft limit) (Minimum: 1; Maximum: 100) [?]
Maximum message recipients before disconnect (hard limit) (Minimum: 1; Maximum: 100) [?]
Can these settings help to prevent them?
I would like to limit it at least at 10 or 20, not 100.
0 -
Unfortunately, there is currently no such setting in WHM... it's really outdated in terms of security. But hopefully, over the next few years, they might add such an option.
For now, until another genius idea comes in, the best course of action is to collect all the IP addresses after the fact and blacklist them so they can never come back. This will help reduce the load on your server, but you will have to invest a few hours a week to do the work manually. I can share my list here as I made an intelligence script to automatically collect them. I can also manually read everything they've requested (their grepped log) too if I need to share the proof for each one.
This is almost exactly the last 24 hours worth of IP addresses that each sent 100 Exim requests, so roughly 82.5K requests in total in 24 hours:
1.28.80.2
1.30.20.98
1.31.80.166
1.31.80.222
1.180.97.138
(...scroll down for an updated list...)
Hope it helps you. Add all of those to your firewall and you will see the load reduce a little bit. I think there will be A LOT MORE than just that over the next few days or weeks so continue to blacklist them. We should make a public page on GitHub to put all of them at the same place or something.
0 -
Hello, thank you very much for your help.
In the Exim advanced configuration:
smtp_accept_max
smtp_accept_max_per_connection
Can't it be solved or limited with these settings?
Have you tried these?
I don't know much and I don't want to do something wrong.
All of these IPs are listed in AbuseIPDB.
Can we get rid of this if we integrate the AbuseIPDB list into CSF?
But there are too many IP addresses in AbuseIPDB. Have you ever used it? Is there anything that negatively affects performance?
1 -
Wow thanks for pointing this out! This looks promising :)
I see "smtp_accept_queue_per_connection" but on our server here, it's always been set to 30, which proves that this setting has nothing to do with the issue at hand (each IP can make 100 calls before our server closes the connection, not 30)
I have not tried "smtp_accept_max_per_connection" and nobody at cPanel told me about that setting. Do you think that's where the 100 limit comes from? Maybe we could reduce this setting down to 10? Why on Earth is WHM's default value 100 when Exim's default value is 20? Why cPanel? WHY? This reminds me of the absolutely useless (and dangerous) PHP-FPM default WHM values that should be increased by 100x at least.
About your other question: Yes, I use AbuseIPDB extensively, every day, multiple times a day. There exists more than 1 BILLION (1,000,000,000) reported IP addresses on AbuseIPDB, so good luck blocking ALL of them... it's not really possible, because it would take a very high end hardware firewall with LOTS AND LOTS of rules... something like a 10,000$ pfSense firewall or something like that... it's not worth it. Our small hardware firewall in the datacentre where we are hosted currently blocks about 150 million IP addresses, mostly in China (and in some other parts of the world as well) but all the rest is done in CSF (software firewall). I believe if you pay 25$/month on AbuseIPDB, you can get the real time block list, but the issue is that there are so many millions of IP addresses (and they change constantly) that you will not be able to block all of them in software. It would take a very high end ($$$) server with extremely fast CPU to block a billion IP addresses with iptables (CSF).
I have set "smtp_accept_max" to 20 instead of 100, saved to restart Exim and I will let you know in 10 minutes if it made a difference. EDIT: Nope, it still does 100 requests back to back. It didn't change anything.
0 -
smtp_accept_max_per_connection
The value of this option limits the number of MAIL commands that Exim is prepared to accept over a single SMTP connection, whether or not each command results in the transfer of a message. After the limit is reached, a 421 response is given to subsequent MAIL commands. This limit is a safety precaution against a client that goes mad (incidents of this type have been seen).
smtp_accept_max_per_host
This option restricts the number of simultaneous IP connections from a single host (strictly, from a single IP address) to the Exim daemon. The option is expanded, to enable different limits to be applied to different hosts by reference to $sender_host_address. Once the limit is reached, additional connection attempts from the same host are rejected with error code 421. This is entirely independent of smtp_accept_reserve. The option's default value of zero imposes no limit. If this option is set greater than zero, it is required that smtp_accept_max be non-zero.
Warning: When setting this option you should not use any expansion constructions that take an appreciable amount of time. The expansion and test happen in the main daemon loop, in order to reject additional connections without forking additional processes (otherwise a denial-of-service attack could cause a vast number of processes to be created). While the daemon is doing this processing, it cannot accept any other incoming connections.
I think this can be done with one of the 2 settings.
But doesn't choosing one of these 2 settings make the smtp_accept_max setting useless?
In our case, which one would be more logical to set to keep the incoming brute force mails at 20-25 instead of 100?
Of course, without endangering normal traffic.
If you have any ideas on this matter, I would be happy if you could guide me.
0 -
Here's a small update after roughly 48 hours. So there were 1215 unique IP addresses from all around the world, totalling at least 125,000 Exim calls (note that some have had the time, after an hour passed, to try for another 100 calls before they got blacklisted):
1.7.229.162
1.28.80.2
1.30.20.98
1.31.80.166
1.31.80.222
1.180.97.138
1.180.230.98
1.220.198.126
1.227.228.136
1.236.156.129
1.244.246.221
1.245.207.104
1.247.245.61
1.252.63.242
2.35.217.44
2.37.223.58
2.54.85.220
2.55.89.171
2.55.100.104
2.55.125.200
2.57.219.2
2.58.136.167
2.74.192.198
4.35.66.243
5.11.164.165
5.11.205.135
5.30.215.71
5.59.141.152
5.130.173.74
5.140.212.144
5.166.68.89
5.228.92.193
5.228.183.178
5.228.241.15
8.20.22.58
14.0.199.165
14.6.16.137
14.37.206.76
14.43.137.90
14.45.217.249
14.48.227.118
14.52.103.241
14.54.22.11
14.88.228.202
14.98.28.43
14.195.60.142
20.46.45.121
23.87.34.133
23.94.179.104
24.97.253.246
24.115.19.225
24.121.0.66
24.143.127.69
24.143.127.70
24.143.127.71
24.162.16.2
24.187.213.29
24.194.9.65
24.224.123.153
24.237.119.118
31.0.8.92
31.43.202.110
31.134.243.37
31.141.253.119
31.173.2.172
31.173.66.222
31.207.252.124
31.220.168.116
34.29.104.32
34.41.211.48
34.126.114.239
34.146.217.105
34.146.248.7
35.130.111.98
35.130.133.206
35.243.68.66
36.7.155.16
36.26.63.158
36.33.201.45
36.34.244.190
36.37.181.181
36.39.140.2
36.110.161.134
36.134.78.151
36.134.78.162
36.135.125.196
36.138.132.109
36.154.134.146
37.57.69.227
37.139.107.136
37.151.71.8
37.204.170.200
37.204.174.45
37.204.237.3
37.205.73.112
37.208.97.2
37.224.119.19
37.230.147.250
38.20.111.164
38.28.125.96
38.74.201.90
38.79.83.28
38.230.100.252
39.88.252.16
39.109.127.195
39.125.67.109
39.129.25.70
39.129.128.108
39.152.13.143
39.152.120.40
39.164.127.195
39.165.154.222
39.165.236.12
39.170.5.210
39.185.89.241
41.38.151.24
41.59.228.160
41.63.165.61
41.67.143.142
41.93.113.138
41.157.32.129
41.159.145.190
41.214.10.178
41.220.3.101
41.224.62.206
42.1.117.226
42.123.122.103
42.177.209.66
42.200.70.134
42.200.75.233
43.154.94.85
45.71.58.25
45.71.58.130
45.117.10.134
45.136.193.248
45.170.50.2
45.179.144.38
45.201.140.227
45.225.194.121
45.229.19.184
45.250.249.12
45.251.108.124
46.14.24.50
46.21.240.186
46.29.121.110
46.30.161.197
46.44.5.135
46.50.205.61
46.52.219.58
46.146.210.180
46.153.85.132
46.161.196.5
46.162.74.47
46.162.112.159
46.173.45.180
47.38.136.162
47.41.69.130
47.181.1.49
47.206.95.195
48.218.170.53
49.249.76.221
50.24.152.80
50.81.70.80
50.82.12.128
50.83.38.15
50.96.82.149
50.171.64.170
50.188.204.213
50.195.20.138
50.201.37.210
50.203.77.30
50.223.176.171
57.132.150.162
58.16.8.106
58.16.215.241
58.18.42.74
58.18.64.54
58.18.90.114
58.18.90.250
58.18.103.142
58.18.212.238
58.22.255.28
58.33.109.90
58.34.174.90
58.49.113.138
58.53.131.26
58.57.154.146
58.115.14.128
58.115.15.172
58.115.53.66
58.122.255.2
58.122.255.6
58.210.188.130
58.216.101.162
58.216.174.226
58.226.255.240
58.229.51.205
58.230.236.86
58.234.165.73
58.242.71.107
58.242.86.203
58.248.169.140
59.1.214.102
59.2.14.33
59.2.141.155
59.4.255.205
59.7.203.177
59.9.38.92
59.10.79.34
59.34.17.130
59.41.197.10
59.99.153.21
59.175.201.58
60.8.50.150
60.8.223.58
60.14.36.47
60.18.139.82
60.28.60.82
60.29.127.226
60.31.181.219
60.38.209.122
60.38.209.189
60.38.211.155
60.45.44.122
60.45.47.167
60.45.179.200
60.166.8.174
60.168.131.3
60.171.137.226
60.171.237.143
60.172.1.210
60.172.41.103
60.173.105.206
60.173.114.254
60.174.40.155
60.175.91.53
60.175.146.138
60.212.0.13
60.219.117.186
60.240.204.168
60.246.112.254
60.246.118.115
60.249.207.53
61.42.133.74
61.51.81.78
61.69.142.186
61.76.58.118
61.77.220.62
61.81.133.182
61.81.151.97
61.108.83.139
61.112.103.62
61.112.103.148
61.113.230.9
61.118.248.19
61.118.248.70
61.118.249.89
61.118.251.193
61.143.241.150
61.150.88.22
61.150.123.106
61.153.208.38
61.160.105.66
61.169.6.99
61.169.31.242
61.169.54.150
61.169.112.210
61.185.30.170
61.185.226.70
61.185.226.122
61.185.226.142
61.233.4.50
61.254.93.70
62.28.66.78
62.76.95.152
62.201.228.210
62.238.192.121
63.47.149.59
64.124.145.199
64.188.169.248
65.76.26.86
65.76.31.73
65.76.106.187
66.11.25.195
67.55.189.215
67.210.179.14
68.15.163.18
68.117.168.44
68.191.253.130
69.242.149.240
70.89.33.235
70.92.33.198
70.95.150.16
70.112.71.128
70.118.112.230
70.122.139.172
70.166.207.76
70.169.19.43
71.29.196.170
71.90.34.32
71.229.1.186
72.17.90.246
72.26.178.196
72.134.3.252
72.175.194.139
72.180.113.155
72.240.121.31
72.250.23.208
73.95.42.162
73.106.172.226
73.134.126.162
73.231.102.189
74.196.184.120
74.208.177.56
75.80.65.214
75.110.132.232
75.152.225.154
76.77.25.196
76.169.81.36
76.176.206.19
76.176.207.24
76.176.252.225
76.178.103.119
77.37.174.248
77.50.134.183
77.53.111.65
77.53.235.246
77.85.52.109
77.94.125.250
77.109.33.120
78.36.41.213
78.108.186.10
78.125.64.126
78.142.41.167
79.10.53.104
79.132.125.226
79.137.78.40
80.15.180.102
80.76.161.99
80.112.141.230
80.244.83.178
80.250.155.76
81.13.62.77
81.16.170.117
81.22.58.11
81.211.77.58
82.84.122.203
82.102.188.117
82.102.189.42
82.193.120.203
82.193.121.147
82.204.162.116
83.136.176.12
83.220.255.230
83.233.30.104
83.237.42.54
83.239.84.130
84.52.89.218
84.54.115.46
84.240.224.102
84.254.132.62
85.19.195.12
85.29.203.126
85.130.181.81
85.130.200.51
85.130.207.117
85.174.139.107
85.237.57.200
87.103.126.54
87.103.210.232
87.197.137.162
87.248.1.199
88.18.126.17
89.38.102.187
89.40.72.101
89.67.38.27
89.101.36.159
89.144.187.114
89.153.62.100
89.160.38.13
89.207.218.10
89.253.90.113
90.161.217.228
90.173.78.90
90.188.40.123
90.189.180.243
90.230.168.26
91.74.186.57
91.103.248.120
91.116.42.218
91.219.196.17
91.239.23.149
91.244.113.178
92.124.143.165
92.255.196.185
93.64.212.219
93.174.229.206
94.61.7.100
94.154.82.35
94.158.46.233
94.190.222.124
94.205.86.48
95.0.252.72
95.0.252.76
95.0.252.78
95.31.15.104
95.57.104.252
95.79.57.221
95.84.148.71
95.85.112.170
95.87.225.236
95.87.248.223
95.141.228.9
95.165.151.19
95.174.99.133
95.220.25.124
95.221.220.196
96.1.40.151
96.79.174.131
97.70.129.101
98.102.148.242
98.110.70.2
98.111.139.88
98.152.108.61
98.220.97.188
101.13.3.72
101.13.5.49
101.71.39.143
102.50.245.141
102.221.64.10
102.223.154.170
103.48.194.21
103.56.115.66
103.65.227.12
103.68.38.78
103.68.52.210
103.69.9.250
103.79.174.147
103.79.175.115
103.81.208.4
103.83.9.138
103.91.74.187
103.93.37.178
103.99.15.104
103.123.114.215
103.123.234.219
103.124.54.14
103.145.27.1
103.146.233.121
103.146.233.163
103.147.62.171
103.148.216.116
103.156.231.20
103.171.168.246
103.181.81.149
103.182.161.206
103.187.195.104
103.190.91.20
103.190.91.98
103.190.91.113
103.196.30.122
103.199.209.60
103.219.154.156
103.231.163.154
103.235.76.1
103.246.45.57
104.37.79.117
104.157.40.219
105.16.161.35
105.235.100.6
106.12.254.47
106.51.220.33
106.86.209.86
106.107.173.49
106.107.229.232
106.213.83.20
106.213.87.199
106.246.6.133
106.246.89.66
106.246.89.67
106.246.89.68
106.255.231.10
107.182.90.67
108.18.206.153
109.67.154.24
109.106.136.152
109.167.140.130
109.195.69.156
110.7.52.183
110.14.192.20
110.25.103.200
110.25.105.223
110.25.105.224
110.25.105.235
110.25.107.43
110.25.107.44
110.34.111.22
110.35.63.30
110.38.70.172
110.77.137.236
110.172.156.150
110.175.220.250
110.182.203.89
111.39.167.59
111.39.212.68
111.50.70.34
111.70.13.240
111.70.14.135
111.70.18.246
111.70.19.8
111.70.20.166
111.70.26.230
111.70.29.130
111.70.32.47
111.70.32.51
111.70.32.180
111.70.32.191
111.70.39.163
111.70.48.27
111.70.49.105
111.70.49.184
111.91.178.253
111.171.127.190
111.172.120.32
111.193.167.212
111.207.231.65
111.220.135.93
114.31.8.202
114.98.63.18
114.108.126.228
114.108.127.188
114.130.181.74
114.143.75.66
114.202.80.152
114.216.5.134
114.221.2.199
114.241.245.198
114.242.61.35
114.243.136.120
114.250.93.159
115.23.23.103
115.23.241.161
115.46.88.68
115.66.129.26
115.75.35.251
115.75.188.242
115.78.106.223
115.88.121.73
116.48.138.69
116.48.142.242
116.48.143.166
116.48.147.155
116.50.246.69
116.59.8.61
116.72.9.151
116.86.200.16
116.88.154.47
116.92.208.12
116.112.6.186
116.113.253.142
116.113.253.178
116.114.84.234
116.114.84.242
116.114.84.246
116.114.94.242
116.114.97.10
116.124.241.138
116.124.241.142
116.132.42.170
116.132.43.94
116.228.195.251
116.231.84.13
116.251.49.106
118.38.239.52
118.45.101.159
118.70.227.203
118.91.176.138
118.91.176.243
118.122.252.141
118.130.168.66
118.131.175.66
118.212.38.130
120.194.50.39
120.202.24.117
120.224.15.67
121.7.26.195
121.11.145.81
121.11.160.60
121.15.177.173
121.22.99.2
121.66.63.188
121.66.63.189
121.66.124.149
121.134.31.193
121.141.194.159
121.142.146.167
121.147.25.111
121.154.90.17
121.154.90.47
121.164.135.251
121.167.217.147
121.174.189.52
121.179.93.147
121.186.131.108
121.189.226.81
121.202.152.7
121.202.152.13
121.202.152.24
121.202.152.82
121.202.152.100
121.202.152.102
121.202.152.115
121.202.152.221
121.202.153.19
121.202.153.62
121.202.153.100
121.202.153.126
121.202.153.186
121.202.153.211
121.202.154.25
121.202.154.40
121.202.154.63
121.202.154.100
121.202.154.213
121.202.154.250
121.202.155.10
121.202.155.16
121.202.155.34
121.202.155.79
121.202.155.118
121.202.155.182
121.202.155.250
121.202.195.103
121.202.196.6
121.202.197.40
121.202.200.31
121.202.200.218
121.202.201.109
121.202.203.93
121.202.203.100
121.202.207.60
121.202.208.245
122.11.169.112
122.148.199.165
122.148.252.147
122.151.131.211
122.160.68.46
122.160.115.90
122.160.156.85
122.160.164.28
122.160.221.59
122.163.122.138
122.165.137.159
122.165.253.142
122.166.68.89
122.166.69.211
122.169.205.218
122.170.4.225
122.170.111.140
122.176.149.10
122.187.227.24
122.187.227.144
122.187.227.152
122.187.227.193
122.187.229.190
122.187.229.247
122.187.230.75
122.187.230.205
122.187.241.61
122.187.243.95
122.187.246.78
122.193.106.140
122.224.164.194
122.225.203.106
122.227.77.118
122.227.206.42
122.228.225.21
124.74.9.190
124.101.250.121
124.101.250.238
124.101.251.78
124.115.168.106
124.115.217.162
124.132.61.213
124.136.29.20
124.148.208.140
124.160.45.26
124.225.185.148
124.246.92.77
124.246.94.219
125.20.46.114
125.21.141.54
125.39.138.229
125.69.76.148
125.139.124.120
125.140.244.144
125.142.39.13
125.228.225.91
128.75.227.38
128.106.196.150
129.146.148.173
129.205.14.196
130.185.96.125
131.148.0.202
134.22.116.38
136.34.165.114
136.36.155.187
136.38.202.60
136.49.61.211
137.59.94.130
138.36.24.33
138.75.118.229
138.75.226.104
138.186.174.166
138.207.254.114
142.59.214.64
144.48.49.72
144.123.36.138
149.0.19.108
151.83.71.207
151.252.197.3
153.0.134.10
153.141.40.159
153.141.42.207
153.141.56.175
153.141.144.20
153.141.148.106
153.141.148.190
153.141.152.193
153.141.156.44
153.141.224.46
153.141.225.169
153.141.226.108
153.141.231.117
153.141.233.245
153.141.234.139
153.141.239.133
153.141.244.78
153.141.245.102
154.118.162.194
154.127.43.35
156.19.80.138
157.20.228.20
158.140.37.181
158.140.38.21
158.174.233.64
160.248.75.108
160.248.75.116
160.251.121.70
161.49.225.218
162.186.17.150
162.246.30.55
162.252.18.246
165.56.11.206
165.220.169.113
166.169.117.118
166.195.195.159
166.195.195.160
166.195.197.38
167.250.118.53
168.226.218.185
170.81.14.113
170.133.232.100
171.34.73.139
171.244.40.236
171.244.63.34
171.244.63.170
171.244.142.135
172.90.128.97
172.250.225.23
173.20.253.109
173.29.118.52
173.95.123.220
173.167.115.17
173.186.33.55
173.225.53.149
175.17.46.166
175.100.107.238
175.117.144.158
175.119.20.149
175.156.80.166
175.156.90.182
175.156.115.211
175.156.124.94
175.156.125.94
175.156.139.195
175.156.154.149
175.180.129.87
175.198.18.3
175.198.73.174
175.202.82.16
175.202.82.251
175.203.245.102
175.205.126.214
175.206.113.91
175.207.226.216
175.207.243.95
175.210.84.220
176.113.248.3
176.121.214.105
176.172.239.193
176.212.190.170
176.222.190.69
176.222.190.70
176.226.173.151
177.6.235.62
177.94.206.187
177.125.22.55
177.174.88.241
177.174.105.113
177.174.122.213
177.200.160.158
177.202.1.58
177.207.248.5
177.222.38.9
178.25.73.199
178.35.155.182
178.38.235.47
178.49.60.24
178.76.69.221
178.140.162.227
178.140.191.131
178.150.135.19
178.178.127.114
178.178.194.128
178.178.194.135
178.178.194.137
178.178.222.53
178.178.222.58
179.42.124.80
179.51.0.170
179.125.124.14
179.127.197.89
179.181.133.153
179.185.1.177
179.185.227.77
179.236.213.190
180.7.117.7
180.7.119.68
180.7.128.91
180.7.153.106
180.7.156.43
180.7.157.26
180.7.158.220
180.7.159.114
180.7.176.16
180.7.176.104
180.7.179.114
180.7.188.10
180.7.188.225
180.7.189.49
180.7.190.87
180.7.191.106
180.69.30.93
180.88.96.37
180.94.65.174
180.94.74.150
180.97.90.143
180.104.103.146
180.168.60.146
180.168.119.2
180.188.140.198
180.188.253.150
180.218.102.225
180.222.166.212
181.164.147.150
181.189.61.189
182.42.113.10
182.70.120.127
182.76.71.82
182.76.87.90
182.135.66.27
182.151.45.136
182.156.142.238
182.163.122.133
182.176.125.34
182.176.149.53
185.6.81.48
185.15.189.232
185.30.14.122
185.101.16.250
185.123.78.13
185.129.114.190
185.148.218.235
185.167.56.2
185.167.56.34
185.167.58.9
185.167.208.3
185.181.41.120
185.199.98.51
185.221.198.75
185.255.47.190
185.255.211.124
185.255.212.178
186.23.209.47
186.73.22.66
186.96.101.124
186.148.187.146
186.179.80.12
186.200.249.162
186.201.54.90
186.215.107.189
186.238.43.146
186.239.41.74
186.247.192.94
186.247.196.106
187.8.107.198
187.9.3.190
187.12.2.110
187.19.47.79
187.50.67.114
187.50.178.142
187.72.128.185
187.76.174.254
187.93.153.166
187.123.72.205
187.161.14.83
187.161.226.88
188.17.149.213
188.43.232.65
188.59.88.234
188.59.178.35
188.127.16.197
188.152.225.58
188.168.12.14
188.168.86.6
188.219.104.210
188.226.47.211
188.226.132.113
189.6.78.182
189.39.187.16
189.56.178.158
189.97.236.1
189.108.147.210
189.109.93.50
189.115.93.183
189.218.168.67
190.0.126.91
190.104.199.251
190.181.19.131
190.182.168.21
190.182.230.76
190.211.250.122
191.0.69.202
191.5.98.222
191.36.149.230
191.36.154.175
191.36.155.116
191.36.156.14
191.36.157.111
191.36.157.125
191.56.107.53
191.241.247.150
191.243.79.22
192.34.128.202
193.93.156.147
193.150.87.70
194.26.226.55
194.28.91.40
194.31.8.12
194.53.177.61
194.53.178.132
194.53.179.95
194.53.179.161
194.85.69.22
194.87.152.161
195.133.158.175
195.158.19.6
195.158.26.59
195.198.101.47
195.239.164.190
196.25.113.218
196.28.226.66
196.28.226.123
196.28.226.124
196.28.226.125
196.46.199.19
196.46.199.99
196.46.200.107
196.46.200.161
196.46.200.197
196.189.124.218
196.189.124.229
196.189.126.10
196.189.126.185
196.190.41.137
196.190.118.132
196.191.212.238
196.203.231.220
196.207.241.168
197.87.10.83
197.90.195.68
197.136.172.98
197.211.47.66
197.231.129.154
197.231.133.50
197.250.7.67
197.255.143.72
198.91.188.226
200.106.49.149
200.138.196.194
200.149.4.102
200.149.51.186
200.151.9.74
200.151.70.158
200.159.14.187
200.165.148.166
200.195.67.82
200.202.250.46
200.222.90.178
201.63.138.162
201.86.114.43
201.88.97.102
201.172.170.49
201.173.16.21
201.183.225.156
201.218.181.19
201.234.106.218
202.4.196.178
202.53.94.242
202.108.14.225
202.200.14.2
203.34.57.78
203.81.213.46
203.116.95.48
203.123.219.137
203.124.36.67
203.124.42.85
203.128.181.121
203.189.124.10
203.189.124.62
203.189.124.74
203.193.137.250
203.198.173.145
203.252.10.3
203.252.10.4
206.51.129.5
206.125.146.242
207.44.76.103
207.102.66.226
207.188.157.230
207.219.221.53
207.219.221.101
207.219.222.15
207.219.222.44
208.85.39.104
208.105.193.45
208.105.196.214
210.0.90.81
210.12.68.242
210.13.99.66
210.22.130.22
210.84.5.183
210.86.163.194
210.104.221.252
210.105.89.100
210.204.110.224
211.20.26.201
211.21.102.172
211.35.237.38
211.44.80.68
211.48.60.35
211.52.131.183
211.53.58.10
211.57.78.222
211.57.111.99
211.72.89.67
211.97.63.16
211.104.166.110
211.109.75.69
211.109.93.130
211.117.144.194
211.142.44.154
211.172.79.206
211.178.165.251
211.185.14.75
211.193.37.116
211.196.31.2
211.199.5.231
211.221.130.246
211.223.41.90
211.238.237.254
211.239.181.182
211.243.43.58
211.245.222.217
211.247.127.250
211.248.31.142
211.252.168.97
211.253.10.61
212.73.75.82
212.120.163.110
213.3.16.128
213.13.243.101
213.55.79.195
213.55.85.202
213.57.214.111
213.59.164.32
213.59.165.109
213.96.11.230
213.124.221.2
213.154.80.50
213.230.64.246
213.230.65.53
213.230.127.217
216.70.104.41
216.70.114.230
216.104.122.159
216.106.67.50
216.126.65.148
216.137.3.254
216.145.108.234
216.181.210.18
217.22.37.184
217.150.37.249
217.198.129.54
217.209.44.9
218.4.156.254
218.4.205.242
218.4.214.115
218.14.157.24
218.15.222.74
218.22.187.66
218.22.253.37
218.23.95.9
218.23.156.227
218.28.77.206
218.55.177.39
218.58.73.238
218.59.235.170
218.68.0.210
218.70.9.114
218.80.98.75
218.98.160.117
218.146.45.68
218.147.6.84
218.147.237.108
218.149.164.118
218.149.170.149
218.149.228.137
218.149.228.149
218.149.228.174
218.150.170.10
218.212.153.73
219.91.172.21
219.139.41.6
219.140.176.170
219.145.168.9
219.159.57.4
219.248.65.30
220.75.172.163
220.77.182.169
220.77.245.227
220.80.192.168
220.80.223.144
220.90.239.158
220.93.167.144
220.95.14.102
220.120.224.227
220.121.66.215
220.122.115.9
220.172.60.154
220.180.166.214
220.180.171.157
220.182.11.126
220.185.225.50
220.189.235.126
220.189.252.218
220.246.42.79
220.246.66.209
220.248.205.14
221.2.40.10
221.6.68.50
221.10.221.104
221.120.57.125
221.130.87.125
221.146.186.122
221.146.201.37
221.161.16.240
221.162.190.243
221.163.227.238
221.178.176.85
221.195.208.171
221.199.172.66
221.209.48.203
221.210.134.9
221.215.87.163
222.64.21.130
222.67.133.193
222.68.155.105
222.75.248.46
222.85.107.135
222.87.49.250
222.92.61.242
222.103.235.223
222.108.177.110
222.114.80.158
222.114.200.160
222.116.47.157
222.117.0.253
222.117.176.58
222.119.124.66
222.122.103.21
222.128.28.51
222.128.44.171
222.132.167.110
222.134.32.74
222.173.82.198
222.180.2.2
222.180.2.62
222.184.86.186
222.186.68.153
222.236.155.146
222.239.231.61
222.240.215.10
222.242.204.22
Hope it helps everybody. One thing you will notice is that this subnet is the most aggressive one with 38 unique IP addresses so far. It's all the same ISP in Hong Kong: 121.202.0.0/16
0 -
I hope I'm not jinxing myself but I believe one of the IPs in the list above is the botnet's master used for detecting if a host is still online (so that the botnet can attack it or not) because after having blacklisted those IP addresses more than 1 hour ago, the attacks fully stopped, whereas over the last 2-3 days, it was relentless every couple of minutes.
0 -
It seems like it has stopped completely for 2 hours.
Interestingly, we have 2 different servers and it started at the same time on both of them.
It stopped at the same time on both of them.
These started exactly 1 week ago on our server.
It seems like it stopped exactly 1 week later.
I couldn't understand, I couldn't figure out the logic.
* I blocked the following countries from the Filter Incoming Emails by Country section this morning.
* I hardened the cPHulk values.
* I manually blocked more incoming attack IPs today.
Afghanistan (AF)
Argentina (AR)
Brazil (BR)
Chile (CL)
China (CN)
Gibraltar (GI)
Mexico (MX)
Peru (PE)
Taiwan (TW)
At least half of the attack IPs coming to us were from China.
It had already dropped a lot after I blocked it; it seems like it has stopped completely for 2 hours.
Of course it's not exactly clear; maybe it will start again in the coming hours.
Maximum Hourly Email by Domain Relayed
Maximum percentage of failed or deferred messages a domain may send per hour
I lowered these options to the lowest possible levels,
so that in case of a possible mail leak, there would not be many mails sent from our server.
I changed the passwords of some mail addresses.
I hope they don't come again.
0 -
Yes, same thing here, it stopped around 9:00 AM (now it's 11:00 AM). I'm thinking it's one of the last IP addresses that I've blocked that was the botnet master, but I'm not sure exactly which one.
0 -
It's interesting that it stopped at the same time for both of us.
So this was a type of attack on a global scale and it seems to have stopped at some point.
0 -
I'm seeing an uptick on one server. Most of it is dictionary attacks for one domain (that hasn't been housed on the server in ages thankfully). 51909 IPs, with 4320 uniques. If I look at all attempts on that server, it's 117494 IPs, with 5561 uniques. That's since yesterday at 4:00 AM EST.
And I don't really feel like permbanning 5561 uniques in CSF, if for no other reason than the fact that I've already got a ton in there and if you don't permban them then blocking them is useless. Plus I'm sure that some on the list are legitimate customers with misconfigured devices, and I would end up having them reaching out to me and complaining.
But, depending upon how long it lasts, I might end up going the route of blocking them. If possible I'd likely add an Include /etc/csf/csf.pita in /etc/csf/csf.deny and just put all those IPs in /etc/csf/csf.pita. That way I can keep them separate.
0 -
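Both Benjamin D.'s "intelligence script to automatically collect them" and mtindor's idea of keeping the offenders in a separate file Included from /etc/csf/csf.deny describe the same workflow: mine the Exim log for "No such person at this address" rejections, count them per client IP, and turn the heavy hitters into deny entries. The script below is an added example written for this thread, not code from either poster or from cPanel/CSF. The log lines it parses are constructed in the style of cPanel's Exim mainlog (the hostnames, addresses and IPs are made up; documentation-range IPs only), and the threshold of 10 rejects per IP is an assumption chosen to match the "10 instead of 100" figure asked about above. The /16 summary is there because the thread noted one subnet (121.202.0.0/16) accounting for 38 of the hosts, which is the kind of aggregation worth seeing before deciding whether to deny a whole prefix.

```python
"""Mine Exim mainlog rejections for dictionary-attack sources (added example).

Counts "rejected RCPT ...: No such person at this address" lines per client IP,
reports the IPs at or above a threshold in csf.deny format (one "IP # comment"
line each, suitable for a file Included from /etc/csf/csf.deny), and summarises
the offenders by /16 so aggressive prefixes stand out.
"""
import ipaddress
import re
import sys
from collections import Counter
from pathlib import Path

# Matches the client IP in Exim's "H=host (helo) [ip]:port" field on a
# cPanel-style unknown-recipient rejection line.
REJECT_RE = re.compile(
    r"H=.*?\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)?\s.*?"
    r"rejected RCPT <[^>]*>: No such person at this address"
)


def _constructed_log() -> str:
    """Constructed sample excerpt (made-up hosts, senders and recipients)."""
    lines = []
    # Three probing clients: two well over the threshold, one below it.
    bots = {"203.0.113.5": 12, "203.0.113.77": 11, "192.0.2.9": 3}
    for ip, n in bots.items():
        for i in range(n):
            lines.append(
                f"2024-11-12 09:00:{i:02d} H=(mx.bot.test) [{ip}]:5{i:04d} "
                f"F=<probe@bot.test> rejected RCPT <user{i}@example.com>: "
                "No such person at this address"
            )
    # A legitimate peer that mistyped one address and then delivered real mail.
    lines.append(
        "2024-11-12 09:05:00 H=mail.partner.test (mail.partner.test) "
        "[198.51.100.7]:40211 F=<ann@partner.test> rejected RCPT "
        "<sales-typo@example.com>: No such person at this address"
    )
    lines.append(
        "2024-11-12 09:05:01 1tAbCd-000001-Xy <= ann@partner.test "
        "H=mail.partner.test (mail.partner.test) [198.51.100.7]:40211 "
        "P=esmtps S=2048 for sales@example.com"
    )
    return "\n".join(lines) + "\n"


def count_unknown_recipient_rejects(log_text: str) -> Counter:
    """Return a Counter of client IP -> number of unknown-recipient rejections."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))  # drop anything malformed
        except ValueError:
            continue
        counts[str(ip)] += 1
    return counts


def offenders(counts: Counter, threshold: int = 10) -> list:
    """IPs with at least `threshold` rejections, most aggressive first."""
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def summarize_by_prefix(ips, prefix_len: int = 16) -> Counter:
    """Count distinct offending IPv4 hosts per /prefix_len network."""
    nets: Counter = Counter()
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            continue
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        nets[str(net)] += 1
    return nets


def render_csf_deny(entries, comment: str = "exim dictionary attack") -> str:
    """Format (ip, count) pairs as csf.deny lines: 'IP # comment'."""
    return "".join(
        f"{ip} # {comment}: {n} unknown-recipient rejects\n" for ip, n in entries
    )


if __name__ == "__main__":
    # Pass a mainlog path (e.g. /var/log/exim_mainlog) to scan a real log;
    # with no argument the constructed sample above is used.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else _constructed_log()
    hits = offenders(count_unknown_recipient_rejects(text), threshold=10)
    print(render_csf_deny(hits), end="")
    for net, uniq in summarize_by_prefix(ip for ip, _ in hits).most_common():
        print(f"# {net}: {uniq} offending host(s)")
```

The legitimate peer in the sample (one typo followed by a real delivery) stays under the threshold and is never listed, which is the false-positive case mtindor raised; the threshold and the time window of the log you feed in are the two knobs that control that trade-off.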
All it took for us is to ban the 1215 IP addresses shown in my message above and it completely (and I mean COMPLETELY) stopped. There hasn't been a single Exim attack in over 2 days, not a single one... and yes, you have to permanently ban them. They're all scoring 100% confidence on AbuseIPDB so there's absolutely nothing good that ever came out of those IP addresses in the past and until those servers get unplugged or burn out, all those machines will ever do is send spam and try to penetrate your server over and over and over again, that's all they do 24/7/365.
Those are all IP addresses that CloudFlare would never even consider letting in. Copy/paste the 1215 IP addresses in CSF, save the config so that it restarts and you'll have a very nice day.
1 -
I'm glad the two of you found a good solution. I did have the email team review this and they confirmed the same thing - the only true fix would be to ban the IPs with how many connections they were making and how often they were trying to connect.
0 -
Hello
cPanel / WHM is really weak in preventing this dictionary attack issue. It's kind of like the mail version of a DDoS attack.
Ratelimit incoming connections with only failed recipients [?]
Ratelimit incoming SMTP connections that have only sent to failed recipients five separate connection times in the last hour.
This setting is useless in my opinion.
The sent mail address is usually not found and it returns with the error "No such person at this address".
cPanel does not see this as a failed recipient; it processes it as **rejected**.
Since it processes it as **rejected**, the setting
"Ratelimit incoming SMTP connections that have only sent to failed recipients five separate connection times in the last hour."
cannot be activated.
cPRex, Benjamin D., mtindor:
they definitely need to find a solution to this issue.
Regards
0 -
permbanning them all in CSF definitely does put the halt to things. But, with so many IPs it's likely that one or more of those are going to be legitimate customers with bad email configurations who will ultimately get permanently blocked (not just SMTP but completely blocked by the server). I'm not desperate enough to do that yet.
0 -
With those IP addresses scoring 100% confidence in AbuseIPDB and the fact that those IP addresses are not ISP provided (they're datacentre servers just like yours) then it's clear that those IP addresses will never be used by legitimate users.
0 -
Hi Ben,
I did not use your list specifically, mainly because mine is larger and different than yours. So just using your list would not be effective for me.
I am curious -- how in the world did you run 1200+ IPs through AbuseIPDB to verify that every one of them was an abuser?
Disregard. I see where you can buy a plan at AbuseIPDB.Com.
Mike
0 -
Uhm, I ran WAY more than 1200 IP addresses through AbuseIPDB. Every day, I run 300-400 IP addresses and I've been doing this for a couple of years now. You can use their free API to automate this and that's mainly what I'm doing. I also manually look into logs and verify that the automation does a good job at reporting IP addresses and that there is no false positive.
This 1200 IP address list is purely for the issue at hand (discussed above, in this thread). My CSF list currently contains thousands of subnets totalling more than 100 million IP addresses around the world. 1200 IP addresses is nothing, it's like 3-4 days' worth of blacklists.
BTW, guys, watch out, the Exim DoS spammers are back this week. Here's the newer set of IP addresses (this does not include last week's list, which you can grab a couple of messages above this one):
Hope it helps.
0 -
Hi, several of my posts in this thread were automatically marked as "Pending approval" and do not currently show to the public or even to this specific thread's subscribers. One of the non showing posts is more than 1 day old and was a reply to the OP. I believe my posts are beneficial to the cPanel community. If mods think otherwise, please let me know so that I don't waste my time coming here trying to help anymore.
0 -
Benjamin D. - I approved one just now, I'm not approving the other. You know why.
I generally only check the approval queue once a day anyway unless I see some that need it.
0 -
No, I really don't know why. This is censorship and it makes cPanel look bad if I go and post it elsewhere. I wrote this comment because I know cPanel moderators and staff might read it and use my idea to improve WHM. To me, censoring that comment is not OK.
0 -
Rose Cliver, I don't see how "Maximum Hourly Email by Domain" would help with this kind of attack.
From the thousands of IP addresses performing this attack that I've monitored over the last 2 weeks, they all use exactly their 100 tries instantly (within a second or two) and then another IP takes the lead and uses its 100 tries instantly and so on, indefinitely. It's a chain of thousands (probably hundreds of thousands) of IP addresses that each try one after the other in a very, very long chain. The same IP address NEVER attacks twice in the same hour (not even in the same day), so the "Maximum Hourly Email by Domain" setting would have no effect on the attacks.
For instance, if you defined that value as 10 instead of 100, then the spammer would just swap the IP address pool 10x faster, but the result would be exactly the same on your end, except that you would potentially end up losing good/desired emails in the process, since automation and notification systems can very well send more emails per hour than whatever you set the "Maximum Hourly Email by Domain" setting to, which would obviously be worse than doing nothing at all about the attack.
0 -
I also don't see how that would help with this type of attack.
Since this seems to be happening more frequently, our team has opened HB-8197 to see if we can improve this behavior on our end through WHM tools. I don't have specific details as to what the email team has planned, but I'll be sure to post if I hear any updates.
0 -
Rex, we need something very light that we could inject into Exim's configuration that would tell it to just abruptly drop the connection when it sees more than 3 failed recipients from an IP address, without adding it to iptables or any kind of storage, just so that it's super light/quick.
I don't even see the point of adding those IP addresses to the iptables blacklist anymore as the same IP address never attacks twice in a day and although all of them score 100% on AbuseIPDB, it's unlikely that the same IP will even try the same server again in the same week or even month, given how many thousands of IP addresses that the botnet's pool contains (I have not seen the end of it yet after thousands of them permanently blacklisted over the course of 2 weeks). Adding all of them to iptables will eventually slow down our server to a crawl, because of thousands upon thousands of iptables lines to process.
0 -
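Added example (not code from the thread, from cPanel or from Exim): a small Python detector that reads constructed Exim rejectlog-style lines and flags a source IP once it exceeds a failed-recipient threshold inside a short window, which separates the "100 bad RCPTs in a second or two" burst described above from a slow, misconfigured but legitimate sender that keeps retrying one stale address. The log line layout, the IP addresses and the threshold of 3 are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of Exim's rejectlog (not real traffic).
# 198.51.100.7 burns four bad recipients within a second (probing pattern);
# 203.0.113.9 hits one stale address twice, an hour apart (misconfigured sender).
SAMPLE_REJECTLOG = """\
2024-11-18 09:12:01 H=(vps-1) [198.51.100.7] F=<a@example.net> rejected RCPT <alice@example.com>: No such person at this address
2024-11-18 09:12:01 H=(vps-1) [198.51.100.7] F=<a@example.net> rejected RCPT <bob@example.com>: No such person at this address
2024-11-18 09:12:02 H=(vps-1) [198.51.100.7] F=<a@example.net> rejected RCPT <carol@example.com>: No such person at this address
2024-11-18 09:12:02 H=(vps-1) [198.51.100.7] F=<a@example.net> rejected RCPT <dave@example.com>: No such person at this address
2024-11-18 09:30:44 H=(mta.partner) [203.0.113.9] F=<b@partner.example> rejected RCPT <old-staff@example.com>: No such person at this address
2024-11-18 10:25:10 H=(mta.partner) [203.0.113.9] F=<b@partner.example> rejected RCPT <old-staff@example.com>: No such person at this address
"""

# Timestamp, bracketed source IP, and the rejected RCPT with the cPanel error text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?\[(?P<ip>[0-9a-fA-F.:]+)\].*?"
    r"rejected RCPT <(?P<rcpt>[^>]+)>: No such person at this address"
)


def parse_rejections(text):
    """Yield (timestamp, source_ip, rejected_recipient) for each matching line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["rcpt"]


def find_probers(text, max_failures=3, window_seconds=60):
    """Return {ip: (failures, distinct_recipients, burst_seconds)} for every IP
    that exceeds max_failures rejected recipients within window_seconds."""
    per_ip = defaultdict(list)
    for ts, ip, rcpt in parse_rejections(text):
        per_ip[ip].append((ts, rcpt))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits within window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > max_failures:
                burst = events[start:end + 1]
                secs = (burst[-1][0] - burst[0][0]).total_seconds()
                flagged[ip] = (count, len({r for _, r in burst}), secs)
                break
    return flagged


if __name__ == "__main__":
    for ip, (n, distinct, secs) in find_probers(SAMPLE_REJECTLOG).items():
        print(f"{ip}: {n} failed RCPTs to {distinct} addresses in {secs:.0f}s")
```

Many distinct recipients from one IP in a few seconds is the dictionary signature; a repeated single recipient spread over an hour is the pattern you do not want to block.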
Sounds good - if you have any other ideas make sure to post them here as the email team is reviewing the few threads that have come up around this issue.
0 -
Do you want me to share our specific attack's IP address blacklist daily, or would that be useless? I'm telling you right now, they have done an INCREDIBLY good job at distributing the attack into COMPLETELY scattered subnets. Blocking /24 subnets would not even make a dent in the attacks. The IP addresses I've monitored are on almost every single 8-bit subnet across the whole Internet range. You can see this in the two blacklists that I posted last week. They've got IP addresses in every little nook and cranny of the Internet. It's not coming just from Asia or somewhere that can be well defined.
0 -
Nah, like you said, the actual addresses will change too much so that isn't going to be helpful long-term.
0 -
From the looks of it (and cPanel documentation on your website also states that) under Exim Configuration > Dictionary Attacks would do just that, but mine has always been set to ON and it does not drop the connection after 4 failed recipients so wouldn't repairing that feature just be the solution?
0