Under attack, incoming emails "no such user here"
What tools do I have to protect my WHM server from an email attack? I'm receiving 100 messages (per IP) to several domains on my server, to addresses which do not exist.
I've got exim_mainlog full of lines which say "No such user..." or "No such person". There are over 1000 IPs which are doing this all day, all night. The current exim_mainlog has over 130k lines with those errors.
It is really doing harm to my server and to my users.
I've tried several different exim config changes to limit incoming emails, but it doesn't matter what I do, there's always those 100 messages per IP.
smtp_accept_max: changing this does nothing
smtp_accept_max_per_host: changing this does nothing
These are set and active, and verified to be active:
- Dictionary attack protection
- Ratelimit suspicious SMTP servers
- Ratelimit incoming connections with only failed recipients
Hey there! This seems to be happening more frequently, so our team has opened HB-8197 to see if we can improve this behavior on our end through WHM tools. I don't have specific details as to what the email team has planned, but I'll be sure to post if I hear any updates.
Same here. Any fix available ?
I don't have anything else I can offer on my end just yet as our team is still looking into a tool to handle this new attack.
But the issue is not a fresh one:
I ended up making a list of IP addresses which were part of the attack. I made a simple script which picks up the IPs from the exim_mainlogs.
After that, I blocked every IP on the list. I'm using available WHM tools to block SMTP servers.
I just copy/pasted my blocklist to:
WHM -> Exim configuration manager -> Access lists -> Blacklisted SMTP IP addresses
That will block the botnet IP addresses very nicely. I'm updating my blocklist a couple of times per day and copy/paste the IP list again.
The attack is still going on, but it is not causing that much harm anymore. I know there is a risk that I'm blocking valid email servers accidentally, but it's a small cost. Most of the IP addresses don't even have a host name configured. Two options: having a completely unresponsive Exim server vs blocking some mail. I chose to block them all.
Will Exim's upcoming CVE-2025-26794 security release (21.02.2025) fix this issue?
I don't have any public information on what all that may fix, but I doubt it would be related to this. The issue isn't with Exim itself, but the connections people make to the server.
Our cPanel server is still under attack. The attack has been ongoing for over a month.
Now I have found indications that the attack method is changing or has evolved. A new attack method was detected last night.
The attacker sends emails to non-existent addresses, with the messages arriving at the same timestamp, but the sender's IP address is changing. The attack no longer originates from the same IP address per 100 messages.
Before this, the attack was coming from the same IP address, 100 messages per IP. Then, another 100 messages from different IP address, and so on.
Now, the From address is always "postmaster@domain.tld". Earlier the From address was some random words or letters.
The new attack makes extracting IP addresses from the exim_mainlog file significantly more challenging. I can't use the "postmaster" address as a rule to extract IPs, because the attacker might change it later.
Any tips or suggestions are welcome.
Here's an example of the log. I removed the real domain names and IP addresses.
There are hundreds of lines just like these.
2025-03-05 01:24:37 H=domain1.com [0.0.0.1]:43532 F=<postmaster@domain1.com> rejected RCPT <fake.name@our-customer-domain.com>: No such person at this address.
2025-03-05 01:24:37 H=domain2.com [0.0.0.2]:45654 F=<postmaster@domain2.com> rejected RCPT <fakename@our-customer-domain.com>: No such person at this address.
2025-03-05 01:24:37 H=domain3.com [0.0.0.3]:58856 F=<postmaster@domain3.com> rejected RCPT <fname@our-customer-domain.com>: No such person at this address.
2025-03-05 01:24:37 H=domain4.com [0.0.0.4]:47420 F=<postmaster@domain4.com> rejected RCPT <fa.name@our-customer-domain.com>: No such person at this address.
2025-03-05 01:24:37 H=domain5.com [0.0.0.5]:55678 F=<postmaster@domain5.com> rejected RCPT <name.fake@our-customer-domain.com>: No such person at this address.
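As an added illustration (not code from the thread or from cPanel), here is a small Python parser for the rejection lines quoted above that builds a per-IP count and also flags the newer distributed pattern, where many distinct IPs hit the same second; the log lines, thresholds and field names are constructed assumptions, not real traffic.

```python
import re
from collections import Counter, defaultdict

# Matches the "rejected RCPT ... No such user/person" lines shown in the post above.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]:\d+ '
    r'F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>: '
    r'(?P<reason>No such (?:user|person).*)$'
)

# Constructed sample modelled on the excerpt above; the last two lines are a
# legitimate sender mistyping one address, which must NOT end up on the blocklist.
SAMPLE_LOG = """\
2025-03-05 01:24:37 H=domain1.com [0.0.0.1]:43532 F=<postmaster@domain1.com> rejected RCPT <fake.name@our-customer-domain.com>: No such person at this address.
2025-03-05 01:24:37 H=domain2.com [0.0.0.2]:45654 F=<postmaster@domain2.com> rejected RCPT <fakename@our-customer-domain.com>: No such person at this address.
2025-03-05 01:24:37 H=domain3.com [0.0.0.3]:58856 F=<postmaster@domain3.com> rejected RCPT <fname@our-customer-domain.com>: No such person at this address.
2025-03-05 01:24:38 H=domain1.com [0.0.0.1]:43540 F=<postmaster@domain1.com> rejected RCPT <x@our-customer-domain.com>: No such person at this address.
2025-03-05 01:25:00 H=mail.example.net [0.0.0.9]:25 F=<bob@example.net> rejected RCPT <typo@our-customer-domain.com>: No such user here
2025-03-05 01:25:01 H=mail.example.net [0.0.0.9]:25 F=<bob@example.net> completed
"""

def parse_rejections(text):
    """Yield (timestamp, ip, sender, recipient) for each unknown-recipient rejection."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group('ts'), m.group('ip'), m.group('sender'), m.group('rcpt')

def blocklist_candidates(text, min_per_ip=2, min_ips_per_second=3):
    """Return (sorted candidate IPs, sorted burst timestamps).

    An IP is a candidate if it produced min_per_ip rejections on its own, or if it
    took part in a 'burst second' (>= min_ips_per_second distinct IPs rejected in the
    same second), which is how the distributed variant shows up without per-IP volume.
    """
    per_ip = Counter()
    ips_per_second = defaultdict(set)
    for ts, ip, _sender, _rcpt in parse_rejections(text):
        per_ip[ip] += 1
        ips_per_second[ts].add(ip)
    bursts = {ts: ips for ts, ips in ips_per_second.items() if len(ips) >= min_ips_per_second}
    flagged = {ip for ip, n in per_ip.items() if n >= min_per_ip}
    for ips in bursts.values():
        flagged |= ips
    return sorted(flagged), sorted(bursts)

if __name__ == "__main__":
    ips, bursts = blocklist_candidates(SAMPLE_LOG)
    print("\n".join(ips))  # one IP per line, the shape the WHM blacklist field accepts
```

Run it against the real exim_mainlog instead of SAMPLE_LOG and review the burst timestamps before pasting the list, since the per-second threshold is what decides whether a single low-volume IP gets swept in.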
I don't have any great recommendations for this situation. It might be best to reach out to Cloudflare and see if this is something their tools can help protect against, as you'll need a more advanced tool than trying to block IPs or specific domains.