OT: third party relay attack

Steffen Nurpmeso steffen at sdaoden.eu
Fri Jan 10 07:36:53 PST 2020


Pierre Abbat wrote in <3633605.BztBv1gPr2 at puma>:
 |My mailserver is being attacked by what looks like a botnet since December 16
 |at 6:07 (11:07 UTC). Many hosts all over the world are sending mail purporting
 |to be from many domains all over the world to a few domains in Russia. Most of
 |the IP addresses are blocked by uceprotect.net; a few are blocked by other
 |blocklists. A few are not blocked, but are rejected with "Relay access
 |denied". The messages come at a rate of several per second.
 |
 |There are 133 emails stuck in leaf's mail queue, but they do not appear to be
 |related to this attack.

Fwiw, not being an administrator and having had no idea of that
side of the road, i learned to let connections "sleep" for
a while.  This is possible with Postfix, for example.  First i let
them hang, before blacklist lookups.  It reduced those attacks
a little bit.  E.g.,

  smtpd_relay_restrictions =
      sleep NUMBER,
      reject_invalid_helo_hostname,
      reject_non_fqdn_helo_hostname,
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      sleep NUMBER

You can set restrictive error counts

  smtpd_soft_error_limit = 1
  smtpd_hard_error_limit = 1
  smtpd_per_record_deadline = yes
  smtpd_timeout = 21s

This i did after i had switched to OpenSMTPD for one day.  Like
magic, a few hours after i did, there was one connection, it did
nothing for a few seconds, followed by another one, and then these
two started sending mails like crazy to Taiwanese Yahoo addresses
i think it was.  They then entered a wave of disconnections and
reconnections with other addresses which continued this work.  (My
firewall throttles over time.)  Well, i got a nice information
mail from Yahoo Taiwan i think it was saying that they blocked my
IP temporarily because of the activity.  Blocking had no influence
on the attack itself.  Realizing the OpenSMTPD config error
i fixed that, but their misuse continued, and OpenSMTPD did not
seem to have something like Postfix's _error_limit (my query on
OpenSMTPD bugs/tracker never received an answer), so after
continuously blacklisting the bots' IP addresses i threw away
OpenSMTPD and reinstalled Postfix, with the error_limit reduced
from 3 to 1.  Attack over.

Having said that, it would be tremendous if servers like Postfix,
dovecot, ssh, would offer hooks which would get invoked on
connection establishment and break, to be able to track
un/successful logins as well as "nonsense connections" etc. so
that the entire [di]notify/log file parse sauce could vanish.
It always struck me as total nonsense that log files are parsed
to collect the info that servers had at hand.  Christos Zoulas of
NetBSD implemented blacklistd with patches for i think at
least Postfix and ssh; this does implement that for logins at
least.  FreeBSD imported that.

Of course all that does not help against firewall rules aka tables
filling with lots of addresses to be blocked.  I have some general
rate limiting, but sometimes this bites real connectivity, for
example if people merge their readily prepared git topic branches
into mainline repositories, and dozens of messages from the same
server fly in.  I have no idea on what to do against these two
problems.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
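The "log file parse sauce" the post complains about is still what most admins end up writing, so as an added example (not from the post or from Postfix) here is a small Python script over constructed Postfix smtpd log lines: it counts "Relay access denied" rejections per client, separates them from rejections a DNS blocklist already made, and lists the clients that slipped past the blocklists. The hostnames, addresses and blocklist name in the sample are made up; only the host name "leaf" is borrowed from the quoted message.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Postfix log lines (not from the original post). Hosts,
# addresses and the blocklist name are made-up documentation values.
SAMPLE_LOG = """\
Dec 16 06:07:01 leaf postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <u1@example.ru>: Relay access denied; from=<a@example.org> to=<u1@example.ru> proto=ESMTP helo=<x>
Dec 16 06:07:02 leaf postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <u2@example.ru>: Relay access denied; from=<b@example.net> to=<u2@example.ru> proto=ESMTP helo=<x>
Dec 16 06:07:02 leaf postfix/smtpd[1235]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.5]: 554 5.7.1 <u3@example.ru>: Relay access denied; from=<c@example.com> to=<u3@example.ru> proto=ESMTP helo=<mail.example.com>
Dec 16 06:07:03 leaf postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using dnsbl.example; from=<d@example.org> to=<u4@example.ru> proto=ESMTP helo=<y>
Dec 16 06:07:04 leaf postfix/smtpd[1237]: connect from unknown[192.0.2.10]
"""

# One RCPT rejection as Postfix logs it: client host[ip], the SMTP reply,
# then the envelope sender and recipient.
LINE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ (?P<msg>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def classify(msg):
    """Distinguish plain relay refusals from rejections a DNS blocklist made."""
    if "Relay access denied" in msg:
        return "relay-denied"
    if "blocked using" in msg:
        return "dnsbl"
    return "other"

def summarize(log_text):
    """Return (rejections per client IP by kind, rejections per recipient domain)."""
    per_ip = defaultdict(Counter)
    rcpt_domains = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:          # connects, disconnects, deliveries: not rejections
            continue
        per_ip[m["ip"]][classify(m["msg"])] += 1
        rcpt_domains[m["rcpt"].rsplit("@", 1)[-1].lower()] += 1
    return per_ip, rcpt_domains

def block_candidates(per_ip, threshold=2):
    """Clients that hit the relay check `threshold` times or more without a
    blocklist stopping them first: what an error limit or firewall rule
    would have to deal with."""
    return sorted(ip for ip, kinds in per_ip.items()
                  if kinds["relay-denied"] >= threshold)
```

Run it over a real mail log with `summarize(open("/var/log/mail.log").read())`; the recipient-domain counter shows whether the traffic is aimed at a few foreign domains, as in the quoted report.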
