OT: third party relay attack

Matthew Dillon dillon at backplane.com
Fri Jan 10 09:50:52 PST 2020 

There isn't a whole lot that can be done short of white-listing only
allowed originators and recipients.  Most anti-spam services filter out
critical non-spam emails along with the spam.

What I do for my personal domain is actually forward all my mail, spam and
all, to my gmail account and let Google's spam filters deal with it (to the
tune of hundreds of spams a day).   And for DragonFlyBSD's domain... we've
mostly not using it for email beyond the mailing list server and the
mailing list server is essentially white-listed based on the subscriptions.

-Matt

On Fri, Jan 10, 2020 at 7:36 AM Steffen Nurpmeso <steffen at sdaoden.eu> wrote:

> Pierre Abbat wrote in <3633605.BztBv1gPr2 at puma>:
>  |My mailserver is being attacked by what looks like a botnet since
> December \
>  |16
>  |at 6:07 (11:07 UTC). Many hosts all over the world are sending mail \
>  |purporting
>  |to be from many domains all over the world to a few domains in Russia. \
>  |Most of
>  |the IP addresses are blocked by uceprotect.net; a few are blocked by
> other
>  |blocklists. A few are not blocked, but are rejected with "Relay access
>  |denied". The messages come at a rate of several per second.
>  |
>  |There are 133 emails stuck in leaf's mail queue, but they do not appear \
>  |to be
>  |related to this attack.
>
> Fwiw, not being an administrator and having had no idea of that
> side of the road, i learned to let connections "sleep" for
> a while.  This is possible with Postfix, for example.  First i let
> them hang, before blacklist lookups.  It reduced those attacks
> a little bit.  E.g.,
>
>   smtpd_relay_restrictions =
>       sleep NUMBER,
>       reject_invalid_helo_hostname,
>       reject_non_fqdn_helo_hostname,
>       reject_non_fqdn_sender,
>       reject_non_fqdn_recipient,
>       sleep NUMBER
>
> You can set restrictive error counts
>
>   smtpd_soft_error_limit = 1
>   smtpd_hard_error_limit = 1
>   smtpd_per_record_deadline = yes
>   smtpd_timeout = 21s
>
> This i did after i have switched to OpenSMTPD for one day.  Like
> magic, a few hours after i did, there was one connection, it did
> nothing for a few seconds, followed by another one, and then these
> two started sending mails like grazy to Taiwenese Yahoo addresses
> i think it was.  They then entered a wave of disconnections and
> reconnections with other addresses which continued this work.  (My
> firewall throttles over time.)  Well, i got a nice information
> mail from Yahoo Taiwan i think it was saying that they blocked my
> IP temporarily because of the activity.  Blocking had no influence
> on the attack itself.  Realizing the OpenSMTPD config error
> i fixed that, but their misuse continued, and OpenSMPTD did not
> seem to have something like Postfix's _error_limit (my query on
> OpenSMTPD bugs/tracker never received an answer), so after
> continuously blacklisting the bots' IP addresses i threw away
> OpenSMTPD and reinstalled Postfix, with the error_limit reduced
> from 3 to 1.  Attack over.
>
> Having said that, it would be tremendous if servers like Postfix,
> dovecot, ssh, would offer hooks which would get invoked on
> connection establishment and break, to be able to track
> un/successful logins as well as "nonsense connections" etc. so
> that the entire [di]notify/log file parse sauce could vanish.
> Always strived me being total nonsense that log files are parsed
> to collect the info that servers had at hand.  Christos Zoulas of
> NetBSD implemented the blacklistd with patches for i think at
> least Postfix and ssh, this does implement that for logins at
> least.  FreeBSD imported that.
>
> Of course all that does not help against firewall rules aka tables
> filling with lots of addresses to be blocked.  I have some general
> rate limiting, but sometimes this bites real connectivity, for
> example if people merge their readily prepared git topic branches
> into mainline repositories, and dozen of messages from the same
> server fly in.  I have no idea on what to do against these two
> problems.
>
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dragonflybsd.org/pipermail/users/attachments/20200110/29d37f80/attachment.htm>

More information about the Users mailing list