Ban flooding IPs
- BruceLeeRoy
- Posts: 47
- Joined: 01 May 2015 13:27
Ban flooding IPs
Wondering if anyone has found a way to ban an IP that floods EFA with spam. Maybe there's a way to use fail2ban with blacklist entries?
I've been getting attacks at the rate of 70 messages per minute (as reported by EFA) that originate from the same IP, sometimes the IP increments through a subnet with the same spam message going to every user I've ever had on my system, many of which have not been valid accounts for over 15 years. Each of these invalid users will get 6 or 7 variations of the spam, which totals around 5,000 messages which I think are being sent to my domains within a few minutes. It's almost like a DoS attack. I have to block those subnets at the router to get mail working normally again when this happens. Maybe fail2ban or some other kind of rate limiting?
Re: Ban flooding IPs
Just take a look at viewtopic.php?t=2659
Works fine. To use blacklists you need to share some details about the spam mails.
To use iptables see: https://www.digitalocean.com/community/ ... ving-rules
and: https://www.cyberciti.biz/tips/linux-ip ... ports.html
EFA allows you to add a bunch of extra scanners and blocklists.
Within postfix there are many things you can do with smtpd_recipient_restrictions.
A nice firewall with IDS (Snort) is the first defence line. Pfsense is my favorite.
Is it just me or is this kinda strange? How do they know these accounts?
"to every user I've ever had on my system, many of which have not been valid accounts for over 15 years"
It's not that difficult to blow up someone's mail server, but you still need the -valid- mail accounts, as far as I know.
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
- BruceLeeRoy
- Posts: 47
- Joined: 01 May 2015 13:27
Re: Ban flooding IPs
Thanks for the tip, I'll look into implementing Snort first and see how that goes. It seems that the IP ranges that are flooding are always changing, never used twice. It seems that a subnet gets compromised and the spammers use it until it's blacklisted everywhere, then move on to another IP. Many are legitimate hosting companies in the U.S. but also addresses in other countries. It seems every 10 minutes the attack comes from a new IP address. I also think the purpose is not to get spam to end users but to flood the network. I started looking at the messages and noticed the content has nothing to do with the subject. It's just bogus phrases intended to fill the message with a bunch of non-relevant links.
They must have a database of every email address I've ever had on one of my domains, from former spam lists perhaps but there are also usernames included in the attack I've never had on this domain. Yes, it's very strange. I think they are just trying to create a ton of bounces. I have to manually go into Postfix and clear the mail queue because it will grow to over 1000 messages after an hour of these attacks.
Re: Ban flooding IPs
Before you start with Snort, I would try some postfix restrictions first. That's a lot faster than learning how to configure Snort. If you have questions about Snort, you can PM me, as it's outside the scope of this forum.
Do you use greylisting (as present in E.F.A)? Google on:
Code:
site:forum.efa-project.org greylist
Sure there are members on this forum that have some tips on how to.
There is also a lot you can do with restrictions: smtpd_recipient_restrictions, smtpd_sender_restrictions, rejecting unknown local recipients, etc.
http://www.postfix.org/postconf.5.html# ... rbl_client
RBL lists that can be used like:
Code:
# main.cf: continuation lines of a multi-line value must start with whitespace.
# Check that each DNSBL below is still operational before relying on it: a dead
# zone silently fails open, and an expired domain taken over by a parker can
# answer every lookup and block all mail. dsn.rfc-ignorant.org and list.dsbl.org
# have been shut down for years; sbl-xbl.spamhaus.org is superseded by zen.spamhaus.org.
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client multi.uribl.com,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.sorbs.net,
    permit
About the Wowrack.com spam in my mentioned post, I did send an email to the abuse address, and guess what, they gave me a free account. No clue why. Don't need it, don't want it, but still have it, and all spam stopped the same day.
- BruceLeeRoy
- Posts: 47
- Joined: 01 May 2015 13:27
Re: Ban flooding IPs
I disabled greylisting because I was getting a lot of complaints about delayed messages, seemed to only affect legitimate mail.
As for the restrictions, can I just add these things in "other restrictions" in Webmin SMTP Client Restrictions or is there a conf file I can add them to?
Re: Ban flooding IPs
A simple Copy and Paste is not always the best option.
I would start step by step, and make backups of the conf file you changed and keep track of your changes (let's call it documentation).
I never use webmin, I always use ssh. My favorite tool is the (free) MobaXterm tool https://mobaxterm.mobatek.net/
These restrictions are in /etc/postfix/main.cf
To see your config:
Code:
postconf -n | grep smtpd_
There you will find something like below:
Code:
smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service inet:127.0.0.1:2501
- BruceLeeRoy
- Posts: 47
- Joined: 01 May 2015 13:27
Re: Ban flooding IPs
I've added all the RBLs you had listed, tested with my Yahoo account and found SORBS was blocking Yahoo mail, no surprise I guess, so I removed SORBS and got Yahoo mail through. Incoming mail has significantly decreased, just hope there isn't more legitimate mail blocked. I guess I'll see if I get complaints.
- BruceLeeRoy
- Posts: 47
- Joined: 01 May 2015 13:27
Re: Ban flooding IPs
The spam attacks have resumed today, 100 messages per minute every 10 minutes. Blocking at the firewall and reporting to abuse@ at the hosting provider.
Re: Ban flooding IPs
Install fail2ban and import the sender IPs into it. Maybe there is a way to count.
Here is my code snippet to import IPs:
Code:
#!/bin/sh
# Fetch the last hour of mail-related attacker IPs from blocklist.de.
# The URL must be quoted: an unquoted '&' backgrounds wget and drops the
# service=mail parameter (which is why the old mv used a file name without it).
wget -q -O /tmp/iplist.txt 'http://api.blocklist.de/getlast.php?time=3600&service=mail'
# Ban every listed address in both postfix jails.
while read -r ip
do
    fail2ban-client set postfix-sasl banip "$ip"
    fail2ban-client set postfix banip "$ip"
done < /tmp/iplist.txt
rm -f /tmp/iplist.txt
You can get a list of the blocked IPs with:
Code:
fail2ban-client status postfix-sasl
fail2ban-client status postfix
Last edited by benscha on 24 Jun 2019 15:13, edited 2 times in total.
always happy for any hints and tips! | EFA 3.0.2.6
- BruceLeeRoy
- Posts: 47
- Joined: 01 May 2015 13:27
Re: Ban flooding IPs
Your fail2ban suggestion looks promising, but when the attacks come they seem to be brand new IPs that won't be on that list. But it gave me an idea and I've been playing with fail2ban, trying to write a custom filter. But I'm horrible with Python, not sure if anyone here has experience with Python and fail2ban filters. Here's what I have so far:
Code:
^%(__prefix_line)s[-._\w]+: hold header Received: from [-._\w]+\.[-._\w]+\.[-._\w]+\(unknown \[<HOST>\]\)\?\?by efa.mydomain.com \(Postfix\) with ESMTP id [-._\w]+\?\?for <spamtrap@mydomain.com>*$
Here is a long entry I am trying to match:
Code:
Dec 12 17:18:21 efa postfix/cleanup[12244]: 525E120070: hold: header Received: from braid.amilliaccessories.com (unknown [75.127.11.2])??by efa.mydomain.com (Postfix) with ESMTP id 525E120070??for <spamtrap@mydomain.com>; Wed, 12 Dec 2018 17:18:21 -0500 (EST) from unknown[75.127.11.2]; from=<melissa.hays@amilliaccessories.com> to=<spamtrap@mydomain.com> proto=ESMTP helo=<braid.amilliaccessories.com>
- BruceLeeRoy
- Posts: 47
- Joined: 01 May 2015 13:27
Re: Ban flooding IPs
I've finally gotten a custom fail2ban filter working with regex. Sharing in case anyone else is trying to accomplish this:
Code:
[INCLUDES]
before = common.conf

# fail2ban reads failregex from the [Definition] section; without this header
# the filter loads with no failregex at all.
[Definition]
failregex = ^%(__prefix_line)s[-._\w]+: hold: header Received: from [-._\w]+ \(unknown \[<HOST>]\)\?\?by host.yourdomain.com \(Postfix\) with ESMTP id [-._\w]+\?\?for <(?:username1|username2|username3)@yourdomain.com>
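As an added example (not the poster's filter and not EFA or fail2ban code), the Python below runs this failregex the way fail2ban would, with simplified stand-ins for %(__prefix_line)s and <HOST>, over constructed postfix/cleanup log lines and then applies maxretry/findtime counting to see which source IP a jail would ban. The efa.mydomain.com host, the spamtrap/oldaccount1 recipients and all addresses are assumed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in (assumption) for fail2ban's %(__prefix_line)s from common.conf.
PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/cleanup\[\d+\]: "
# Stand-in for the <HOST> tag: fail2ban replaces it with a named capture group.
HOST = r"(?P<host>[\w\-.^_]*\w)"

# The failregex from the post, placeholder host/recipients filled in for an assumed efa.mydomain.com.
FAILREGEX = re.compile(
    PREFIX + r"[-._\w]+: hold: header Received: from [-._\w]+ \(unknown \["
    + HOST + r"]\)\?\?by efa\.mydomain\.com \(Postfix\) with ESMTP id [-._\w]+"
    + r"\?\?for <(?:spamtrap|oldaccount1)@mydomain\.com>"
)

def match_line(line):  # (timestamp, host) on a filter hit, else None
    m = FAILREGEX.search(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("host")

def offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Emulate a jail: hosts with >= maxretry matches inside one findtime window."""
    hits = defaultdict(list)
    for line in lines:
        r = match_line(line)
        if r:
            hits[r[1]].append(r[0])
    banned = set()
    for host, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(host)
                break
    return banned

def _log(ts, host, rcpt):  # one constructed postfix/cleanup "hold" log line
    return (f"{ts} efa postfix/cleanup[12244]: 525E120070: hold: header Received: from "
            f"mail.example.test (unknown [{host}])??by efa.mydomain.com (Postfix) with "
            f"ESMTP id 525E120070??for <{rcpt}@mydomain.com>; Wed, 12 Dec 2018 -0500")

# Constructed sample: six hits in under a minute from one host, two stray hits
# from another, and a normal smtpd line that must not match at all.
SAMPLE = [_log(f"Dec 12 17:18:{s:02d}", "203.0.113.5", "spamtrap") for s in range(0, 60, 10)]
SAMPLE += [_log("Dec 12 17:18:30", "198.51.100.7", "oldaccount1"),
           _log("Dec 12 17:40:00", "198.51.100.7", "oldaccount1"),
           "Dec 12 17:19:00 efa postfix/smtpd[12250]: connect from mx.example.test[192.0.2.9]"]
```

Running `offenders(SAMPLE)` returns only the flooding host; the second host's two hits are 22 minutes apart and stay under the default maxretry/findtime, which is the same tuning trade-off a real jail makes.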