Ban flooding IPs

Questions and answers about how to do stuff
Post Reply
User avatar
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Ban flooding IPs

Post by BruceLeeRoy »

Wondering if anyone has found a way to ban an IP that floods EFA with spam. Maybe there's a way to use fail2ban with blacklist entries?
I've been getting attacks at the rate of 70 messages per minute (as reported by EFA) that originate from the same IP, sometimes the IP increments through a subnet with the same spam message going to every user I've ever had on my system, many of which have not been valid accounts for over 15 years. each of these invalid users will get 6 or 7 variations of the spam which totals around 5,000 messages which I think are being sent to my domains within a few minutes. It's almost like a DoS attack. I have to block those subnets at the router to get mail working normally again when this happens. Maybe fail2ban or some other kind of rate limiting?
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Ban flooding IPs

Post by henk »

Just take a look at viewtopic.php?t=2659

Works fine. To use blacklists you need to share some details about the spam mails.

To use iptables see: https://www.digitalocean.com/community/ ... ving-rules
and : https://www.cyberciti.biz/tips/linux-ip ... ports.html

EFA allows you to add a bunch of extra scanners and blocklists.

Within postfix there are many things you can do with smtpd_recipient_restrictions.

A nice firewall with IDS ( Snort) is the first defence line. Pfsense is my faforite.
to every user I've ever had on my system, many of which have not been valid accounts for over 15 years
Is it just me or is this kinda strange? How do they know these accounts?
It's not that difficult to blow up someone's mailserver, but you still need the -valid- mailaccounts, as far as I know.
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
User avatar
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Re: Ban flooding IPs

Post by BruceLeeRoy »

Thanks for the tip, I'll look into implementing Snort first and see how that goes. It seems that the IP ranges that are flooding are always changing, never used twice. It seems that a subnet gets compromised and the spammers use it until its blacklisted everywhere then move on to another IP. Many are legitimate hosting companies in the U.S. but also addresses in other countries. It seems every 10 minutes the attack comes from a new IP address. I also think the purpose is not to get spam to end users but to flood the network. I started looking at the messages and noticed the content has nothing to do with the subject. It's just bogus phrases intended to fill the message with a bunch of non relevant links.

They must have a database of every email address I've ever had on one of my domains, from former spam lists perhaps but there are also usernames included in the attack I've never had on this domain. Yes, it's very strange. I think they are just trying to create a ton of bounces. I have to manually go into Postfix and clear the mail queue because it will grow to over 1000 messages after an hour of these attacks.
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Ban flooding IPs

Post by henk »

Before you start with Snort, I would try some postfix restrictions first. That's a lot faster than learn how to configure Snort. If you got questions about Snort, you can PM me, as it's outside the scope of this forum.

Do you use greylisting ( as present in E.F.A)? Google on :

Code: Select all

site:forum.efa-project.org greylist
Sure there are members on this forum that have some tips on howto :!:

There is also a lot you can do with restrictions: smtpd_recipient_restrictions, smtpd_sender_restrictions,Rejecting Unknown Local Recipients, etc,etc
http://www.postfix.org/postconf.5.html# ... rbl_client

rbl lists that can be used like:

Code: Select all

smtpd_recipient_restrictions =
            reject_invalid_hostname,
            reject_unknown_recipient_domain,
            reject_unauth_pipelining,
            permit_mynetworks,
            permit_sasl_authenticated,
            reject_unauth_destination,
            reject_rbl_client multi.uribl.com,
            reject_rbl_client dsn.rfc-ignorant.org,
            reject_rbl_client dul.dnsbl.sorbs.net,
            reject_rbl_client list.dsbl.org,
            reject_rbl_client sbl-xbl.spamhaus.org,
            reject_rbl_client bl.spamcop.net,
            reject_rbl_client dnsbl.sorbs.net,
            permit

About the Wowrack.com spam in my mentioned post, I did send an email to the abuse adress, and quess what, they gave me a free account. No clue why. Dont need it, dont want it but still have it and all spam stopped the same day :doh:
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
User avatar
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Re: Ban flooding IPs

Post by BruceLeeRoy »

I disabled greylisting because I was getting a lot of complaints about delayed messages, seemed to only affect legitimate mail.


As for the restrictions, can I just add these things in "other restrictions" in Webmin SMTP Client Restrictions or is there a conf file I can add them to?
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Ban flooding IPs

Post by henk »

A simple Copy and Paste is not always the best option. :think:
I would start step by step, and make backups of the conf file you changed and keep track of your changes. ( lets call it documentation :lol: )
I never use webmin, I always use ssh. My favorite tool is the (free) MobaXterm tool https://mobaxterm.mobatek.net/

These restrictions are in /etc/postfix/main.cf
To see your config

Code: Select all

postconf -n |grep smtpd_
There you will find something like below:

Code: Select all

smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service inet:127.0.0.1:2501
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
User avatar
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Re: Ban flooding IPs

Post by BruceLeeRoy »

I've added all the RBL's you had listed, tested with my yahoo account and found SORBS was blocking yahoo mail, no surprise I guess, so I removed sorbs and got yahoo mail through. Incoming mail has significantly decreased, just hope there isn't more legitimate mail blocked. I guess I'll see if I get complaints.
User avatar
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Re: Ban flooding IPs

Post by BruceLeeRoy »

The Spam attacks have resumed today 100 messages per minute every 10 minutes. :cry: Blocking at firewall and reporting to abuse@ the hosting provider
benscha
Posts: 19
Joined: 23 Jan 2018 07:19

Re: Ban flooding IPs

Post by benscha »

install fail2ban and import the sender ip's to it. maybe there is a way to count


here is my Code Snippet to import ip's

Code: Select all

wget -P /tmp/iplist http://api.blocklist.de/getlast.php?time=3600&service=mail

mv /tmp/iplist/getlast.php\?time\=3600 /tmp/iplist.txt

while read ip
do
fail2ban-client set postfix-sasl banip $ip
done < /tmp/iplist.txt

while read ip
do
fail2ban-client set postfix banip $ip
done < /tmp/iplist.txt


rm -rf /tmp/iplist
rm -f /tmp/iplist.txt
you can get a list of the blocked ip's with

Code: Select all

fail2ban-client status postfix-sasl
fail2ban-client status postfix
Last edited by benscha on 24 Jun 2019 15:13, edited 2 times in total.
always happy for any hints and tipps! :clap: | EFA 3.0.2.6
User avatar
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Re: Ban flooding IPs

Post by BruceLeeRoy »

Your fail2ban suggestion looks promising but when the attacks come they seem to be brand new IP's that wont be on that list. But it gave me an idea and been playing with fail2ban, trying to write a custom filter. But, I'm horrible with python, not sure if anyone here has experience with python and fail2ban filters. Here's what I have so far:

Code: Select all

^%(__prefix_line)s[-._\w]+: hold header Received: from [-._\w]+\.[-._\w]+\.[-._\w]+\(unknown \[<HOST>\]\)\?\?by efa.mydomain.com \(Postfix\) with ESMTP id [-._\w]+\?\?for <spamtrap@mydomain.com>*$


Here is a long entry I am trying to match:

Code: Select all

Dec 12 17:18:21 efa postfix/cleanup[12244]: 525E120070: hold: header Received: from braid.amilliaccessories.com (unknown [75.127.11.2])??by efa.mydomain.com (Postfix) with ESMTP id 525E120070??for <spamtrap@mydomain.com>; Wed, 12 Dec 2018 17:18:21 -0500 (EST) from unknown[75.127.11.2]; from=<melissa.hays@amilliaccessories.com> to=<spamtrap@mydomain.com> proto=ESMTP helo=<braid.amilliaccessories.com>
User avatar
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Re: Ban flooding IPs

Post by BruceLeeRoy »

I've finally gotten a custom fail2ban filter working with regex. Sharing in case anyone else is trying to accomplish this:

Code: Select all

[INCLUDES]
before = common.conf

failregex = ^%(__prefix_line)s[-._\w]+: hold: header Received: from [-._\w]+ \(unknown \[<HOST>]\)\?\?by host.yourdomain.com \(Postfix\) with ESMTP id [-._\w]+\?\?for <(?:username1|username2|username3)@yourdomain.com>
Post Reply