Mail server attack
Posted on November 11, 2007
Filed Under Exim mail server, Mail Server administration
Stopping an attack on Exim
Attacks on mail servers are pretty common and can lead to mail server outages and even entire server outages.
Common types of attack
There are two common forms of attack …
Dictionary attack
Email sent to non-existent addresses whose local part is a random string of letters (such as dkfjg @ thedomain.com or abcdef @ thedomain.com). This is a very common form of spamming; it also covers email sent to plausible-looking names generated by the spamming software used to conduct such attacks.
To reduce the impact of these attacks and cut them short, follow the methods detailed in Section 1 below.
Spoofing attack
This is where someone spoofs one of your client accounts’ email addresses as the sender and sends thousands of spam messages around the net. Many of these are rejected by recipient mail servers that employ good anti-spam solutions, and the rejects (bounces) are sent back to the spoofed address (often a non-existent address, but sometimes an existing mail account).
To reduce the impact of these attacks, you would have to at least set a low mailbox quota (say a maximum of 100 MB) to prevent complete flooding. Then ensure that Exim is configured to reject at SMTP time any mail sent to a full mailbox, because this mailbox is certain to fill completely with the high volume of bounces that this attack produces. If you have the benefit of cPanel and WHM you can make this setting by opening the Exim Configuration Editor (Service Configuration > Exim Configuration Editor in the left-hand pane of WHM) and checking the box marked …
Reject email at SMTP time for users who have exceeded their quota rather than keeping it in the queue. This is probably a good idea, but it does mean people will lose mail so its not on by default.
Click the save button and Exim will be reconfigured and restarted for the change to take effect**. Now follow the instructions in Section 1 to handle the attack.
**The setting needed in Exim (if you don’t have the benefit of WHM’s Exim Configuration Editor) is as follows …
virtual_user_maildir_overquota:
driver = redirect
condition = "${perl{checkuserquota}{$domain}{$local_part}{$message_size}}"
user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
domains = lsearch;/etc/userdomains
data = :fail:Mailbox quota exceeded
allow_fail
… which should be added at the beginning of the section called DIRECTORS CONFIGURATION.
The alternative is to delete the mail account until the rejects subside, so that such mail would be sent to the default/catchall address. You can then follow the instructions in Section 1 to handle the attack.
Section 1
If you’re undergoing a mail attack that can be deterred by setting an appropriate catchall (default) address
Where substantial amounts of email are targeting non-existent addresses, it is obviously preferable to set the catchall (default) address to :fail:, as this causes the MTA (mail transfer agent, usually Exim) to reject the email at SMTP time, meaning the mail server refuses to accept and process it at all. Many users set the catchall/default address to :blackhole:, but the MTA handles this by accepting the message and then deleting it, which still consumes resources, whereas :fail: does not. Other users set the default/catchall address to another email address, either in their own account or a remote address, but either of these also consumes resources.
So, if you are under such an attack it is obviously preferable to change the default/catchall addresses very quickly to preserve resources and prevent your MTA from going down.
Check if any users are using anything other than :fail: for default/catchall address
To be sure that you need to make any changes, it’s best to see whether anyone is using anything other than the desired :fail: setting. You can find this out by running this command in SSH …
grep '*:' /etc/valiases/* | egrep -v ':fail:'
… if you see no results then all accounts are using :fail: but otherwise you will see a list of all domains which use :blackhole: or have an address set for the default/catchall setting.
Backup all valiases files
You can change all settings that are not already :fail:, but it would be a good idea to back up the valiases files before doing so, so that you can restore the settings when the attack subsides. So copy the entire valiases folder to a backup folder for later retrieval – to do this run these two commands in SSH …
mkdir /etc/valiasesbackup
… this creates the backup folder, and …
cp -p /etc/valiases/* /etc/valiasesbackup
… this copies all files in the valiases folder to the backup folder.
Change all default/catchall addresses from :blackhole: to :fail:
Then to change all default addresses to :fail: we’ll need to run two commands, one to change any :blackhole: settings and the other to change any default addresses that forward to another email address. First run this command in SSH (replace is the search-and-replace utility shipped with MySQL) …
replace ':blackhole:' ':fail:' -- /etc/valiases/*
… this will change any :blackhole: setting to the desired :fail: setting.
Change all default/catchall addresses to :fail:
Then the second command …
sed -i 's/^\*: [^ ]*$/*: :fail: ADDRESS DOES NOT EXIST/g' /etc/valiases/*
… this will change any setting which sends the unrouted mail to another email address to the desired :fail: setting.
Now, running this command again should reveal no results because we have just changed all settings to :fail: …
grep '*:' /etc/valiases/* | egrep -v ':fail:'
Restore valiases files
Once the attack is over, you can then copy the backed up valiases files to their usual place, run this command from SSH …
cp -p --reply=yes /etc/valiasesbackup/* /etc/valiases
… all done. And this should only take about a minute to complete, depending on your typing or copy and paste skills.
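The whole Section 1 procedure (check, back up, rewrite to :fail:, restore) as an added, self-contained rehearsal script that is not part of the original post. It works on a constructed temporary copy of the valiases layout (one file per domain, default address on the line beginning "*: ") rather than /etc/valiases, and uses sed for the :blackhole: rewrite instead of the MySQL replace utility.

```shell
#!/bin/sh
# Added example: rehearse the catchall hardening steps offline on a
# constructed copy of /etc/valiases. Paths below are assumptions.
set -e

VALIASES=$(mktemp -d)      # stands in for /etc/valiases
BACKUP="$VALIASES.backup"  # stands in for /etc/valiasesbackup

# Constructed sample files: one forwards, one blackholes, one already fails.
printf '*: forward@example.net\n' > "$VALIASES/forward.example"
printf 'sales: bob@example.org\n*: :blackhole:\n' > "$VALIASES/blackhole.example"
printf '*: :fail: No Such User Here\n' > "$VALIASES/ok.example"

# Count domains whose default address is anything other than :fail:
# (the post's grep ... | egrep -v ':fail:' check, as a number).
count_non_fail() {
    grep '^\*:' "$1"/* | grep -v ':fail:' | wc -l | tr -d ' '
}

# Back up, then rewrite every default address to :fail:, as in the post.
harden_defaults() {
    mkdir -p "$2"
    cp -p "$1"/* "$2"
    # :blackhole: -> :fail:
    sed -i 's/:blackhole:/:fail:/' "$1"/*
    # forwards to a real address -> :fail: (same regex as the post)
    sed -i 's/^\*: [^ ]*$/*: :fail: ADDRESS DOES NOT EXIST/' "$1"/*
}

# Restore the backed-up files once the attack subsides.
restore_defaults() {
    cp -p "$2"/* "$1"
}
```

Point VALIASES and BACKUP at the real directories only after the dry run looks right; the two sed lines are in-place edits.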