Email server botnet attacks

hostmart
Junior Member
Posts: 24
Joined: 04 Mar 2009, 23:34

Email server botnet attacks

Post by hostmart »

Hi

I have an email server being dictionary attacked by a botnet of over 1000 bots and am trying to find a permanent solution.

I tried limiting port 25 to only AU and GB. It stopped the botnet, but it also stopped mail from other countries, so I had to remove it this morning and the bots are now back.
Is there a way to limit email login to only those countries without affecting mail received?

Cheers
Sean
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Email server botnet attacks

Post by ForumAdmin »

There aren't any easy solutions to it.

On a cPanel server, you should enable LF_DISTATTACK and LF_SMTPAUTH if you haven't already.

Also on cPanel, we've had success enabling WHM > Exim Configuration Manager > Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server. This should not affect legitimate email clients, but does appear to stymie the bots, though clients may need to enable secure SMTP connections.
hostmart
Junior Member
Posts: 24
Joined: 04 Mar 2009, 23:34

Re: Email server botnet attacks

Post by hostmart »

Hi
I have LF_DISTATTACK and LF_SMTPAUTH.
SSL isn't really an option; my customers are mostly computer illiterate and would panic.
My problem has been that the number of IPs in the botnet exceeds what the firewall could handle, so as new bot IPs were added to the block list, other bots were dropped off and then used again by the attacker. I have managed the problem using cphulk together with csf, with cphulk set with really tight numbers.
Setting port 26 to only the countries of my users stopped them dead, but stopped some mail and all the spam.
I already have ftp port 21 set up that way and now have no attacks at all via ftp.
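
An added example, not part of any post in this thread and not csf's or cPHulk's own code: a sketch of per-account detection for the distributed pattern described above, where each bot IP fails only once or twice and so stays under a per-IP limit. The Exim log line format, the sample addresses and all function names are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of Exim's main log (addresses are documentation ranges).
SAMPLE_LOG = """\
2009-03-05 09:00:01 dovecot_login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=sales@example.com)
2009-03-05 09:00:40 dovecot_login authenticator failed for (User) [203.0.113.21]: 535 Incorrect authentication data (set_id=sales@example.com)
2009-03-05 09:01:15 dovecot_login authenticator failed for (User) [192.0.2.88]: 535 Incorrect authentication data (set_id=sales@example.com)
2009-03-05 09:01:50 dovecot_login authenticator failed for (User) [198.51.100.45]: 535 Incorrect authentication data (set_id=sales@example.com)
2009-03-05 09:02:10 dovecot_login authenticator failed for (pc1) [192.0.2.10]: 535 Incorrect authentication data (set_id=bob@example.com)
2009-03-05 09:02:30 dovecot_login authenticator failed for (pc1) [192.0.2.10]: 535 Incorrect authentication data (set_id=bob@example.com)
2009-03-05 09:03:00 1LfAbc-0001yz-Ab <= alice@example.net H=mail.example.net [192.0.2.200] P=esmtp S=2048
"""

FAILED_AUTH = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed for "
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?: 535 .*\(set_id=(?P<account>[^)]+)\)"
)

def parse_failures(log_text):
    """Return (timestamp, ip, account) for every failed SMTP AUTH line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_AUTH.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            failures.append((ts, m["ip"], m["account"].lower()))
    return failures

def distributed_targets(failures, min_ips=3, window=timedelta(minutes=5)):
    """Map each account hit from >= min_ips distinct IPs within `window` to those IPs."""
    by_account = defaultdict(list)
    for ts, ip, account in sorted(failures):
        by_account[account].append((ts, ip))
    flagged = {}
    for account, events in by_account.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            ips = {ip for _, ip in events[start:end + 1]}
            if len(ips) >= min_ips:
                flagged.setdefault(account, set()).update(ips)
    return flagged

def max_failures_per_ip(failures):
    """Highest failure count for any single IP; what a per-IP limit would see."""
    return max(Counter(ip for _, ip, _ in failures).values(), default=0)
```

On the constructed sample, no single IP fails more than twice, yet one account is flagged because four different addresses target it inside two minutes.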