Possible SMTPAUTH Attack Solution

wantsomegetsome
Junior Member
Posts: 7
Joined: 25 Jun 2015, 17:28

Possible SMTPAUTH Attack Solution

Post by wantsomegetsome »

Long ago my dial-up ISP told me to ensure I check POP before trying to send mail. Most e-mail applications do this in that order.

How about monitoring successful POP3/IMAP logins and immediately adding the IP to, say, /etc/csf/csf.smtpauthallow for X hours/days (configurable)?

Then only advertising SMTPAUTH to IP addresses that are listed in /etc/csf/csf.smtpauthallow

I understand that if someone tries to send e-mail on their first login it might fail due to the time it would take to add the IP to /etc/csf/csf.smtpauthallow. After that first login, though, I would leave the IP in /etc/csf/csf.smtpauthallow for a month or two. One SMTP login failure per month per account is a small price to pay to stop these thousands of SMTPAUTH attempts every day.

I'm getting about 5,000 per day. It's only a problem on some days between 12-3 am when a load of them all happen at once and csf can't keep up with the blocks overloading the server. I have to kill them, stop csf, and wait a while.

I have clients all over the world so I can't block SMTPAUTH for very many countries. I tried blocking a few countries and that caused problems for some of my clients. I wish I could just not advertise SMTPAUTH to anybody except the people who have already logged into POP3 or IMAP.
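The "POP-before-SMTP" allow-list the post describes, as an added example that is not the poster's code and not part of csf: it parses successful POP3/IMAP logins out of Dovecot-style log lines (the sample lines below are constructed), renews each client IP for a configurable TTL, drops expired entries, and renders the plain one-IP-per-line file that csf expects for its SMTP AUTH allow list. The log format, the expiry state file and the `build_allowlist`/`render_smtpauth` names are assumptions for the example; the thread itself mentions only /etc/csf/csf.smtpauth and /etc/relayhosts.

```python
import re
from datetime import datetime, timedelta, timezone

# Dovecot-style login lines (assumed format; these sample lines are constructed).
# The third line is an auth failure and must NOT earn the IP an entry.
SAMPLE_LOG = """\
Jun 25 01:10:03 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, mpid=4120, TLS
Jun 25 01:12:44 mail dovecot: pop3-login: Login: user=<bob@example.org>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2, mpid=4133, TLS
Jun 25 01:13:09 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 7 secs): user=<admin>, method=PLAIN, rip=192.0.2.200, lip=198.51.100.2, TLS
Jun 25 02:30:00 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, mpid=4201, TLS
"""

# Only a successful "Login:" event matches; "Disconnected (auth failed ...)" does not.
LOGIN_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?P<proto>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>, .*?rip=(?P<ip>[0-9a-fA-F.:]+)"
)


def parse_logins(lines, year):
    """Return {client_ip: time of its most recent successful POP3/IMAP login}."""
    seen = {}
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        # syslog lines carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        ip = m.group("ip")
        if ip not in seen or ts > seen[ip]:
            seen[ip] = ts
    return seen


def build_allowlist(existing, logins, now, ttl_hours):
    """Merge new logins into {ip: expiry} state and drop anything already expired.

    Every fresh login renews the IP for ttl_hours, so an active client never
    falls out; an IP that stops authenticating (or a dynamic address handed to
    someone else) is dropped once the TTL passes."""
    state = dict(existing)
    for ip, ts in logins.items():
        expiry = ts + timedelta(hours=ttl_hours)
        if ip not in state or expiry > state[ip]:
            state[ip] = expiry
    return {ip: exp for ip, exp in state.items() if exp > now}


def render_smtpauth(state):
    """csf.smtpauth content: one IP per line (assumed to accept a leading # comment)."""
    body = "\n".join(sorted(state))
    return "# generated from recent POP3/IMAP logins; rewritten on every run\n" + body + "\n"


# Fixed "now" so the example is reproducible: 24h TTL, checked the next morning.
SAMPLE_NOW = datetime(2015, 6, 26, 2, 0, tzinfo=timezone.utc)


def demo(ttl_hours=24):
    logins = parse_logins(SAMPLE_LOG.splitlines(), year=2015)
    live = build_allowlist({}, logins, SAMPLE_NOW, ttl_hours)
    return live, render_smtpauth(live)


if __name__ == "__main__":
    live, text = demo()
    print(text, end="")
    # bob's 01:12 login has expired by 02:00 the next day; alice's 02:30 login has not
```

In production the state dict would be persisted between runs (for example as JSON next to the allow file) and the rendered text written to /etc/csf/csf.smtpauth; as the later posts in this thread note, csf and lfd still have to be restarted for Exim to pick up the new list, so the script would be run from cron at whatever interval the restart cost allows.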

Re: Possible SMTPAUTH Attack Solution

Post by wantsomegetsome »

Ok. I'm thinking I could...

1) Enable SMTPAUTH_RESTRICT in csf

2) Make exim config changes as outlined in /etc/csf/readme.txt

3) Symlink /etc/csf/csf.smtpauth to /etc/relayhosts

I'm going to wait a day before I try this to see if anyone has any warnings/suggestions before I give it a try.

Re: Possible SMTPAUTH Attack Solution

Post by wantsomegetsome »

Got excited and tried it out early.

It partially worked.

Stopped the smtpauth attack & e-mails and I was still able to send e-mail.

The problem is that csf & lfd must be restarted every time /etc/relayhosts changes in order to put the IPs in /etc/exim.smtpauth.

So if someone authenticates using POP/IMAP and tries to send e-mail, they will not be able to until I restart csf & lfd.

It takes about 5 minutes to restart (I have a lot of blocks).

I'm going to set csf & lfd to restart every 30 minutes and see how many complaints I get on a 2,000 hosted domain server.

Re: Possible SMTPAUTH Attack Solution

Post by wantsomegetsome »

I ended up enabling FASTSTART in csf.conf

I lowered DENY_IP_LIMIT to 2000.

csf restarts in about 8 seconds.

So, I set up a cron job to restart lfd & csf every 10 minutes.

My firewall is down for about 8 seconds every 10 minutes while it is restarting which increases risk.



I edited /usr/sbin/antirelayd to set the IPs to expire after 24 hours.

This opens up an IP to relaying for 24 hours which increases risk if someone else should get that IP during that time period.



Over 16 hours I have received 1 complaint on a 2000 domain server about SMTP and that user closed the ticket before I could answer it.

I don't know if I'll leave it this way. At least there is something to do when SMTP AUTH attacks get so bad the server doesn't work.