1 (edited by SteveInAkron 2016-09-15 11:38:51)

Topic: Got hit by a dictionary attack - iRedMail survived fine.

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Ubuntu 14.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes, v2.1.3 (MySQL)
====

About 2PM EST yesterday, 13-Sep-2016, the server started showing a lot of messages of this type in the log, where the from= and to= were the same, as below (I've hidden the domain name). The filtering I have in place took care of most of the hits, and fail2ban did the rest.

iredmail postfix/smtpd[24204]: NOQUEUE: reject: RCPT from unknown[58.187.8.162]: 554 5.7.1 <unknown[58.187.8.162]>: ..... ; from=<abab61n@****> to=<abab61n@****> proto=ESMTP helo= .....

I ended up with a bit more than 1500 IPs banned in 24 hours. I ran the following grep on the mail log to get a list of IPs that were participating, and was surprised to get more than 15000 IPs. Someone has a very large SPAM operation.

grep -E "from=(<[a-zA-Z0-9.-]+@****>)\ +to=\1" < /var/log/mail.log | grep -o -E "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort | uniq -c > bad_ip_list.txt

None of the 300+ customers (probably closer to 500, but I don't know how many are actively being used, like the postmaster or webmaster accounts etc.), or 50+ other domains complained about not being able to get email. The only thing that alerted me to a problem was the following logwatch entry below, which I have never seen. I actually thought I might have done something accidentally.

--------------------- Postfix Begin ------------------------

        2   *Warning: Process limit reached, clients may delay

Yes, I checked, and my process limit is still set at 100.

Note this log entry was at about the 2/3 point of the attack. I'm not sure what tomorrow's log will show, but I'll post if it's interesting.

Now I have a list of IPs that were part of the attack, any ideas what to do with them? I'm thinking of feeding them to iptables for a week or so, but I doubt it would do much good.

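The grep above relies on an ERE backreference to spot the from=/to= equality; here is the same detection written out as an added example (not the poster's own tooling) that parses the Postfix reject lines, counts self-addressed RCPT rejects per client IP, and renders an ipset restore script with a one-week timeout as one way to act on the list. The log lines, IPs and domain below are constructed, and the set name "dictbots" is hypothetical.

```python
import re
from collections import Counter

# Matches the Postfix smtpd reject lines quoted above: the client IP in
# brackets plus the envelope sender and recipient.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def self_addressed_rejects(lines):
    """Count, per client IP, rejected RCPTs whose sender equals the recipient.

    That equality is the fingerprint of the run in the post: the bot guesses a
    mailbox and uses the same guess as the envelope sender."""
    hits = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m and m["sender"] and m["sender"].lower() == m["rcpt"].lower():
            hits[m["ip"]] += 1
    return hits

def ipset_restore(hits, min_hits=1, setname="dictbots"):
    """Render an `ipset restore` script for every IP seen at least min_hits times.

    The set name is hypothetical. The timeout (seconds) gives each entry the
    week-long lifetime the post considers, so bans expire on their own; feed the
    output to `ipset restore -exist` and match the set from an iptables rule."""
    out = [f"create {setname} hash:ip timeout 604800"]
    for ip, n in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])):
        if n >= min_hits:
            out.append(f"add {setname} {ip}")
    return "\n".join(out) + "\n"

# Constructed sample log lines (documentation IP ranges, example domains).
SAMPLE_LOG = """\
Sep 13 14:02:11 iredmail postfix/smtpd[24204]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <unknown[198.51.100.7]>: Client host rejected; from=<abab61n@example.net> to=<abab61n@example.net> proto=ESMTP helo=<mail>
Sep 13 14:02:12 iredmail postfix/smtpd[24204]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <unknown[198.51.100.7]>: Client host rejected; from=<abac01@example.net> to=<abac01@example.net> proto=ESMTP helo=<mail>
Sep 13 14:02:13 iredmail postfix/smtpd[24210]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <unknown[203.0.113.9]>: Client host rejected; from=<zzz@example.net> to=<zzz@example.net> proto=ESMTP helo=<mail>
Sep 13 14:02:14 iredmail postfix/smtpd[24211]: NOQUEUE: reject: RCPT from mx.example.org[192.0.2.5]: 554 5.7.1 <bob@example.org>: Recipient address rejected; from=<bob@example.org> to=<nobody@example.net> proto=ESMTP helo=<mx.example.org>
"""

if __name__ == "__main__":
    # Require two self-addressed rejects before listing an IP, to skip one-off noise.
    print(ipset_restore(self_addressed_rejects(SAMPLE_LOG.splitlines()), min_hits=2))
```

A legitimate rejection with differing sender and recipient (the last sample line) is deliberately not counted, so ordinary bounces and typos do not end up in the block set.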

2

Re: Got hit by a dictionary attack - iRedMail survived fine.

Spammers like this usually try from lots of different IPs to avoid being banned.

The most important point is always forcing your end users to use a strong password. Fail2ban helps a lot in this case, but as you can see, the spammer has lots of IP addresses to try to crack your password, so the final step is the user's strong password.

3

Re: Got hit by a dictionary attack - iRedMail survived fine.

Please kindly help: my iRedAdmin gets lots of bothersome mails from Chinese senders every day, so I want to block them. What should I do?