1 (edited by SteveInAkron 2016-09-15 11:38:51)

Topic: Got hit by a dictionary attack - iRedMail survived fine.

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Ubuntu 14.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes, v2.1.3 (MySQL)

About 2PM EST yesterday 13-Sep-2016, the server started showing a lot of these types of messages in the log where the from= and to= were the same as below (I've hidden the domain name). The filtering I have in place took care of most of the hits, and fail2ban did the rest.

iredmail postfix/smtpd[24204]: NOQUEUE: reject: RCPT from unknown[]: 554 5.7.1 <unknown[]>: ..... ; from=<abab61n@****> to=<abab61n@****> proto=ESMTP helo= .....

I ended up with a bit more than 1500 IPs banned in 24 hours. I ran the following grep on the mail log to get a list of IPs that were participating, and was surprised to get more than 15000 IPs. Someone has a very large SPAM operation.

grep -E "from=(<[a-zA-Z0-9.-]+@****>)\ +to=\1" < /var/log/mail.log | grep -o -E "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort | uniq -c > bad_ip_list.txt

None of the 300+ customers (probably closer to 500, but I don't know how many are actively being used like the postmaster or webmaster accounts etc), or 50+ other domains complained about not being able to get email. The only thing that alerted me to a problem was the following logwatch entry below that I have never seen. I actually thought I might have done something accidentally.

--------------------- Postfix Begin ------------------------

        2   *Warning: Process limit reached, clients may delay

Yes, I checked, and my process limit is still set at 100.

Note this log entry was at about the 2/3 point of the attack. I'm not sure what tomorrow's log will show, but I'll post if it's interesting.

Now I have a list of IPs that were part of the attack, any ideas what to do with them? I'm thinking of feeding them to iptables for a week or so, but I doubt it would do much good.
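As an added example (not the poster's own script), the same detection as the grep pipeline above, but as a small Python parser that runs over constructed Postfix reject lines, counts the self-addressed (from == to) rejects per client IP, and produces a ban-candidate list once an IP crosses a threshold. The log lines, the domain example.test, the documentation-range IPs and the function names are all assumptions made for the example; the line layout follows the NOQUEUE reject line quoted in the post.

```python
import re
from collections import Counter

# Constructed sample log lines in the Postfix smtpd format quoted above.
# Domain, IPs and local parts are placeholders, not real data.
SAMPLE_LOG = """\
Sep 13 14:01:02 iredmail postfix/smtpd[24204]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <unknown[203.0.113.5]>: Client host rejected; from=<abab61n@example.test> to=<abab61n@example.test> proto=ESMTP helo=<mail>
Sep 13 14:01:03 iredmail postfix/smtpd[24205]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <unknown[203.0.113.5]>: Client host rejected; from=<zzq9@example.test> to=<zzq9@example.test> proto=ESMTP helo=<mail>
Sep 13 14:01:04 iredmail postfix/smtpd[24206]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <unknown[198.51.100.7]>: Client host rejected; from=<bob12@example.test> to=<bob12@example.test> proto=ESMTP helo=<mail>
Sep 13 14:01:05 iredmail postfix/smtpd[24207]: NOQUEUE: reject: RCPT from mx.partner.test[192.0.2.9]: 554 5.7.1 <alice@other.test>: Recipient address rejected; from=<alice@other.test> to=<nobody@example.test> proto=ESMTP helo=<mx.partner.test>
Sep 13 14:01:06 iredmail postfix/smtpd[24208]: connect from unknown[203.0.113.5]
"""

# Matches an smtpd NOQUEUE reject, capturing the client IPv4 and the envelope addresses.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:"
    r".*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_reject(line):
    """Return (client_ip, sender, recipient) for a reject line, or None for other lines."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("sender").lower(), m.group("rcpt").lower()


def count_self_addressed(lines, domain):
    """Count, per client IP, rejects where sender == recipient in the protected domain.

    This is the from=<x@domain> to=<x@domain> pattern the post describes; ordinary
    rejects (different sender and recipient) are not counted, so a legitimate
    remote MX that trips one rejection does not end up on the list.
    """
    counts = Counter()
    suffix = "@" + domain.lower()
    for line in lines:
        parsed = parse_reject(line)
        if parsed is None:
            continue
        ip, sender, rcpt = parsed
        if sender == rcpt and sender.endswith(suffix):
            counts[ip] += 1
    return counts


def ban_candidates(counts, threshold=1):
    """IPs whose self-addressed reject count reached the threshold, sorted."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = count_self_addressed(SAMPLE_LOG.splitlines(), "example.test")
    # Same shape as the `sort | uniq -c` output in the post: count then IP.
    for ip, n in hits.most_common():
        print(f"{n:7d} {ip}")
    print("candidates:", ban_candidates(hits, threshold=2))
```

Run against a real /var/log/mail.log by replacing SAMPLE_LOG.splitlines() with the opened file; the threshold keeps a single stray hit from an otherwise well-behaved host off the list, which is the main thing the raw uniq -c output does not give you.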


Re: Got hit by a dictionary attack - iRedMail survived fine.

Spammers like this usually try from lots of different IPs to avoid being banned.

The most important point is always forcing your end users to use a strong password. Fail2ban helps a lot in this case, but as you can see, the spammer has lots of IP addresses to try to crack your passwords, so the final step is the users' strong passwords.


Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?
