SPAM Mailers attack a ISPConfig Server

Discussion in 'Installation/Configuration' started by vaio1, Apr 20, 2012.

  1. vaio1

    vaio1, ISPConfig Developer

    Hi Guys,

    I have set up the mail server as written in the Perfect Setup (multiserver configuration). I have set up fail2ban in this way:

    /etc/fail2ban/filter.d/dovecot-pop3imap.conf
    Code:
    [Definition]
    failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Discon$
    ignoreregex =
    
    /etc/fail2ban/filter.d/postfix.conf
    Code:
    # Fail2Ban configuration file
    #
    # Author: Cyril Jaquier
    #
    # $Revision: 728 $
    #
    
    [Definition]
    
    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values:  TEXT
    #
    
    failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
                reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
                reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
    
    
    /etc/fail2ban/filter.d/sasl.conf
    Code:
    # Fail2Ban configuration file
    #
    # Author: Yaroslav Halchenko
    #
    # $Revision: 728 $
    #
    
    [Definition]
    
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values: TEXT
    #
    
    #failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
    
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
    
    I have received thousands of DEFERRED emails from various IP addresses with different email addresses.

    I would like to share SMTP only with registered users, as mentioned in your Perfect Setup Server, but I don't understand why it doesn't work as well.

    thanks
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You mix up several things here. Fail2ban is software to block brute-force password attacks, e.g. on SMTP accounts; deferred emails are not brute-force password attacks.

    That's what your setup is doing at the moment: only users that are logged in with SMTP can send emails through your server.

    So you are seeking in the wrong direction at the moment. To find out what is really happening you have to explain where you see the deferred emails: are they listed in the mail queue (please post an excerpt of "postqueue -p") or do you get these emails in a mailbox?
     
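To illustrate the point above that these filters only react to authentication failures and rejected RCPT commands, here is an added Python example (not from the thread and not ISPConfig or fail2ban code) that runs the posted failregex lines, with <HOST> expanded to the alias quoted in the filter comments, over three constructed mail.log lines; the deferred-delivery line matches neither filter, so fail2ban never bans anything because of it.

```python
import re

# fail2ban's documented expansion of the <HOST> tag (quoted from the filter comments).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The active failregex lines from the sasl.conf and postfix.conf filters in the thread.
SASL_FAILREGEX = [
    r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
]
POSTFIX_FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
]

# Constructed sample log lines (documentation IPs, not real traffic):
# 0: SASL brute-force attempt, 1: rejected RCPT, 2: a deferred outbound delivery.
LOG = [
    "Apr 20 10:01:02 mail postfix/smtpd[1234]: warning: unknown[203.0.113.10]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Apr 20 10:01:05 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.11]: "
    "550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in virtual mailbox table; "
    "from=<x@12345.com> to=<nobody@example.com> proto=ESMTP helo=<mail.12345.com>",
    "Apr 20 10:02:00 mail postfix/smtp[1300]: ABCDEF1234: to=<victim@12345.com>, relay=none, "
    "delay=0.2, delays=0.1/0/0/0, dsn=4.4.1, status=deferred "
    "(connect to mx.12345.com[198.51.100.5]:25: Connection refused)",
]


def compile_filter(patterns):
    """Expand <HOST> the way fail2ban does and compile each failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def matched_hosts(patterns, log_lines):
    """Return (line_index, host) for every line a filter would count as a failure."""
    regexes = compile_filter(patterns)
    hits = []
    for i, line in enumerate(log_lines):
        for rx in regexes:
            m = rx.search(line)
            if m:
                hits.append((i, m.group("host")))
                break
    return hits


def unmatched_lines(log_lines):
    """Indexes of lines that neither filter sees, i.e. lines fail2ban ignores entirely."""
    seen = {i for i, _ in matched_hosts(SASL_FAILREGEX, log_lines)}
    seen |= {i for i, _ in matched_hosts(POSTFIX_FAILREGEX, log_lines)}
    return [i for i in range(len(log_lines)) if i not in seen]
```

On the server itself, fail2ban ships fail2ban-regex for the same check against the real log, e.g. fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf.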
  3. vaio1

    vaio1, ISPConfig Developer

    Hi Till,

    Both. I can see some emails in the deferred folders on the mail server and other emails in the Outlook inbox folder.

    The emails have a domain like [number].com.

    Screenshot
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    If you see these deferred emails just coming into your server, then someone misuses an email address that has its mailbox on your server as the sender address for spam emails. So it's not your server that sends the emails; your server just receives the undelivered messages. In such a case there is not much that you can do against it when the emails are not sent through your server; it will most likely stop after a day or two.

    You can verify that by inspecting the headers of the undelivered messages; they should contain the delivery path. If the original server that sent the emails is not your server, then it is the scenario that I explained above.
     
