From: "Sandy Drobic"
Uh, what's with the huge list of cc recipients?!?
That was for the benefit of my staff to explain to them that these problems don't fix themselves... ;-)
Okay...
Though you should be aware that placing check_recipient_access first in the order of the restrictions needs a bit of discipline. Don't EVER use a restriction above "reject_unauth_destination" that returns "OK" or "PERMIT" for any kind of value that a sender can control, like the sender address. In this case it is safe, because you only use it to reject a recipient.
If your restrictions start to become complicated you should use those restrictions only behind reject_unauth_destination. It might save you one day when you configure a restriction carelessly that returns "OK", accepting the mail. If you do that above "reject_unauth_destination" you have an open relay...
Good info ... Done
What is going on? What is the best way to stop it without killing all my mail sending/receiving ability? Right now I have blocked port 25 on the router and this stops the attack. Earlier I also blocked port 25 with shorewall. That works also. Stopping postfix also works. But each of those takes my mail system down. Obviously this is not good.
It is probably the long awaited spam run of the Sober.Z virus.
In any case, it is some kind of joe-job where a spammer has used this address as the sender address. The real mailservers connecting to you were all sending you bounces because they were too stupid to verify the recipient address, accepted the spam mail and later are bouncing the stuff back to you after they found out that the recipient address was invalid. It's backscatter... :-((
So far there is no log entry indicating that the smtpd_hard_error_limit has taken effect. Such a log entry would look like this:
Jan 5 17:24:21 spamkill postfix/smtpd[21946]: too many errors after RCPT from unknown[63.208.149.18]
Jan 5 17:24:28 spamkill postfix/smtpd[21946]: too many errors after RCPT from unknown[202.155.36.187]
Jan 5 17:24:39 spamkill postfix/smtpd[21946]: too many errors after RCPT from unknown[222.136.67.240]
Especially the last sober virus ran a dictionary attack that would only stop after $smtpd_hard_error_limit.
[root@bonza david]# postconf -n
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandrake Linux)
smtpd_hard_error_limit = 3
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_recipient_access hash:/etc/postfix/recipient_check
unknown_local_recipient_reject_code = 550

Dunno?, it is set......... and I did a postfix reload?
I guess the smtp_skip_5xx_greeting = 554 is just as good as the 550.
I don't understand that one..
You're right, it is a (yes/no) parameter, but here is what I meant... After setting unknown_local_recipient_reject_code = 550, but before setting the check_recipient_access hash:/etc/postfix/recipient_check, the unknown_local_recipient_reject_code was rejecting with 550. After setting check_recipient_access hash:/etc/postfix/recipient_check, the reject code was shown as 554 (see below). Additional reading (after you pointed me in the right direction) revealed that smtp_skip_5xx_greeting meant (go away and don't try again). So what I meant was I guess the reject code of 554 has the same effect as 550 (both meaning go away and don't try again).
Jan 5 16:23:41 bonza postfix/smtpd[15305]: connect from ms.kovovyroba-hoffmann.cz[217.112.175.4]
Jan 5 16:23:42 bonza postfix/smtpd[15305]: NOQUEUE: reject: RCPT from ms.kovovyroba-hoffmann.cz[217.112.175.4]: 554 : Recipient address rejected: Access denied; from=<> to= proto=ESMTP helo=
Jan 5 16:23:42 bonza postfix/smtpd[15305]: disconnect from ms.kovovyroba-hoffmann.cz[217.112.175.4]
Thanks again!
--
David C. Rankin, J.D., P.E.
RANKIN LAW FIRM, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
(936) 715-9339 fax
www.rankinlawfirm.com
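To make Sandy's ordering warning concrete, here is an added example (not from this thread) that models in Python how Postfix walks smtpd_recipient_restrictions: the first restriction returning OK or REJECT decides, DUNNO falls through, and an exhausted list means accept. An access map that can return OK placed above reject_unauth_destination relays mail for anyone who forges a whitelisted sender; the order in David's postconf output (access map below reject_unauth_destination) does not. The networks, domains and map contents are constructed stand-ins for mynetworks, mydestination and the hash: tables.

```python
import ipaddress

# Constructed stand-ins for mynetworks / mydestination and for hash: access maps.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
MYDESTINATION = {"example.com", "localhost"}          # domains this server is final destination for
RECIPIENT_CHECK = {"oldaddress@example.com": "REJECT"} # like the page's recipient_check: reject only
SENDER_ACCESS = {"partner.example": "OK"}              # a careless whitelist keyed on a forgeable sender domain

def permit_mynetworks(client, sender, rcpt):
    return "OK" if any(ipaddress.ip_address(client) in n for n in MYNETWORKS) else "DUNNO"

def reject_unauth_destination(client, sender, rcpt):
    # Relay decision: recipient domain must be one we are responsible for.
    return "DUNNO" if rcpt.split("@", 1)[1] in MYDESTINATION else "REJECT"

def check_recipient_access(client, sender, rcpt):
    return RECIPIENT_CHECK.get(rcpt, "DUNNO")

def check_sender_access(client, sender, rcpt):
    # Bounces arrive with the null sender (from=<> in the page's log); Postfix looks that up as "<>".
    if not sender:
        return SENDER_ACCESS.get("<>", "DUNNO")
    # Postfix tries the full address first, then the domain part.
    return SENDER_ACCESS.get(sender, SENDER_ACCESS.get(sender.split("@", 1)[1], "DUNNO"))

def evaluate(restrictions, client, sender, rcpt):
    """Walk the restriction list Postfix-style: first OK/REJECT wins, DUNNO continues, end = permit."""
    for restriction in restrictions:
        verdict = restriction(client, sender, rcpt)
        if verdict != "DUNNO":
            return verdict
    return "OK"

# A map that can return OK sits above the relay check: an open relay for forged senders.
UNSAFE = [permit_mynetworks, check_sender_access, reject_unauth_destination, check_recipient_access]
# The page's order, with the sender map kept below reject_unauth_destination where OK can only
# affect mail we would accept anyway.
SAFE = [permit_mynetworks, reject_unauth_destination, check_recipient_access, check_sender_access]

if __name__ == "__main__":
    forged = ("203.0.113.7", "spammer@partner.example", "victim@elsewhere.example")
    print("unsafe order:", evaluate(UNSAFE, *forged))  # OK: relayed
    print("safe order:  ", evaluate(SAFE, *forged))    # REJECT
```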