Koozali.org: home of the SME Server

email hog [effectively SOLVED]

Offline piran

email hog [effectively SOLVED]
« on: March 02, 2012, 08:46:21 PM »
Yesterday a Chinese IP fired continuous sequential email
attempts at my static IP for about an hour and a half.
Throughput of some 4,000 email attempts per hour was
maintained over my 'domestic' broadband connection.

SME7.5.1 easily handled this episode:-)

Normally I have this set up...
config setprop qmail ConcurrencyRemote 1
...to slow down anything involving multiplicity
and clogging up our very limited 'bandwidth'.

The log is continuous for the episode, not sure if it
stopped anyone else getting in contact. There was
one single 'Accepted connection 0/40' in the log
throughout the episode so I assume the Chinese IP
hogged the one single remote transaction configured.

Not sure of the how or why of this episode but would
like to know if I have any options other than to simply
watch it all happen and/or block each and every IP.

Is there a way of limiting the number of 'RCPT TO:'
attempts in the same 'Accepted connection 0/40'?
Alternatively is there a way of forcing separate
call setups instead of allowing such brute force
apparent free rein? Some added earlyTalker delay
for each of those 5003 attempts might prove quite
costly for my unwelcome 'correspondent'.

The original perpetrator's IP is now blocked but I
would expect them to have access to many others.
I would like to 'prepare' for the next one should
there be one of course - any suggestions?

qpsmtpd log:
a) I don't think there is any intelligence to be had from the
specific variations of the prefix variations but if you think
there is do please let me know.
b) myserver.com | aaa.bbb.ccc.ddd | home.myserver.com
are vanilla substitutes to protect the entities involved but
otherwise everything else is as logged.
c) episode stats:
started: 2012-03-01 21:58:22
ended: 2012-03-01 23:20:30
duration: 1:22:08hrs
emails: 1
variations: 5003

2012-03-01 21:58:22.336490500 7488 Accepted connection 0/40 from aaa.bbb.ccc.ddd / Unknown
2012-03-01 21:58:22.336626500 7488 Connection from Unknown [aaa.bbb.ccc.ddd]
2012-03-01 21:58:22.338925500 7488 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2012-03-01 21:58:22.345446500 7488 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2012-03-01 21:58:22.363000500 7488 220 home.myserver.com ESMTP
2012-03-01 21:58:22.714405500 7488 dispatching EHLO x6x8-20101028IO
2012-03-01 21:58:22.717015500 7488 250-myserver.com Hi Unknown [aaa.bbb.ccc.ddd]
2012-03-01 21:58:22.717033500 7488 250-PIPELINING
2012-03-01 21:58:22.717048500 7488 250-8BITMIME
2012-03-01 21:58:22.717067500 7488 250-SIZE 75000000
2012-03-01 21:58:22.717087500 7488 250 STARTTLS
2012-03-01 21:58:23.626964500 7488 dispatching RSET
2012-03-01 21:58:23.627179500 7488 250 OK
2012-03-01 21:58:23.627213500 7488 dispatching MAIL FROM:<rffda@myserver.com>
2012-03-01 21:58:23.627306500 7488 full from_parameter: FROM:<rffda@myserver.com>
2012-03-01 21:58:23.659444500 7488 getting mail from <rffda@myserver.com>
2012-03-01 21:58:23.659490500 7488 250 <rffda@myserver.com>, sender OK - how exciting to get mail from you!
2012-03-01 21:58:23.659582500 7488 dispatching RCPT TO:<001-home@163.com>
2012-03-01 21:58:23.662267500 7488 check_goodrcptto plugin (rcpt): stripping '-' extensions
2012-03-01 21:58:23.821443500 7488 check_goodrcptto plugin (rcpt): recipient 001-home@163.com denied
2012-03-01 21:58:23.823533500 7488 logging::logterse plugin (deny): ` aaa.bbb.ccc.ddd Unknown x6x8-20101028IO <rffda@myserver.com> check_goodrcptto 901 relaying denied 001-home@163.com msg denied before queued
2012-03-01 21:58:23.823647500 7488 550 relaying denied 001-home@163.com
2012-03-01 21:58:23.823746500 7488 dispatching DATA
2012-03-01 21:58:23.824102500 7488 503 RCPT first
2012-03-01 21:58:24.485332500 7488 dispatching RSET
2012-03-01 21:58:24.485438500 7488 250 OK
2012-03-01 21:58:24.485497500 7488 dispatching MAIL FROM:<rffda@myserver.com>
2012-03-01 21:58:24.485570500 7488 full from_parameter: FROM:<rffda@myserver.com>
2012-03-01 21:58:24.514384500 7488 getting mail from <rffda@myserver.com>
2012-03-01 21:58:24.514427500 7488 250 <rffda@myserver.com>, sender OK - how exciting to get mail from you!
2012-03-01 21:58:24.514510500 7488 dispatching RCPT TO:<001-home@163.com>
2012-03-01 21:58:24.515799500 7488 check_goodrcptto plugin (rcpt): stripping '-' extensions
2012-03-01 21:58:24.585135500 7488 check_goodrcptto plugin (rcpt): recipient 001-home@163.com denied
2012-03-01 21:58:24.587261500 7488 logging::logterse plugin (deny): ` aaa.bbb.ccc.ddd Unknown x6x8-20101028IO <rffda@myserver.com> check_goodrcptto 901 relaying denied 001-home@163.com msg denied before queued
2012-03-01 21:58:24.587355500 7488 550 relaying denied 001-home@163.com
2012-03-01 21:58:24.587441500 7488 dispatching DATA
2012-03-01 21:58:24.587706500 7488 503 RCPT first
2012-03-01 21:58:25.563413500 7488 dispatching RSET
2012-03-01 21:58:25.563508500 7488 250 OK
2012-03-01 21:58:25.563567500 7488 dispatching MAIL FROM:<ers@myserver.com>
2012-03-01 21:58:25.563633500 7488 full from_parameter: FROM:<ers@myserver.com>
2012-03-01 21:58:25.592097500 7488 getting mail from <ers@myserver.com>
2012-03-01 21:58:25.592139500 7488 250 <ers@myserver.com>, sender OK - how exciting to get mail from you!
2012-03-01 21:58:25.592221500 7488 dispatching RCPT TO:<001-home@163.com>
2012-03-01 21:58:25.593536500 7488 check_goodrcptto plugin (rcpt): stripping '-' extensions
2012-03-01 21:58:25.662826500 7488 check_goodrcptto plugin (rcpt): recipient 001-home@163.com denied
2012-03-01 21:58:25.664696500 7488 logging::logterse plugin (deny): ` aaa.bbb.ccc.ddd Unknown x6x8-20101028IO <ers@myserver.com> check_goodrcptto 901 relaying denied 001-home@163.com msg denied before queued
2012-03-01 21:58:25.664788500 7488 550 relaying denied 001-home@163.com
2012-03-01 21:58:25.664862500 7488 dispatching DATA
2012-03-01 21:58:25.665134500 7488 503 RCPT first
2012-03-01 21:58:26.454392500 7488 dispatching RSET
2012-03-01 21:58:26.454521500 7488 250 OK
2012-03-01 21:58:26.454580500 7488 dispatching MAIL FROM:<ers@myserver.com>
2012-03-01 21:58:26.454648500 7488 full from_parameter: FROM:<ers@myserver.com>
2012-03-01 21:58:26.483699500 7488 getting mail from <ers@myserver.com>
2012-03-01 21:58:26.483743500 7488 250 <ers@myserver.com>, sender OK - how exciting to get mail from you!
2012-03-01 21:58:26.483825500 7488 dispatching RCPT TO:<001-home@163.com>
2012-03-01 21:58:26.485149500 7488 check_goodrcptto plugin (rcpt): stripping '-' extensions
2012-03-01 21:58:26.554815500 7488 check_goodrcptto plugin (rcpt): recipient 001-home@163.com denied
2012-03-01 21:58:26.556738500 7488 logging::logterse plugin (deny): ` aaa.bbb.ccc.ddd Unknown x6x8-20101028IO <ers@myserver.com> check_goodrcptto 901 relaying denied 001-home@163.com msg denied before queued
2012-03-01 21:58:26.556822500 7488 550 relaying denied 001-home@163.com
2012-03-01 21:58:26.556896500 7488 dispatching DATA
2012-03-01 21:58:26.557160500 7488 503 RCPT first
2012-03-01 21:58:27.540909500 7488 dispatching RSET
2012-03-01 21:58:27.541005500 7488 250 OK
2012-03-01 21:58:27.541056500 7488 dispatching MAIL FROM:<vqv@myserver.com>
2012-03-01 21:58:27.541137500 7488 full from_parameter: FROM:<vqv@myserver.com>
2012-03-01 21:58:27.562681500 7488 getting mail from <vqv@myserver.com>
2012-03-01 21:58:27.562730500 7488 250 <vqv@myserver.com>, sender OK - how exciting to get mail from you!
2012-03-01 21:58:27.562807500 7488 dispatching RCPT TO:<001-home@163.com>
2012-03-01 21:58:27.564113500 7488 check_goodrcptto plugin (rcpt): stripping '-' extensions
2012-03-01 21:58:27.633584500 7488 check_goodrcptto plugin (rcpt): recipient 001-home@163.com denied
2012-03-01 21:58:27.635446500 7488 logging::logterse plugin (deny): ` aaa.bbb.ccc.ddd Unknown x6x8-20101028IO <vqv@myserver.com> check_goodrcptto 901 relaying denied 001-home@163.com msg denied before queued
2012-03-01 21:58:27.635538500 7488 550 relaying denied 001-home@163.com
2012-03-01 21:58:27.635616500 7488 dispatching DATA
2012-03-01 21:58:27.635866500 7488 503 RCPT first
2012-03-01 21:58:28.432999500 7488 dispatching RSET
2012-03-01 21:58:28.433086500 7488 250 OK
2012-03-01 21:58:28.433136500 7488 dispatching MAIL FROM:<vqv@myserver.com>
2012-03-01 21:58:28.433211500 7488 full from_parameter: FROM:<vqv@myserver.com>
2012-03-01 21:58:28.461392500 7488 getting mail from <vqv@myserver.com>
2012-03-01 21:58:28.461434500 7488 250 <vqv@myserver.com>, sender OK - how exciting to get mail from you!
2012-03-01 21:58:28.461518500 7488 dispatching RCPT TO:<001-home@163.com>
2012-03-01 21:58:28.462812500 7488 check_goodrcptto plugin (rcpt): stripping '-' extensions
2012-03-01 21:58:28.531903500 7488 check_goodrcptto plugin (rcpt): recipient 001-home@163.com denied
2012-03-01 21:58:28.533797500 7488 logging::logterse plugin (deny): ` aaa.bbb.ccc.ddd Unknown x6x8-20101028IO <vqv@myserver.com> check_goodrcptto 901 relaying denied 001-home@163.com msg denied before queued
2012-03-01 21:58:28.533888500 7488 550 relaying denied 001-home@163.com
2012-03-01 21:58:28.533962500 7488 dispatching DATA
2012-03-01 21:58:28.534224500 7488 503 RCPT first
2012-03-01 21:58:29.508396500 7488 dispatching RSET
2012-03-01 21:58:29.508492500 7488 250 OK
2012-03-01 21:58:29.508548500 7488 dispatching MAIL FROM:<gpge@myserver.com>
2012-03-01 21:58:29.508617500 7488 full from_parameter: FROM:<gpge@myserver.com>
2012-03-01 21:58:29.536997500 7488 getting mail from <gpge@myserver.com>
2012-03-01 21:58:29.537033500 7488 250 <gpge@myserver.com>, sender OK - how exciting to get mail from you!
2012-03-01 21:58:29.537116500 7488 dispatching RCPT TO:<001-home@163.com>
2012-03-01 21:58:29.538408500 7488 check_goodrcptto plugin (rcpt): stripping '-' extensions
2012-03-01 21:58:29.607610500 7488 check_goodrcptto plugin (rcpt): recipient 001-home@163.com denied
2012-03-01 21:58:29.609525500 7488 logging::logterse plugin (deny): ` aaa.bbb.ccc.ddd Unknown x6x8-20101028IO <gpge@myserver.com> check_goodrcptto 901 relaying denied 001-home@163.com msg denied before queued
2012-03-01 21:58:29.609620500 7488 550 relaying denied 001-home@163.com
2012-03-01 21:58:29.609703500 7488 dispatching DATA
2012-03-01 21:58:29.609945500 7488 503 RCPT first
2012-03-01 21:58:30.405529500 7488 dispatching RSET
2012-03-01 21:58:30.405624500 7488 250 OK
2012-03-01 21:58:30.405681500 7488 dispatching MAIL FROM:<gpge@myserver.com>
2012-03-01 21:58:30.405753500 7488 full from_parameter: FROM:<gpge@myserver.com>
2012-03-01 21:58:30.433842500 7488 getting mail from <gpge@myserver.com>
2012-03-01 21:58:30.433878500 7488 250 <gpge@myserver.com>, sender OK - how exciting to get mail from you!
2012-03-01 21:58:30.433961500 7488 dispatching RCPT TO:<001-home@163.com>
2012-03-01 21:58:30.435244500 7488 check_goodrcptto plugin (rcpt): stripping '-' extensions
2012-03-01 21:58:30.504403500 7488 check_goodrcptto plugin (rcpt): recipient 001-home@163.com denied
2012-03-01 21:58:30.506296500 7488 logging::logterse plugin (deny): ` aaa.bbb.ccc.ddd Unknown x6x8-20101028IO <gpge@myserver.com> check_goodrcptto 901 relaying denied 001-home@163.com msg denied before queued
2012-03-01 21:58:30.506389500 7488 550 relaying denied 001-home@163.com
2012-03-01 21:58:30.506471500 7488 dispatching DATA
2012-03-01 21:58:30.506726500 7488 503 RCPT first
2012-03-01 21:58:31.467836500 7488 dispatching RSET
2012-03-01 21:58:31.467960500 7488 250 OK

...snip...

2012-03-01 23:20:26.179079500 7488 dispatching MAIL FROM:<lgw@myserver.com>
2012-03-01 23:20:26.179141500 7488 full from_parameter: FROM:<lgw@myserver.com>
2012-03-01 23:20:26.209008500 7488 getting mail from <lgw@myserver.com>
2012-03-01 23:20:26.209042500 7488 250 <lgw@myserver.com>, sender OK - how exciting to get mail from you!
2012-03-01 23:20:26.209088500 7488 dispatching RCPT TO:<001-home@163.com>
2012-03-01 23:20:26.210397500 7488 check_goodrcptto plugin (rcpt): stripping '-' extensions
2012-03-01 23:20:26.280120500 7488 check_goodrcptto plugin (rcpt): recipient 001-home@163.com denied
2012-03-01 23:20:26.282020500 7488 logging::logterse plugin (deny): ` aaa.bbb.ccc.ddd Unknown x6x8-20101028IO <lgw@myserver.com> check_goodrcptto 901 relaying denied 001-home@163.com msg denied before queued
2012-03-01 23:20:26.282092500 7488 550 relaying denied 001-home@163.com
2012-03-01 23:20:26.282138500 7488 dispatching DATA
2012-03-01 23:20:26.282394500 7488 503 RCPT first
2012-03-01 23:20:27.083460500 7488 dispatching RSET
2012-03-01 23:20:27.083549500 7488 250 OK
2012-03-01 23:20:27.083614500 7488 dispatching MAIL FROM:<lgw@myserver.com>
2012-03-01 23:20:27.083680500 7488 full from_parameter: FROM:<lgw@myserver.com>
2012-03-01 23:20:27.111592500 7488 getting mail from <lgw@myserver.com>
2012-03-01 23:20:27.111626500 7488 250 <lgw@myserver.com>, sender OK - how exciting to get mail from you!
2012-03-01 23:20:27.111693500 7488 dispatching RCPT TO:<001-home@163.com>
2012-03-01 23:20:27.113000500 7488 check_goodrcptto plugin (rcpt): stripping '-' extensions
2012-03-01 23:20:27.183057500 7488 check_goodrcptto plugin (rcpt): recipient 001-home@163.com denied
2012-03-01 23:20:27.185113500 7488 logging::logterse plugin (deny): ` aaa.bbb.ccc.ddd Unknown x6x8-20101028IO <lgw@myserver.com> check_goodrcptto 901 relaying denied 001-home@163.com msg denied before queued
2012-03-01 23:20:27.185193500 7488 550 relaying denied 001-home@163.com
2012-03-01 23:20:27.185240500 7488 dispatching DATA
2012-03-01 23:20:27.185494500 7488 503 RCPT first
2012-03-01 23:20:28.145529500 7488 dispatching RSET
2012-03-01 23:20:28.145608500 7488 250 OK
2012-03-01 23:20:28.145658500 7488 dispatching MAIL FROM:<eyff@myserver.com>
2012-03-01 23:20:28.145720500 7488 full from_parameter: FROM:<eyff@myserver.com>
2012-03-01 23:20:28.174165500 7488 getting mail from <eyff@myserver.com>
2012-03-01 23:20:28.174200500 7488 250 <eyff@myserver.com>, sender OK - how exciting to get mail from you!
2012-03-01 23:20:28.174262500 7488 dispatching RCPT TO:<001-home@163.com>
2012-03-01 23:20:28.175584500 7488 check_goodrcptto plugin (rcpt): stripping '-' extensions
2012-03-01 23:20:28.245169500 7488 check_goodrcptto plugin (rcpt): recipient 001-home@163.com denied
2012-03-01 23:20:28.247094500 7488 logging::logterse plugin (deny): ` aaa.bbb.ccc.ddd Unknown x6x8-20101028IO <eyff@myserver.com> check_goodrcptto 901 relaying denied 001-home@163.com msg denied before queued
2012-03-01 23:20:28.247169500 7488 550 relaying denied 001-home@163.com
2012-03-01 23:20:28.247230500 7488 dispatching DATA
2012-03-01 23:20:28.247462500 7488 503 RCPT first
2012-03-01 23:20:29.037910500 7488 dispatching RSET
2012-03-01 23:20:29.037989500 7488 250 OK
2012-03-01 23:20:29.038039500 7488 dispatching MAIL FROM:<eyff@myserver.com>
2012-03-01 23:20:29.038105500 7488 full from_parameter: FROM:<eyff@myserver.com>
2012-03-01 23:20:29.066350500 7488 getting mail from <eyff@myserver.com>
2012-03-01 23:20:29.066384500 7488 250 <eyff@myserver.com>, sender OK - how exciting to get mail from you!
2012-03-01 23:20:29.066430500 7488 dispatching RCPT TO:<001-home@163.com>
2012-03-01 23:20:29.067727500 7488 check_goodrcptto plugin (rcpt): stripping '-' extensions
2012-03-01 23:20:29.137214500 7488 check_goodrcptto plugin (rcpt): recipient 001-home@163.com denied
2012-03-01 23:20:29.139112500 7488 logging::logterse plugin (deny): ` aaa.bbb.ccc.ddd Unknown x6x8-20101028IO <eyff@myserver.com> check_goodrcptto 901 relaying denied 001-home@163.com msg denied before queued
2012-03-01 23:20:29.139185500 7488 550 relaying denied 001-home@163.com
2012-03-01 23:20:29.139248500 7488 dispatching DATA
2012-03-01 23:20:29.139484500 7488 503 RCPT first
2012-03-01 23:20:30.349919500 11243 cleaning up after 7488
« Last Edit: March 04, 2012, 12:25:58 AM by piran »
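The per-connection accounting the question asks about ("how many RCPT TO in the same Accepted connection?"), as an added example that is not part of the original thread or of SME Server / qpsmtpd: a Python script that parses qpsmtpd log lines in the format quoted above, tallies MAIL FROM, RCPT TO and "550 relaying denied" responses per accepted connection (keyed on the worker pid, since the "cleaning up after" line is logged by a different pid), and flags any connection whose count of denied recipients exceeds a threshold. That counter is also what a fail2ban-style "ban after N denied RCPT TO in one connection" rule would need to key on. The sample log lines are constructed from the quoted format using the same placeholder address aaa.bbb.ccc.ddd; the regexes, the threshold, the sender names and a second well-behaved connection from 192.0.2.10 are assumptions made for illustration.

```python
"""Summarise qpsmtpd log connections: RCPT TO counts, relay denials, rate.

Added example, not code from the original thread or from SME Server/qpsmtpd.
The line layout "<timestamp> <pid> <message>" and the message texts are taken
from the qpsmtpd lines quoted in the post; SAMPLE_LOG below is constructed.
"""
import re
from datetime import datetime, timedelta

# qpsmtpd log line as shown in the post: "<YYYY-mm-dd HH:MM:SS.nnnnnnnnn> <pid> <message>"
LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (.*)$")
ACCEPT_RE = re.compile(r"^Accepted connection \d+/\d+ from (\S+) ")
MAIL_RE = re.compile(r"^dispatching MAIL FROM:<([^>]*)>")
RCPT_RE = re.compile(r"^dispatching RCPT TO:<([^>]*)>")
DENY_RE = re.compile(r"^550 relaying denied ")
CLEANUP_RE = re.compile(r"^cleaning up after (\d+)$")


def parse_ts(s):
    """Parse the nanosecond timestamp; trim to microseconds for strptime."""
    return datetime.strptime(s[:26], "%Y-%m-%d %H:%M:%S.%f")


def summarize(lines):
    """Return {pid: stats} for every 'Accepted connection' seen in the lines."""
    conns = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        if (a := ACCEPT_RE.match(msg)):
            conns[pid] = {"ip": a.group(1), "start": ts, "end": ts,
                          "mail_from": 0, "rcpt_to": 0, "denied": 0,
                          "senders": set(), "recipients": set()}
            continue
        if (c := CLEANUP_RE.match(msg)):
            # logged under the parent's pid; the child pid is in the message
            if c.group(1) in conns:
                conns[c.group(1)]["end"] = ts
            continue
        st = conns.get(pid)
        if st is None:
            continue          # chatter from a worker whose accept we did not see
        st["end"] = ts
        if (r := RCPT_RE.match(msg)):
            st["rcpt_to"] += 1
            st["recipients"].add(r.group(1))
        elif (f := MAIL_RE.match(msg)):
            st["mail_from"] += 1
            st["senders"].add(f.group(1))
        elif DENY_RE.match(msg):
            st["denied"] += 1
    return conns


def find_hogs(conns, max_denied=5):
    """Connections with more than max_denied relay-denied RCPT TO attempts.

    Returns (ip, pid, denied, denied_per_minute) tuples, worst first. The
    threshold is an assumed value; tune it to the site's normal traffic.
    """
    out = []
    for pid, st in conns.items():
        if st["denied"] > max_denied:
            secs = max((st["end"] - st["start"]).total_seconds(), 1.0)
            out.append((st["ip"], pid, st["denied"], round(st["denied"] * 60 / secs, 1)))
    return sorted(out, key=lambda t: t[2], reverse=True)


# ---- constructed sample log (same shape as the post's excerpt) -------------
def _ts(base, seconds):
    return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S.%f") + "500"


def _attempt(ts, pid, sender, rcpt, denied=True):
    lines = [f"{ts} {pid} dispatching MAIL FROM:<{sender}>",
             f"{ts} {pid} dispatching RCPT TO:<{rcpt}>"]
    if denied:
        lines.append(f"{ts} {pid} 550 relaying denied {rcpt}")
    return lines


_BASE = datetime(2012, 3, 1, 21, 58, 22)
SAMPLE_LOG = [f"{_ts(_BASE, 0)} 7488 Accepted connection 0/40 from aaa.bbb.ccc.ddd / Unknown"]
for _i in range(12):   # twelve relay probes, one per second, sender rotated every two
    SAMPLE_LOG += _attempt(_ts(_BASE, 1 + _i), 7488, f"probe{_i // 2}@myserver.com", "001-home@163.com")
SAMPLE_LOG.append(f"{_ts(_BASE, 14)} 11243 cleaning up after 7488")
# a well-behaved connection (assumed address 192.0.2.10): one sender, one local recipient
SAMPLE_LOG.append(f"{_ts(_BASE, 20)} 7500 Accepted connection 0/40 from 192.0.2.10 / Unknown")
SAMPLE_LOG += _attempt(_ts(_BASE, 21), 7500, "alice@example.net", "bob@myserver.com", denied=False)
SAMPLE_LOG.append(f"{_ts(_BASE, 25)} 11244 cleaning up after 7500")

if __name__ == "__main__":
    for ip, pid, n, per_min in find_hogs(summarize(SAMPLE_LOG)):
        print(f"{ip} pid {pid}: {n} relay-denied RCPT TO ({per_min}/min)")
```

Run against a real /var/log/qpsmtpd/current (fed through tai64nlocal, so the timestamps look like the ones quoted) the same two functions give, per connection, the number of recipients probed and the rate, which is the figure to compare against ConcurrencyRemote=1 when judging whether one remote host is monopolising the only slot.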

Offline janet

Re: email hog
« Reply #1 on: March 03, 2012, 02:32:24 AM »
piran

The data sent/bandwidth used would have been a few bits per transaction, so is it a problem?
Even over the time period the email connection attempts were happening the total bandwidth used would be small.
I guess it would only be a problem if you had a very slow connection, or a very expensive rate/Mbit connection eg satellite, so what is your situation?
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline piran

Re: email hog
« Reply #2 on: March 03, 2012, 03:11:52 AM »
mary: As I indicated earlier SME handled the situation brilliantly.
This was not a normal situation however and I appear to have few
options as regard to regaining 'control' over my environment.
I've chosen to limit i/c transactions to 1... my Chinese visitor
occupied this to no good end for an hour and a half. I believe
in so doing nobody else could get in contact due to this selfish
nefariousness. I regard that as a loss of control and wanted to
know if anyone might suggest something to offset this loss.

The telephone line broadband connection is not all that brilliant
but is merely adequate and not considered very expensive. It's
not a satellite connection. The server has enough CPU to cope
and there are many things I can work the server through to see
worse htop figures than those I saw during the episode!

Once bitten, well more nibbled than bitten, twice shy.
This is the first time I've experienced this, next time could
be more resource-hungry and, so far, my options are few.

Timing out a transaction would mitigate against file transfers.

Hence my thought about limiting RCPT TO variations - nothing
delivered here is ever normally needing more than a single
destination account. Enforcing a single variation within a
single Accepted connection would bring in the earlytalker
option to play. Unless you know of something else...

Offline mmccarn

Re: email hog
« Reply #3 on: March 03, 2012, 01:32:39 PM »
I've been intrigued at the thought of getting fail2ban working on SME server -- which I think would allow you to create the rule you want (ban an IP after x 'rcpt to' in one message, or some such). Unnilenium may be working on a contrib for this.

Another way to keep these connections off your SME would be to have your MX record send your email to an off-site spam filter - either a service such as postini (owned by google), or by setting up a virtual 'SME' in 'the cloud'...

Offline piran

Re: email hog
« Reply #4 on: March 03, 2012, 10:37:56 PM »
Interesting - thank you.
Seems risky and, to my way of thinking, quite complex.
Fail2ban has been mooted for too long without delivery.
Part of that thread associates Centos5 with SME7.
I very much doubt I have the necessary fixer skills
and I have no test rig to hand or a spare available.

When or if Fail2ban is delivered (SME contrib rpm)
I would try it but to limit SME7 to only offering a
single RCPT TO per Accepted connection the current
state of Fail2ban seems an awful lot of unknown risk.

Fail2ban is processing 'after the event' having already
allowed it all to happen and thus to appear in the logs.

My aim is to 'simply(?)' limit SME to offering a single
RCPT TO per any single Accepted connection instead
of just offering multiple RCPT TO with the same
Accepted connection ad infinitum (presumably).
Not sure if this goes against any RFCs as well.

Simpler should be better... I don't want to 'ban', as
I would normally block them outright in iptables, I
want to make these attempt/s excessively costly
and also stop the hogging before it verges on a DOS.

Offline CharlieBrady

Re: email hog
« Reply #5 on: March 03, 2012, 11:26:16 PM »
Quote from: piran
    Simpler should be better... I don't want to 'ban', as
    I would normally block them outright in iptables, I
    want to make these attempt/s excessively costly
    and also stop the hogging before it verges on a DOS.

If you drop the connection after N "RCPT TO" then you might *increase* the cost to your server. They might just create a new connection. Handling a new connection is more costly to your server than just saying "relaying denied". If you don't want to block in iptables then you just have to talk to them. Talking to them at least cost to yourself needs to be your objective.

Preventing DoS is no easy matter. I don't think your spammer is trying DoS, and really isn't doing your server any harm - *unless* you limit connections to 1. Perhaps you should stop worrying.


Offline piran

Re: email hog
« Reply #6 on: March 04, 2012, 12:24:17 AM »
Makes a lot of sense - thanks. They don't want to talk,
they just want to see if they can work things to get my SME.
I was deferring the iptable block to see what they intended
to do next ...if anything. They've not returned in the same
way. Yes, preventing DoS is really difficult but I wanted to
at least have it discussed. I think the basic aim of this was
probably to annoy me or test the water. In 5000+ attempts
not one usable email address was derived. If one HAD been
derived they must have known I would immediately revoke it.
I wasn't 'worryin' just 'considerin'... and having done so will
now just happily treat them much as I do the other pests.
Thank you for the thoughts forum, cheers:-)