Full Version: Please, urgently needs help to block a big spammer!
The Planet Forums > System Administration > General Support Questions
JFrechA
Hi All,

Someone is spamming me using names with capital fonts like: JamesCarol@domain.com. I tried blocking him using [A-Z]*[A-Z]@domain.com in my /etc/mail/access, because I don't use capital fonts in my users, but this doesn't work.

Please, maybe someone with more experience can explain to me how to reach this objective.

Very grateful in advance,

JFrech
markcausa
Would you happen to be running cPanel?
JFrechA
Thank you!

I'm on Ensim 4.0.3, RHE3.

But the problem is with the characters that sendmail can read in the way I need.

How do I block any name that begins with a capital font and has another capital font separating the second part of the name, i.e. JamesCarol, ArnoldWilliams etc.? A*W*@domain.com for example.

Which wildcards, accepted by sendmail, can I use to express the characters between the two capital fonts?

Thank you.

JFrech
JFrechA
Can nobody help me, please? This is really causing my server to crash constantly.

I know I can use regex and include it in sendmail.mc but have no idea how. I was reading and reading in Google but didn't find anything.

I shut down the server for about 2 hours, to see if the attacker stops his job, but he didn't. It continues bothering.

Thank you,

JFrech
dynamicnet
Greetings:

If you take the domain portion of the email, and go to http://www.dnsstuff.com you can do an NS lookup (right hand column, first box) for the MX (mail exchange) record.

For each IP address listed (there may be more than one), block the IP address in your firewall.

If you are using IP tables, you can do the following:

iptables -I INPUT -s [ip address to block without brackets] -j DROP

If you just wanted to block SMTP traffic for the IP address you could use

iptables -I INPUT -s [ip address to block without brackets] -p tcp --dport 25 -j DROP


Thank you.
markcausa
Sorry I can't be of help. I think tech support might help with this one.
JFrechA
QUOTE (dynamicnet)
Greetings:

If you take the domain portion of the email, and go to http://www.dnsstuff.com you can do an NS lookup (right hand column, first box) for the MX (mail exchange) record.

For each IP address listed (there may be more than one), block the IP address in your firewall.

If you are using IP tables, you can do the following:

iptables -I INPUT -s [ip address to block without brackets] -j DROP

If you just wanted to block SMTP traffic for the IP address you could use

iptables -I INPUT -s [ip address to block without brackets] -p tcp --dport 25 -j DROP


Thank you.



I appreciate your answer.

The domain is in my server. That's why I need just to block the user name.
UserName@myserver.com, it's a spoof address.

They're using a different IP each time. The only repetitive event that I can use to block them is the two capital fonts in the User Name.

JFrech
Catalyst
Unfortunately, you can't do that in /etc/mail/access.

But you could make an SA rule to do it... which doesn't really help. Are they sending TO legit addresses?
JFrechA
QUOTE (Catalyst)
Unfortunately, you can't do that in /etc/mail/access.  
 
But you could make an SA rule to do it... which doesn't really help.  Are they sending TO legit addresses?


Thank you for your answer.

Yes, they're sending to a legit domain but with wrong user names.

I found in Google this rule that can be used in sendmail.mc, but I don't have experience in REGEX. Maybe you can understand the rule better and explain to me how to modify it for my purposes.

LOCAL_CONFIG
#
# Regular expression to reject:
# * numeric-only localparts from aol.com and msn.com
# * localparts starting with a digit from juno.com
#
Kcheckaddress regex -a@MATCH
^([0-9]+<@(aol|msn).com|[0-9][^<]*<@juno.com).?>


Very grateful,

JFrech
Catalyst
I understand regex, but I don't understand ... given the format, the Match would be
CODE
^([A-Z][a-z]+[A-Z][a-z]+<@domain.tld).?>
which looks totally wrong to me ... Seems like it should be encased in < >'s.
JFrechA
QUOTE (markcausa)
Sorry I can't be of help. I think tech support might help with this one.


I think it is not an issue for them.

Please accept my apologies if I didn't express my words well a few days ago.
If I recommended that you solve a problem with Live Support, it was because you had a ticket open with them, and that's the way I use when I have a ticket that is not attended to.

Today in the early morning, I did a reboot and my server didn't come up; it was a problem with FSCK. I opened a ticket that was not assisted in the time I estimated, then I went to chat with Live Support and they solved my issue in just a few minutes.

Sincerely,

JFrech
JFrechA
QUOTE (Catalyst)
I understand regex, but I don't understand ... given the format, the Match would be
CODE
^([A-Z][a-z]+[A-Z][a-z]+<@domain.tld).?>
which looks totally wrong to me ... Seems like it should be encased in < >'s.


Thanks a lot for your help Catalyst.

I'm going to try your way, and analyze the results.

Greatly appreciated!

JFrech
JFrechA
QUOTE (JFrechA)
Thanks a lot for your help Catalyst.
 
I'm going to try your way, and analyze the results.
 
Greatly appreciated!

JFrech


Sendmail didn't stop the UserName with the line you gave me.
Any other idea please?

dnl # Regular expression to reject:
dnl # * numeric-only localparts from aol.com and msn.com
dnl # * localparts starting with a digit from juno.com
dnl #
Kcheckaddress regex -a@MATCH ^([A-Z][a-z]+[A-Z][a-z +<@mydomain.com).?>

LOCAL_RULESETS
SLocal_check_mail
dnl # check address against various regex checks
R$* $: $>Parse0 $>3 $1
R$+ $: $(checkaddress $1 $)
R@MATCH $#error $: "553 Header error"

JFrech
Catalyst
That shouldn't've compiled --- it's missing a right brace after the second [a-z ... ;-)
JFrechA
QUOTE (Catalyst)
That shouldn't've compiled --- it's missing a right brace after the second [a-z ... ;-)


Excuse me, this was a mistake I made when I copied it here, but in the sendmail.mc it is OK.

The problem is that sendmail rejects the mail with "User unknown" before using the R@MATCH $#error $: "553 Header error"

Any idea?

Thanks a lot

JFrech
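The rule posted above sits in Local_check_mail, which sendmail runs on the envelope sender at MAIL FROM; the probed addresses in this thread are recipients, which only Local_check_rcpt sees, so a sender-side rule cannot fire before the RCPT-stage "User unknown". The Python below is an added illustration, not code from the thread: it applies Catalyst's pattern to addresses in the user<@host.> shape that $>Parse0 $>3 hands to the regex map. The domain mydomain.com and the sample addresses are constructed placeholders.

```python
import re

# Catalyst's pattern from the thread, with the two dots escaped the way the
# sendmail cf/README example escapes them. mydomain.com is a placeholder.
CAMEL_LOCALPART = re.compile(r"^([A-Z][a-z]+[A-Z][a-z]+<@mydomain\.com)\.?>")


def focused(address):
    """Rewrite user@host into the form the regex map receives.

    Assumption (stated in the lead-in): after $>Parse0 $>3 the address reads
    user<@host.>, i.e. focus brackets around the host and a trailing dot
    marking the host as canonical, which is why the rule ends in \\.?>.
    """
    user, _, host = address.partition("@")
    return "%s<@%s.>" % (user, host)


def check_rcpt(address):
    """Mirror the R@MATCH line: the SMTP reply to send, or None to accept.

    Place the equivalent sendmail rule in Local_check_rcpt, not
    Local_check_mail, for it to see recipient addresses at all.
    """
    return "553 Header error" if CAMEL_LOCALPART.search(focused(address)) else None


def classify(addresses):
    """Split a batch of recipient addresses into (rejected, accepted)."""
    rejected, accepted = [], []
    for addr in addresses:
        (rejected if check_rcpt(addr) else accepted).append(addr)
    return rejected, accepted


# Constructed sample: the thread's probe-style names plus legitimate shapes
# that must not be caught, and one CamelCase surname that IS caught, which is
# the false positive Chip warns about later in the thread.
SAMPLE = [
    "JessiJames@mydomain.com",      # probe pattern from the thread
    "CarolAllem@mydomain.com",      # probe pattern from the thread
    "james.carol@mydomain.com",     # legit lower-case user: accepted
    "James@mydomain.com",           # one capital only: accepted
    "JamesCarol@otherdomain.com",   # same shape, not our domain: accepted
    "McDonald@mydomain.com",        # legit CamelCase surname: wrongly rejected
]

if __name__ == "__main__":
    for addr in SAMPLE:
        print("%-30s %s" % (addr, check_rcpt(addr) or "accept"))
```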
Chip
Gotta ask.... Is this a user on your system sending these e-mails? If so, I would think about getting rid of this customer as he/she could jeopardize your server for TOS violations.

If not, what I do and it seems to work, is force my legit customers to have their mail clients login to send mail as well as check mail.

If they are using a sendmail script from your server, I would hunt it down and do away with it...
JFrechA
QUOTE (Chip)
Gotta ask....  Is this a user on your system sending these e-mails?  If so, I would think about getting rid of this customer as he/she could jeopardize your server for TOS violations.

If not, what I do and it seems to work, is force my legit customers to have their mail clients login to send mail as well as check mail.

If they are using a sendmail script from your server, I would hunt it down and do away with it...


Thank you Chip,

It's an external attack. Someone is sending thousands of mails to one of my customers' domains. They are using names with capital fonts as a common pattern in all the addresses they are testing to see if they exist, i.e. they send to JessiJames@mycustomer.com and CarolAllem@mycustomer.com etc. The capital fonts pattern is the only thing I can try to block, because each time they use a different IP.

I want to reject them at the gateway, to avoid it continuing to overload my server.

JFrech
James Jhurani
Watch your mail logs and see if the same IP is the one sending it all. If so, ban it using iptables rather than going through sendmail. If a little no-name mail server is passing on spam, you may want to inform his ISP, or the admin; till then, just ban his mail server from connecting to you.

If you can't figure out which IP this is, copy the email headers from a few of your emails and either post them here or PM them to me. I'm in NYC on vacation, so it may take me a while to respond.
Chip
Another option is to have your customer turn off his catch-all account. I'm not sure what package you have, but I run CPanel and have the ability to have mail sent to non-existent accounts either go to :blackhole: or :fail:

I don't have WHM create catch-all's on new accounts for that reason.... It's too easy for the customer to be overwhelmed by e-mail that the catch-all grabs and sends to him/her...

Spam is getting bad for everyone.... Turning off the catch-all isn't the fix-all... But it will cut down a lot of the e-mail to your customer...
JFrechA
QUOTE (Chip)
Another option is to have your customer turn off his catch-all account.  I'm not sure what package you have, but I run CPanel and have the ability to have mail sent to non-existent accounts either go to :blackhole: or :fail:

I don't have WHM create catch-all's on new accounts for that reason....  It's too easy for the customer to be overwhelmed by e-mail that the catch-all grabs and sends to him/her...

Spam is getting bad for everyone....  Turning off the catch-all isn't the fix-all...  But it will cut down a lot of the e-mail to your customer...


Yes, you're right Chip. I always create the new sites without the catch-all.

My customer doesn't know the attack is occurring; it's me who is very worried, because the attack was overloading the server.

Apparently, the attack is over now, but anyway, I consider it important to know how to stop an attack like this in the future.

Maybe it is not difficult to write the rule, but only for someone who has expert knowledge about regex. Unfortunately, I'm not one. I invite all to think about this.

I appreciate a lot all of you who made an effort to help me. It was nice to feel supported.

Please, don't let this post be finished. If someone knows how to make the rule, please share it with all.

Very grateful,

JFrech
JFrechA
QUOTE (faze)
Watch your mail logs and see if the same IP is the one sending it all. If so, ban it using iptables rather than going through sendmail. If a little no-name mail server is passing on spam, you may want to inform his ISP, or the admin; till then, just ban his mail server from connecting to you.

If you can't figure out which IP this is, copy the email headers from a few of your emails and either post them here or PM them to me. I'm in NYC on vacation, so it may take me a while to respond.



Hi faze, thanks a lot for your participation.

Unfortunately, the attack came with a different IP in each message. There is no way to extract valuable information from the logs.

The way I found is to create a rule for sendmail.mc that filters every user name that begins with a capital font and has another in the middle. But I don't have enough knowledge of regex to create it, i.e. JamesSmith@, JohanTimes@, etc.

Very grateful,

JFrech
Chip
Filtering capital letters may interrupt very important e-mail that one of your customers is waiting on.... It's a good workaround, but not a good fix...

I'm in the same boat as you when it comes to spam.... I've been looking for a way to block blacklisted countries on my server... It's not a fix-all, but it is a fix-most.... It will stop a good portion of the spam since most comes from other countries that allow it to happen and will stop a lot of the spambots that happen on my customer's forums...

So, I'm watching this thread in hopes of some good ideas myself....

Chip
JFrechA
QUOTE (Chip)
Filtering capital letters may interrupt very important e-mail that one of your customers is waiting on....  It's a good workaround, but not a good fix...  

I'm in the same boat as you when it comes to spam....  I've been looking for a way to block blacklisted countries on my server...  It's not a fix-all, but it is a fix-most....  It will stop a good portion of the spam since most comes from other countries that allow it to happen and will stop a lot of the spambots that happen on my customer's forums...

So, I'm watching this thread in hopes of some good ideas myself....

Chip



You are right in what you are saying: filtering capital fonts is not a fix, but it is a good measure in an emergency.

I think it is easier to tell just one customer what's happening, in case some legit mails are interrupted, than to try to explain to all your customers why the server crashed.

I think Catalyst is near the solution with capital fonts.

I'm reading everything I can find about regex, but it takes a lot of time to reach the knowledge that others already have.

JFrech
RedBaron
JFrech, an important question to answer is how/why this spammer was crashing your server, and whether intercepting/rejecting the messages using that regex rule will actually fix anything. It appears from the description that sendmail is detecting "unknown user" before it even tries to apply the regex rules.

How fast was this guy trying to send the mails? Were they using lots of simultaneous connections? What was the actual cause of the server crash? Or did it just get bogged down, and not really crash?

Without those answers, pursuing the regex solution may not help you when this happens again.

Will
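RedBaron's questions (how fast, from how many sources, and whether a recipient regex would even apply) can be answered from the maillog instead of guessed. The script below is an added example, not something posted in the thread: it parses a few constructed sendmail "User unknown" rejection lines (documentation-range IPs, placeholder domain) and reports distinct source IPs, the peak rejections per second, and how many probed recipients fit the CamelCase shape the thread wants to block.

```python
import re
from collections import Counter

# Constructed sample maillog lines in the shape sendmail uses for check_rcpt
# rejections. IPs are from the documentation ranges; the domain is a placeholder.
LOG = """\
Mar  3 09:15:01 mx sendmail[4121]: k23EF1aa004121: ruleset=check_rcpt, arg1=<JessiJames@mycustomer.com>, relay=[192.0.2.10], reject=550 5.1.1 <JessiJames@mycustomer.com>... User unknown
Mar  3 09:15:01 mx sendmail[4122]: k23EF1ab004122: ruleset=check_rcpt, arg1=<CarolAllem@mycustomer.com>, relay=[192.0.2.11], reject=550 5.1.1 <CarolAllem@mycustomer.com>... User unknown
Mar  3 09:15:01 mx sendmail[4123]: k23EF1ac004123: ruleset=check_rcpt, arg1=<ArnoldWilliams@mycustomer.com>, relay=[198.51.100.7], reject=550 5.1.1 <ArnoldWilliams@mycustomer.com>... User unknown
Mar  3 09:15:02 mx sendmail[4124]: k23EF2ad004124: ruleset=check_rcpt, arg1=<JohanTimes@mycustomer.com>, relay=[203.0.113.5], reject=550 5.1.1 <JohanTimes@mycustomer.com>... User unknown
Mar  3 09:15:02 mx sendmail[4125]: k23EF2ae004125: ruleset=check_rcpt, arg1=<nosuchbox@mycustomer.com>, relay=[192.0.2.10], reject=550 5.1.1 <nosuchbox@mycustomer.com>... User unknown
"""

# Timestamp, recipient and relay IP; relay may read "host [ip]" or just "[ip]".
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?ruleset=check_rcpt, "
    r"arg1=<(?P<rcpt>[^>]+)>, relay=(?:\S+ )?\[(?P<ip>[^\]]+)\].*User unknown"
)
# Two CamelCase words as the local part, the shape discussed in the thread.
CAMEL = re.compile(r"^[A-Z][a-z]+[A-Z][a-z]+@")


def summarize(log):
    """Count 'User unknown' rejections per source IP and per second, and how
    many probed recipients have the CamelCase local part."""
    per_ip, per_second, camel, total = Counter(), Counter(), 0, 0
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        total += 1
        per_ip[m.group("ip")] += 1
        per_second[m.group("ts")] += 1
        if CAMEL.match(m.group("rcpt")):
            camel += 1
    return {
        "rejections": total,
        "distinct_ips": len(per_ip),
        "peak_per_second": max(per_second.values(), default=0),
        "camelcase_recipients": camel,
        "busiest_ip": per_ip.most_common(1)[0][0] if per_ip else None,
    }


if __name__ == "__main__":
    for key, value in summarize(LOG).items():
        print("%-22s %s" % (key, value))
```

A high distinct-IP count with a low per-IP count is the signature of the distributed probing JFrech describes, where firewalling individual sources does not help.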
Serra
Seems to me, you just want to block dictionary attacks. Look here:
http://www.configserver.com/free/eximdeny.html
JFrechA
QUOTE (Serra)
Seems to me, you just want to block dictionary attacks.  Look here:
http://www.configserver.com/free/eximdeny.html



Thank you for your suggestion.

It is not a simple dictionary attack. They prove the existence of users in the same way as a "Dictionary Attack", but each attempt comes from a different IP. Also, they make 4 or 5 attempts per second.

How are they able to use a different origin IP each time, and so many times per second?

Why, if you check your logs, do only the same IPs appear, and you can't find any other trace that can be blocked?

JFrech
Invision Power Board © 2001-2009 Invision Power Services, Inc.