Archive | Email

Mitigate Exim Random Data DDOS

By leerb on October 31, 2013 in Exim

Used the following to mitigate a denial of service against a customer on Cpanel with Exim. The attack consists of connections to port 25, where they send binary garbage rather than SMTP protocol. It ends up filling the exim logs with binary junk, and otherwise wasting resources.

This is taken from http://forums.cpanel.net/f185/sustained-exim-attack-syntax-errors-mitigation-measures-338792.html.

1) Add the following lines in the middle of /etc/csf/regex.custom.pm:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\d+\D+\d+\D+\d+ \d+\D+\d+\D+\d+ SMTP call from.*\[(\d+\.\d+\.\d+\.\d+)\]:\d+ I=\[(\d+\.\d+\.\d+\.\d+)\]:\d+ dropped: too many syntax or protocol errors/)) {
   return ("Failed exim syntax from","$1","eximdosmatch","2","25,143","1");
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\d+\D+\d+\D+\d+ \d+\D+\d+\D+\d+ SMTP call from.*\[(\d+\.\d+\.\d+\.\d+)\]:\d+ I=\[(\d+\.\d+\.\d+\.\d+)\]:\d+ dropped: too many syntax or protocol errors/)) {

return ("Failed exim syntax from","$1","eximdosmatch","2","25,143","1");

}

Some variation may be needed, depending on the exact format of the log entries. See the notes in the source URL above for more details on that.

2) Modify /etc/csf/csf.conf, change these settings:

 LF_EMAIL_ALERT = "0"
 LF_PERMBLOCK_ALERT = "0"
 CUSTOM1_LOG = "/var/log/exim_mainlog"

LF_EMAIL_ALERT = "0"

LF_PERMBLOCK_ALERT = "0"

CUSTOM1_LOG = "/var/log/exim_mainlog"

3) Apply the changes:

/etc/init.d/lfd restart ; csf -r

1	/etc/init.d/lfd restart ; csf -r

4) Activity can be monitored with this command:

tail -f /var/log/lfd.log

1	tail -f /var/log/lfd.log

OpenDKIM

By leerb on October 23, 2013 in Email

Here’s a great article on DKIM:

http://www.howtoforge.com/set-up-dkim-domainkeys-identified-mail-working-with-postfix-on-centos-using-opendkim

To quote one of our engineers:

Just an FYI about DKIM – this has matured since we started setting it up for customers a couple of years ago. The software is now “OpenDKIM”, available on the EPEL repository.

There’s a HowTo for setting it up at the URL below. It’s correct, except that it assumes a source install, rather than installing opendkim from yum. The other details are all good and useful (opendkim configuration, postfix integration, DNS setup).

Exim Mail Queue Cleanup

By admin on October 11, 2013 in Exim

How to remove all messages in an Exim queue (on a cPanel server, for example) from or to a specific user:

SSH into the server as root
To delete all from a specific address:

exiqgrep -i -f user@domain.com | xargs exim -Mrm

1

exiqgrep -i -f user@domain.com | xargs exim -Mrm
To delete all to a specific address:

exiqgrep -i -t user@domain.com | xargs exim -Mrm

1

exiqgrep -i -t user@domain.com | xargs exim -Mrm

Other useful selection criteria (replace the “-f user@domain” or “-t user@domain” options):
-y Message younger than
-o Message older than
-z Frozen messages only (exclude non-frozen)
-x Non-frozen messages only (exclude frozen)

Log Email Senders

By leerb on November 10, 2012 in Email, QMail

Often hackers will use a compromised website to sent large amounts of spam email. On a shared server with many websites, it can be hard to tell which site and script is sending the spam. Here’s a procedure for Qmail that will (a) add a header with the script path and (b) create a log file of senders.

1. Create file at /var/qmail/bin/sendmail-wrapper with the following contents:

#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"

1 2	#!/bin/sh (echo X-Additional-Header: $PWD ;cat) \| tee -a /var/tmp/mail.send\|/var/qmail/bin/sendmail-qmail "$@"

2. Set permissions on wrapper:

chmod 755 /var/qmail/bin/sendmail-wrapper

1	chmod 755 /var/qmail/bin/sendmail-wrapper

3. Move sendmail binary

cp /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail

1	cp /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail

4. Symlink the wrapper into place:

ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

1	ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

The log file will be create at /tmp/mail.send.

Plesk 10 Greylist Problems

By leerb on March 16, 2012 in Email, Plesk

Recently on several Plesk 10 servers we’ve had users complain that they could not receive email from various domains. Upon investigation we found that the domains were all hosted on Microsoft’s Exchange email service. The bounce messages received by the sender were from bigfish.com and the source address in the server mail logs was a host in messaging.microsoft.com.

We found log entries like this:

Mar 16 09:06:42 cloud1 qmail-queue-handlers[25914]: to=test@technicorp.net
Mar 16 09:06:42 cloud1 greylisting filter[25916]: Starting greylisting filter...
Mar 16 09:06:42 cloud1 greylisting filter[25916]: list type: black, from: db3outboundpool.messaging.microsoft.com, match string: dsl|pool|broadband|hsd
Mar 16 09:06:42 cloud1 qmail-queue-handlers[25914]: handlers_stderr: REJECT
Mar 16 09:06:42 cloud1 qmail-queue-handlers[25914]: REJECT during call 'grey' handler

Mar 16 09:06:42 cloud1 qmail-queue-handlers[25914]: to=test@technicorp.net

Mar 16 09:06:42 cloud1 greylisting filter[25916]: Starting greylisting filter...

Mar 16 09:06:42 cloud1 greylisting filter[25916]: list type: black, from: db3outboundpool.messaging.microsoft.com, match string: dsl|pool|broadband|hsd

Mar 16 09:06:42 cloud1 qmail-queue-handlers[25914]: handlers_stderr: REJECT

Mar 16 09:06:42 cloud1 qmail-queue-handlers[25914]: REJECT during call 'grey' handler

So the greylist filter in Plesk 10 is blocking server that are on “dsl|pool|broadband|hsd” address ranges. In this case it would be Microsofts cloud anti-spam service that is on “pool” addresses.

From the Plesk control panel there are very few settings for the greylist filter – you can turn the filter on/off and manage white/black list entries. But there are no options to configure the filtering rules. After some digging at the command line I found this:

/usr/local/psa/bin/grey_listing --info-server

1	/usr/local/psa/bin/grey_listing --info-server

This plesk utility give a listing of the configuration for the greylist filter and provides options for configuring the greylist:

/usr/local/psa/bin/grey_listing -h

Usage: grey_listing command [options]
    Available commands:
    --update-mailname or -um &lt;mail@domain>
                                       updates the grey listing configuration
                                       for existing mail user
    --update-domain or -ud  &lt;domain>   updates the grey listing configuration
                                       for existing domain
    --update-server or -u              updates the grey listing server-wide
                                       settings
    --info-mailname or -im &lt;mail@domain>
                                       retrieves grey listing settings for
                                       given mailname
    --info-domain or -id   &lt;domain>    retrieves grey listing settings for
                                       given domain
    --info-server or -i                retrieves server wide grey listing
                                       settings
    --help or -h                       displays this help page

    Available options:
    -status            &lt;on|off>        enable/disable grey listing. Used with
                                       --update-domain or with
                                       --update-server command
    -personal-conf     &lt;true|false>    allows or prohibits personal grey
                                       listing configuration for users. Used
                                       only with --update-server command.
    -grey-interval     &lt;number>        updates grey interval value (in
                                       minutes). Used only with
                                       --update-server command
    -expire-interval   &lt;number>        updates expire interval value (in
                                       minutes). Used only with
                                       --update-server command
    -penalty-interval  &lt;number>        updates penalty interval value (in
                                       minutes). Used only with
                                       --update-server command
    -penalty-status    <true|false>    enable/disable penalties for server.
                                       Used only with --update-server command
    -blacklist &lt;add|del>:&lt;pattern1[,pattern2]>;...
                                       adds, deletes e-mail(s) pattern of
                                       black list shared with spamassassin.
                                       Used with --update-mailname or with
                                       --update-server command
    -whitelist &lt;add|del>:&lt;pattern1[,pattern2]>;...
                                       adds, deletes e-mail(s) pattern of
                                       white list shared with spamassassin.
                                       Used with --update-mailname or with
                                       --update-server command
    -domains-whitelist &lt;add|del>:&lt;pattern1[,pattern2]>;...
                                       adds, deletes domains pattern of white
                                       list. Used only with  --update-server
                                       command
    -domains-blacklist &lt;add|del>:&lt;pattern1[,pattern2]>;...
                                       adds, deletes domains pattern of black
                                       list. Used only with  --update-server
                                       command

/usr/local/psa/bin/grey_listing -h

Usage: grey_listing command [options]

Available commands:

--update-mailname or -um <mail@domain>

updates the grey listing configuration

for existing mail user

--update-domain or -ud <domain> updates the grey listing configuration

for existing domain

--update-server or -u updates the grey listing server-wide

settings

--info-mailname or -im <mail@domain>

retrieves grey listing settings for

given mailname

--info-domain or -id <domain> retrieves grey listing settings for

given domain

--info-server or -i retrieves server wide grey listing

settings

--help or -h displays this help page

Available options:

-status <on|off> enable/disable grey listing. Used with

--update-domain or with

--update-server command

-personal-conf <true|false> allows or prohibits personal grey

listing configuration for users. Used

only with --update-server command.

-grey-interval <number> updates grey interval value (in

minutes). Used only with

--update-server command

-expire-interval <number> updates expire interval value (in

minutes). Used only with

--update-server command

-penalty-interval <number> updates penalty interval value (in

minutes). Used only with

--update-server command

-penalty-status <true|false> enable/disable penalties for server.

Used only with --update-server command

-blacklist <add|del>:<pattern1[,pattern2]>;...

adds, deletes e-mail(s) pattern of

black list shared with spamassassin.

Used with --update-mailname or with

--update-server command

-whitelist <add|del>:<pattern1[,pattern2]>;...

adds, deletes e-mail(s) pattern of

white list shared with spamassassin.

Used with --update-mailname or with

--update-server command

-domains-whitelist <add|del>:<pattern1[,pattern2]>;...

adds, deletes domains pattern of white

list. Used only with --update-server

command

-domains-blacklist <add|del>:<pattern1[,pattern2]>;...

adds, deletes domains pattern of black

list. Used only with --update-server

command

Here’s a sample of the info output:

/usr/local/psa/bin/grey_listing --info-server
Grey listing configuration.

Grey listing checking  enabled
Grey interval          5 minutes
Expire interval        51840 minutes
Penalty interval       2 minutes
Penalty                disabled
Personal grey listing
configuration          allowed

Server-wide black list:
 *@somedomain.com

Server-wide white list:
 *@bigfish.com

White domains patterns list:
 *google.com
 *mail.ru
 *parallels.com
 *rambler.ru
 *yahoo.com
 *yandex.ru

Black domains patterns list:
 *[0-9][0-9]-[0-9][0-9]-[0-9][0-9]*
 *[0-9][0-9].[0-9][0-9].[0-9][0-9]*
 *[0-9][0-9][0-9]-[0-9][0-9][0-9]-[0-9][0-9][0-9]*
 *[0-9][0-9][0-9].[0-9][0-9][0-9].[0-9[0-9]][0-9]*
 dsl|pool|broadband|hsd
 dynamic|static|ppp|dyn-ip|dial-up

SUCCESS: Gathering of server wide information complete.

/usr/local/psa/bin/grey_listing --info-server

Grey listing configuration.

Grey listing checking enabled

Grey interval 5 minutes

Expire interval 51840 minutes

Penalty interval 2 minutes

Penalty disabled

Personal grey listing

configuration allowed

Server-wide black list:

*@somedomain.com

Server-wide white list:

*@bigfish.com

White domains patterns list:

*google.com

*mail.ru

*parallels.com

*rambler.ru

*yahoo.com

*yandex.ru

Black domains patterns list:

*[0-9][0-9]-[0-9][0-9]-[0-9][0-9]*

*[0-9][0-9].[0-9][0-9].[0-9][0-9]*

*[0-9][0-9][0-9]-[0-9][0-9][0-9]-[0-9][0-9][0-9]*

*[0-9][0-9][0-9].[0-9][0-9][0-9].[0-9[0-9]][0-9]*

dsl|pool|broadband|hsd

dynamic|static|ppp|dyn-ip|dial-up

SUCCESS: Gathering of server wide information complete.

Notice that the server admin tried to whitelist the “@bigfish.com” but it did not work because the “black domain patterns list takes precedent.

Now to solve the problem of mail from *.messaging.microsoft.com we can just add another “white domains pattern list” like this:

/usr/local/psa/bin/grey_listing --update-server -domains-whitelist "add:*messaging.microsoft.com"

1	/usr/local/psa/bin/grey_listing --update-server -domains-whitelist "add:*messaging.microsoft.com"

And now the email from Microsoft hosted domains should be delivered without error.

Here’s a Parallels Knowledgebase Article on this subject:

How to configure Greylisting

And here’s a thread on Serverfault that got me on the right track:

e-mail gets rejected – bigfish.com error

1 2 … 8 Next →

Need help immediately?

$100/hour
Satisfaction Guaranteed

Top Nav

Navigation

Archive | Email

Mitigate Exim Random Data DDOS

OpenDKIM

Exim Mail Queue Cleanup

Log Email Senders

Plesk 10 Greylist Problems