Mitigate Exim Random Data DDOS

Used the following to mitigate a denial of service against a customer on cPanel with Exim. The attack consists of connections to port 25 on which the attacker sends binary garbage rather than SMTP protocol. It ends up filling the Exim logs with binary junk and otherwise wasting resources.

This is taken from http://forums.cpanel.net/f185/sustained-exim-attack-syntax-errors-mitigation-measures-338792.html.

1) Add the following lines in the middle of /etc/csf/regex.custom.pm:

Some variation may be needed, depending on the exact format of the log entries. See the notes in the source URL above for more details on that.

2) Modify /etc/csf/csf.conf, change these settings:


3) Apply the changes:


4) Activity can be monitored with this command:
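Separately from the CSF steps above, which depend on the regex from the forum thread, the following Python is an added example and not part of the original post: it parses Exim main-log "SMTP syntax error" lines (constructed sample lines inline), keeps only those whose logged command is mostly octal-escaped binary, and reports sources that reach a threshold inside a sliding time window, the evidence you would want before adding a block rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Exim main-log style (not taken from the page).
# Exim writes non-printable bytes of the offending command as \NNN octal escapes.
SAMPLE_LOG = r"""2014-03-02 10:15:01 SMTP syntax error in "\377\373\001\000" H=(host1) [192.0.2.10]:51234 unrecognized command
2014-03-02 10:15:02 SMTP syntax error in "\026\003\001\000" H=(host1) [192.0.2.10]:51235 unrecognized command
2014-03-02 10:15:03 SMTP syntax error in "\000\000\000\000" H=(host1) [192.0.2.10]:51236 unrecognized command
2014-03-02 10:15:09 1WKEyb-0004Xg-Qp <= alice@example.org H=mail.example.org [198.51.100.5] P=esmtp S=2311
2014-03-02 10:15:10 SMTP syntax error in "HELO" H=(typo.example) [203.0.113.7]:40001 NULL character(s) present (shown as '?')
2014-03-02 10:40:00 SMTP syntax error in "\377\373\001\000" H=(host1) [192.0.2.10]:51300 unrecognized command
"""

# Timestamp, quoted command and the bracketed source address of a syntax-error line.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SMTP syntax error in "(?P<cmd>[^"]*)"'
    r' H=.*?\[(?P<ip>[^\]]+)\]'
)

def parse_syntax_errors(log_text):
    """Yield (timestamp, source_ip, logged_command) for every SMTP syntax error line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S'), m['ip'], m['cmd']

def looks_binary(cmd):
    """True when at least half of the logged command consists of \\NNN octal escapes."""
    return cmd != '' and len(re.findall(r'\\[0-7]{3}', cmd)) * 4 * 2 >= len(cmd)

def offenders(log_text, threshold=3, window=timedelta(minutes=10)):
    """Map source IP -> largest number of binary-junk errors seen inside any `window`,
    for sources that reached `threshold` (the candidates a CSF rule would block)."""
    events = defaultdict(list)
    for ts, ip, cmd in parse_syntax_errors(log_text):
        if looks_binary(cmd):
            events[ip].append(ts)
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

On the sample above only 192.0.2.10 is reported (three binary-junk errors within ten minutes); the HELO typo from 203.0.113.7 is a syntax error but not binary, so it is not counted.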

OpenDKIM

Here’s a great article on DKIM:

http://www.howtoforge.com/set-up-dkim-domainkeys-identified-mail-working-with-postfix-on-centos-using-opendkim

To quote one of our engineers:

Just an FYI about DKIM – this has matured since we started setting it up for customers a couple of years ago. The software is now “OpenDKIM”, available on the EPEL repository.

There’s a HowTo for setting it up at the URL below. It’s correct, except that it assumes a source install, rather than installing opendkim from yum. The other details are all good and useful (opendkim configuration, postfix integration, DNS setup).


Exim Mail Queue Cleanup

How to remove all messages in an Exim queue (on a cPanel server, for example) from or to a specific user:

  1. SSH into the server as root
  2. To delete all from a specific address:
  3. To delete all to a specific address:

Other useful selection criteria (replace the “-f user@domain” or “-t user@domain” options):
-y Message younger than
-o Message older than
-z Frozen messages only (exclude non-frozen)
-x Non-frozen messages only (exclude frozen)


Log Email Senders

Often hackers will use a compromised website to send large amounts of spam email. On a shared server with many websites, it can be hard to tell which site and script is sending the spam. Here’s a procedure for Qmail that will (a) add a header with the script path and (b) create a log file of senders.

1. Create file at /var/qmail/bin/sendmail-wrapper with the following contents:

2. Set permissions on wrapper:

3. Move the sendmail binary:

4. Symlink the wrapper into place:

The log file will be created at /tmp/mail.send.


Plesk 10 Greylist Problems

Recently on several Plesk 10 servers we’ve had users complain that they could not receive email from various domains. Upon investigation we found that the domains were all hosted on Microsoft’s Exchange email service. The bounce messages received by the sender were from bigfish.com and the source address in the server mail logs was a host in messaging.microsoft.com.

We found log entries like this:

So the greylist filter in Plesk 10 is blocking servers that are on “dsl|pool|broadband|hsd” address ranges. In this case it is Microsoft’s cloud anti-spam service that is on “pool” addresses.

From the Plesk control panel there are very few settings for the greylist filter – you can turn the filter on/off and manage white/black list entries. But there are no options to configure the filtering rules. After some digging at the command line I found this:

This Plesk utility gives a listing of the configuration for the greylist filter and provides options for configuring the greylist:

Here’s a sample of the info output:

Notice that the server admin tried to whitelist “@bigfish.com” but it did not work, because the “black domain patterns list” takes precedence.

Now to solve the problem of mail from *.messaging.microsoft.com we can just add another “white domains pattern list” like this:

And now the email from Microsoft hosted domains should be delivered without error.

Here’s a Parallels Knowledgebase Article on this subject:

How to configure Greylisting

And here’s a thread on Serverfault that got me on the right track:

e-mail gets rejected – bigfish.com error
