Dictionary attack spamming on cpanel servers
Never again. It was bad and tough to fight against dictionary attack spamming. Either the server load will rise or
Dictionary attack
—————–
From wikipedia :
Spammers may also use a form of dictionary attack in order to harvest e-mail addresses. For example, a spammer may send messages to adam@example.com, betty@example.com, carl@example.com, etc. Any addresses to which messages are delivered, as opposed to being bounced back, the spammer can then add to his or her sending list.
My issue was that the attacker was spamming the domain in such a way that, in a matter of seconds, the cPanel server, which had the setting smtp_accept_max = 150, would show
Connection refused from [xx.xx.xx.xx] : too many connections
and would not allow other legitimate customers to send and receive email. The spammers were targeting only one domain, so I didn't have to go for some automated application.
RBLs were not working as expected, so I ended up using acl_smtp_connect (Exim 4.53), which rejects a listed host as soon as the connection is made, before any SMTP commands are processed.
acl_smtp_connect = check_host
Touched two files, /etc/eximwhites and /etc/eximblacks, and just after begin acl added this:
check_host:
  # Hosts listed in /etc/eximwhites (one address per line) are always accepted.
  accept
    hosts = /etc/eximwhites
  # Hosts listed in /etc/eximblacks are refused at connect time, and the match is logged.
  deny
    log_message = match eximblacks
    hosts = /etc/eximblacks
  # Everyone else goes on to the normal SMTP checks.
  accept
I could have configured the ACL to use the RBL at connect time, but about 50% of the many spammer IPs being used were not on any RBL list. So I started with the two piped commands below.
To add the server's own IPs to the white list (the whitelist check runs first in the ACL, so these addresses can never be locked out by the blacklist):
ifconfig | grep 'inet addr' | cut -d ":" -f 2 | cut -d " " -f 1 >> /etc/eximwhites
To add the spammers' IPs to the black list (replace example.com with the domain under attack; the IP is taken from the [..] field of each "rejected RCPT" line in the Exim main log):
grep example.com /var/log/exim_mainlog | grep "rejected RCPT" | cut -d "[" -f 2 | cut -d "]" -f 1 | sort | uniq >> /etc/eximblacks
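The one-liner above blacklists every host that ever had a single RCPT rejected for the domain, which also catches a legitimate sender that mistyped one address. As an added example, not code from the original post, the POSIX sh script below refines the same log-mining idea: it counts "rejected RCPT" lines per sending IP for the attacked domain, keeps only IPs at or above a threshold, and drops anything already in the whitelist so a trusted relay is never blacklisted. The log lines, the whitelist entry and the function names (rejected_ips, blacklist_candidates) are constructed for this example; in production the whitelist would be /etc/eximwhites and the output would be appended to /etc/eximblacks.

```shell
#!/bin/sh
# Constructed exim_mainlog excerpt (not real log data). It mimics Exim 4
# rejection records: the sender IP sits in [..], the recipient in <..>.
SAMPLE_LOG='2013-05-01 10:00:01 H=(mx) [203.0.113.5] F=<a@spam.test> rejected RCPT <adam@example.com>: No Such User Here
2013-05-01 10:00:02 H=(mx) [203.0.113.5] F=<a@spam.test> rejected RCPT <betty@example.com>: No Such User Here
2013-05-01 10:00:03 H=(mx) [203.0.113.5] F=<a@spam.test> rejected RCPT <carl@example.com>: No Such User Here
2013-05-01 10:00:04 H=(partner) [198.51.100.7] F=<bob@partner.test> rejected RCPT <bil@example.com>: No Such User Here
2013-05-01 10:00:05 H=(relay) [192.0.2.9] F=<old@legacy.test> rejected RCPT <old1@example.com>: No Such User Here
2013-05-01 10:00:06 H=(relay) [192.0.2.9] F=<old@legacy.test> rejected RCPT <old2@example.com>: No Such User Here
2013-05-01 10:00:07 H=(mx) [203.0.113.5] F=<a@spam.test> rejected RCPT <zed@other.example>: No Such User Here
2013-05-01 10:00:08 <= a@example.com H=(mx) [203.0.113.5] P=esmtp S=1234'

# Constructed whitelist with one trusted relay; stands in for /etc/eximwhites.
WHITELIST=$(mktemp)
printf '192.0.2.9\n' > "$WHITELIST"
trap 'rm -f "$WHITELIST"' EXIT

# rejected_ips DOMAIN
#   Reads log text on stdin and prints one sending IP per "rejected RCPT"
#   line whose recipient is in DOMAIN. Only the literal recipient domain is
#   matched, so a delivery line that merely mentions the domain is ignored.
#   (The '.' in DOMAIN is treated as a regex wildcard, which is acceptable here.)
rejected_ips() {
    grep "rejected RCPT <[^>]*@$1>" \
        | sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

# blacklist_candidates DOMAIN THRESHOLD WHITELIST_FILE
#   Prints IPs with at least THRESHOLD rejections for DOMAIN that are not
#   listed (exact line match) in WHITELIST_FILE, one per line, sorted.
blacklist_candidates() {
    domain=$1
    threshold=$2
    whitelist=$3
    rejected_ips "$domain" \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 >= t { print $2 }' \
        | grep -vxF -f "$whitelist"
}

# Usage: hosts with two or more rejections, minus the whitelist.
# In production: ... | blacklist_candidates example.com 5 /etc/eximwhites >> /etc/eximblacks
printf '%s\n' "$SAMPLE_LOG" | blacklist_candidates example.com 2 "$WHITELIST"
```

With the sample above only 203.0.113.5 is printed: the partner host had a single rejection and stays below the threshold, and 192.0.2.9 is dropped by the whitelist even though it crossed it. Because the ACL's accept on /etc/eximwhites runs before the deny, an IP that ends up in both files is still accepted, so the whitelist filter here only keeps the blacklist tidy.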