Getting Hammered by Bots !

[LeMarque]

Any of you using CSF have seen these alerts:

Time: Mon Feb 24 14:46:54 2014 -0700

IP: 27.251.177.239 (IN/India/abs-static-239.177.251.27.aircel.co.in)
Failures: 5 (smtpauth)
Interval: 300 seconds
Blocked: Temporary Block

Log entries:

2014-02-24 14:46:00 dovecot_login authenticator failed for ([192.168.2.33]) [27.251.177.239]:52469: 535 Incorrect authentication data (set_id=admin)
2014-02-24 14:46:06 dovecot_login authenticator failed for ([192.168.2.33]) [27.251.177.239]:52469: 535 Incorrect authentication data (set_id=admin)
2014-02-24 14:46:16 dovecot_login authenticator failed for ([192.168.2.33]) [27.251.177.239]:52469: 535 Incorrect authentication data (set_id=admin)
2014-02-24 14:46:33 dovecot_login authenticator failed for ([192.168.2.33]) [27.251.177.239]:52469: 535 Incorrect authentication data (set_id=admin)
2014-02-24 14:46:50 dovecot_login authenticator failed for ([192.168.2.33]) [27.251.177.239]:52469: 535 Incorrect authentication data (set_id=admin)

My VPS is used for less than a handful of my domains and only ONE is a live site.
Well over the last couple of weeks I must have been 'hit' a thousand times. So a question ...

How can I tell which domain is being attacked?
Why are they doing this
And are 'they' just hitting "webmail.domain.com" or using some other technique.

Thanks in advance.

 

[Dan]

Hi LeMarque,

How can I tell which domain is being attacked?

Normally it shows who they are trying to log in as, I've never actually seen that failure message before.

Why are they doing this

They're trying to do it so they can send out spam from your users' accounts.

And are 'they' just hitting "webmail.domain.com" or using some other technique.

I can't say for sure but I would guess they have some script/program that just just click the "Go" button and it tries a bunch of different email accounts and passwords. You can see that the failures were 'smtpauth' so I'd say they were simply trying to connect and send the mail.

You could set the CSF option "LF_SMTPAUTH_PERM" to 1 to permanently block them rather than temporarily. Although this isn't a true permanent block, it's a rolling block for up to 100 IPs, but it would still be longer than a temporary block which is typically only 5 minutes.

 

[Fred]

I have also seen a huge increase in this type of attack lately.
I have my CSF option set to permanently block the last 100 IP's and usually it worked to mitigate the attack, but not this time.
It's been ongoing for about 2 weeks now.

 

[Bradley]

Join the club. I have been getting hammered by bots for the last couple of month with no end in sight. CSF is having a hard time keeping up and I have got to the point of turning services off trying to discourage these lame brains.

 

[Fred]

What I have done it to permanently block the offending IP after 2 hits. You run the risk of blocking a client that is having issues connecting to email but I think it is worth the risk. That means they need to cycle the bots more quickly.

It went down to virtually nothing the last week.
And so far no unhappy clients...

 

[Bradley]

Actually I shouldn't call them bots, maybe virus infected zombie computers from all over the world would be more appropriate. Mail is the least of my troubles however ftp hacking has got to the point of me disabling the service

 

[JayMat]

Not everyone likes the idea.. as there is a cost.. but at this point I tend to weigh advantages of time gained back versus money left from pocket. Spending the time having to deal with these types of attacks just leaves one drained and completely spent mentally. I tend to offer webmail as a third party hosted service. In my opinion there are too many vulnerabilities that can occur with server attached mail. Rackspace is certainly a good source.. not to mention, you acquire so many people to hop on the system and after $150 USD you can convert to a whitelabled reseller system. Worth it in the long run and if you stick with it as you lower the price.. add more value to your services.. add more space for serious emailers (lifeblood of online business happens to be email.. takes away the headache of arrant attempts on your system.

I guess just throwing my opinion out there. It may help. Also, after so many attempts I tend to add the offending IP to HoneyPot for investigation.. not to mention actually adding a honeypot to every site is good practice.