# Thread: Mail log gets weird -- Is it DDoS

1. Newbie (Join Date: Oct 2013, Posts: 27)

## Mail log gets weird -- Is it DDoS

Hi,

My mail logs are getting weird. Kindly find below some samples:

2013-10-30 01:02:12 SMTP connection from [86.97.167.249]:53207 I=[my server ip]:25 (TCP/IP connection count = 2)
2013-10-30 01:02:15 SMTP connection from [120.61.201.10]:22402 I=[my server ip]:25 (TCP/IP connection count = 3)
2013-10-30 01:02:16 SMTP syntax error in "\206\356\2451\005\306\211\254\371p\3719\360\0033\261\303f\363<\35368?\336)\243?\233\020eBNLdD\255\017\022GI\330BH&\237\362Is\004" H=triband-mum-120.61.201.10.mtnl.net.in [120.61.201.10]:22402 I=[my server ip]:25 unrecognized command
2013-10-30 01:02:16 SMTP syntax error in "KV\305\267M\357|zO\264\206'Q=\205tR\336\353\214T\027C\216U"2\030\317\224\313jZT\374\264[\272\264\343^\342\266^4\024\363b,\331.\335u\215\342g\247-1j \356p\3428Q\221\343\246R \360\375\260\313q\353\251\311r\322\377\330w<\222\367y;\306U|\305C\031~\256\261\270\177\301\005F\201d@\032\202\362\324\374\203\2533\223\205\026&\210\20 6\210.\217\207\254\260\204\211dT\325\222Q\037\006\214q\254\346\216\017r\025\221\223j\021\223}\227\332\224\215\376\357\226\205\211\322\230;\0366\232\26 7\255\026\240\256\203%\237\006\v\253\237\237m\302\240#j\300\241(\311\325\243\340]9\245\325\360\033\247\\376\365\035\037\347X\252\336\342\023\253Ry\370\254\362:%\257\v\232:\261E\025\253\265\307\021\251\266\222r?\270\006\030\021\271u >j\272>\251\265\273c" H=triband-mum-120.61.201.10.mtnl.net.in [120.61.201.10]:22402 I=[my server ip]:25 unrecognized command
2013-10-30 01:02:16 SMTP syntax error in "\210\276\374\301\266\300\3167\342\301\273\207d\[email protected]<_\332\304\305\006\033\302\306\305\245\263?\326\233\257A\247q\321\3131n\317\314Y\356C\317\217\17 7\245\321\354\370AR\274Y\330S\203]QWF\250\320\330\241r\202\331\241\031\247R,\211\262\235\350}=\343\216\035"\343\240|7\345c\252\376]\341\367\247\351\253g+\353r[\244\356\344\237:d8b\276\257V\252\265\3638\324\367\367\342\002B\371\220Y\330\373\367\264\353\376G\322\232u\221z\032\001w\331\254x\325\363\236\321}\316 #\bf\251\236~\326\f\266\177\342\212\230\201f\207\313\rV\375,\204\002\037G\321\2323q\025\341-\356\026yd\267\027g\212|\033\336\257\306\035k\006<\036\340\234 \0374\006W"\017>\241"\270\262\213\233\326\326\325\234\263\370\311'\303\263\370*\277\343\275-\212\241m0\254\006\004\246\304Z\307\374\207\32023v\322r\255\310\017\001\261\022D\316\262\275rM?\277kIA\4zB.$vE\376\204\fG\251\035\355H\335<\026J\322?5 L>\344u\303r\177\023\305\251\007\272\307KY\016\310e\311 \324\300\243\322\324\233\307\034\315\005\353OW\273\177\263X\021\326C]\356\234\363^\330\311\274g,\324a\334\302\270b\205\361\002d. Me"\201\343f\317\341yh\236B\020j{ \300km\006\276l\277?;n'1\006o\226b+\350>\217\364\351\314\353.tE{\017wz\2328x\220\265\237\357\250\347\266\373\f\021\200\364\352\032.\2026\037\253\202Aw A\205m\276\372\375\222\345 \210g<\353\210Q\325\252\001\320\302R\006\324"7\b\263\022\363\007\330\343\210\223t\254\271\224\340\325\243\016|\236\261\230\200\227\255\232{\323\211\03 61\270\357\237\300\032\007\241\252G\320\242Q\007\001\245\277\237\341\246\250\314\252\250\250\332\230!l\215\241\255r\271\037\256zl\333'w\261u(m\237\025 \264g\330\340\263w7\366\265" H=triband-mum-120.61.201.10.mtnl.net.in [120.61.201.10]:22402 I=[my server ip]:25 NULL character(s) present (shown as '?')
2013-10-30 01:02:18 SMTP connection from ([10.0.1.6]) [96.51.193.247]:45988 I=[my server ip]:25 closed by QUIT
2013-10-30 01:02:18 SMTP connection from [94.75.244.176]:59362 I=[my server ip]:25 (TCP/IP connection count = 3)
2013-10-30 01:02:21 1VbNv9-0005w6-Uw
2013-10-30 01:02:25 SMTP syntax error in "\312\371\274r\344\305\357rT\225\266\352\2253't\272\221"s\215\357\317\352 _D\351\307\367;sxapt\324]pt$_pt\324]Us\004^Us$_pt~\371\316sn+\243t\316 \317s\025*\210s\356)\210s>+\243tY*\210s\343\337\302th\352Pus\366\272sJ\366\272sL\366\272s\255+\033t/(\007t\002\206\264\353Z\365(\352/(\007t2(\007w|\315>u\351\216 !<\216 t\204\272t<\216 t\274\216 t(\270at\217\265 \350\311\036]ud\300lt\373\351\255tm\300lto\300ltX.\244ue\224\275u\224\275u\212\362\270t\227X\322t\032\255w\340\244\276\353t\246\276\353t\274\004n\352\225\031\233v \306\005\257\354\244Q\036u\257$\005u\204\202\262\354\236\345\313\354\322\214\036u\336\214\036u\240\222<v\236\222<v\313\3607u\371\276ju\345\274\353\352 \355\274ju\212\362\312u\212\362\312u\205\362\312u\377\210\235u\322\346Jv\f\357\367u \361\266v\234\342LwN\033\367u Kfw\3304[\341*\253\177w$\273\351u\322\257\177w'\273\351u\246\377\216\3534!\003v3!\204\353\033)!w\304{\262w\267\214\263\353\200\214\303\353 \342\313w\333" H=[41.76.168.10]:47937 I=[my server ip]:25 unrecognized command

I receive this while I tail the mail log:

# tail -f /var/log/exim_mainlog

This is a web hosting server with CentOS on it. We use Exim. Is this part of a DDoS attack? I have checked and confirmed that the IPs change every time. I had contacted the DC, but their DDoS protection IP filtering is something that I cannot afford now. Now I created a cron job to execute the following command:

netstat -an | grep :25 | grep 'TIME_WAIT' | sort | awk '{print $5}' | awk -F ":" '{print $1}' | grep -v 0.0.0.0 | grep -v 127.0.0.1 | xargs -I {} csf -d {}

But I know this is not going to help as the IPs change every second. Any advice to stop this...

2. Aspiring Evangelist (Join Date: Dec 2011, Location: Tulsa, OK, Posts: 353)

Looks like someone is opening a couple of connections at a time and initiating a bunch of random commands on your server. For now drop all traffic on 25 and secure your server. What mail server are you running (postfix/exim/sendmail)?

Are any other services being affected?

3. Disabled (Join Date: Mar 2007, Posts: 363)

It's more of a hacking attempt I think.
If it was DDoS - it would take your "mail server" down completely.

4. Newbie (Join Date: Oct 2013, Posts: 27)

Thanks for the update.
We are using Exim as the mail service. The service is up and running fine. Is there any possible way to fix this?

5. Junior Guru (Join Date: Feb 2012, Posts: 238)

Hi,

As @ocosa said, "For now drop all traffic on 25 and secure your server."
Implement a firewall with port filtering: CSF, Fail2Ban.

6. Newbie (Join Date: Oct 2013, Posts: 27)

We already have CSF installed....
We tried dropping port 25.. The attack stopped for the time being.. But as soon as we re-enabled the port the attack restarted.
This is a web hosting server.. So dropping port 25 permanently is not possible.

7. Newbie (Join Date: Oct 2013, Posts: 27)

Is there any way I could filter these logs out of the log file, although it's not the correct resolution for the issue?

8. Johnny Cache (Join Date: Nov 2002, Location: Portland, Oregon, Posts: 2,948)

Code:
 # exigrep "syntax error" /var/log/exim_rejectlog /var/log/exim_mainlog | less
^^ this will at least give you a chance to filter out the legits and focus more on the errors you've been receiving lately.

This almost reminds me of what happens when SAV is enabled and got hit with a bunch of bounces/deflects, creating backscatter. Do you have "Sender Verification Callouts" (a bit different from the standard "Sender Verification") enabled in your Exim configs?

You can configure CSF to permblock an I.P. after a certain amount of errors. You can also set CSF to send an X-ARF (Abuse Reporting Format) report to the email of your choice when the flag is triggered.

I've included the area of csf.conf to enable X-ARF as well as an example I got last night.

Code:
 # sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only
 X_ARF = "1"
 X_ARF_FROM = "[email protected]"
 X_ARF_TO = "[email protected]"

Example:

The IP address 94.197.120.21 (GB/United Kingdom/94.197.120.21.threembb.co.uk) was found attacking eximsyntax on xenotron.***.com 1 times in the last 3600 seconds.

Attached is an X-ARF report (see http://www.x-arf.org/specification.html) and the original log report that triggered this block.

Reported-From: [email protected]***.com
Report-ID: [email protected]***.com
Category: abuse
Service: eximsyntax
User-Agent: csf v6.36
Date: 2013-11-01T15:42:58-0700
Source: 94.197.120.21
Source-Type: IPv4
Attachment: text/plain
Schema-URL: http://www.x-arf.org/schema/abuse_lo...ack_0.1.0.json

2013-11-01 15:42:55 SMTP call from 94.197.120.21.threembb.co.uk [94.197.120.21]:47710 dropped: too many syntax or protocol errors (last command was "?g?k?3?9???1??????xenotron.***.com?")
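A worked detector for the pattern discussed in this thread, added here as an example (it is not code from the thread and not CSF's own implementation). It parses exim_mainlog lines of the shapes quoted above, pulls the peer IP from the `H=` field (taking the last match on the line, because the binary garbage inside the quoted command can itself contain quotes or brackets), counts syntax/protocol-error events per IP in a sliding window the way CSF's "N times in the last 3600 seconds" message suggests, and renders the `csf -d` lines for review rather than running them. The sample log is constructed from the thread's lines with the garbage shortened and the server IP replaced by the documentation address 192.0.2.10; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Every exim_mainlog line starts with "YYYY-MM-DD HH:MM:SS " (no timezone
# suffix is assumed, matching the lines quoted in the thread).
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")

# Exim writes the peer as "H=hostname [ip]:port", "H=[ip]:port", or, on the
# final drop line, "SMTP call from hostname [ip]:port". The junk inside the
# quoted command may contain '"', '[' or even 'H=', so callers take the LAST
# match on the line, which is the real peer field after the closing quote.
PEER_RE = re.compile(r"(?:H=|SMTP call from )(?:\S+ )?\[(?P<ip>[0-9A-Fa-f.:]+)\]:\d+")

# Substrings that mark a protocol-abuse event in the lines quoted in the thread.
ERROR_MARKERS = ("SMTP syntax error in", "too many syntax or protocol errors")

# Constructed sample, modelled on the thread's lines (garbage shortened,
# server IP replaced by 192.0.2.10). Not a real capture.
SAMPLE_LOG = r'''2013-10-30 01:02:12 SMTP connection from [86.97.167.249]:53207 I=[192.0.2.10]:25 (TCP/IP connection count = 2)
2013-10-30 01:02:15 SMTP connection from [120.61.201.10]:22402 I=[192.0.2.10]:25 (TCP/IP connection count = 3)
2013-10-30 01:02:16 SMTP syntax error in "\206\356\2451\005\306" H=triband-mum-120.61.201.10.mtnl.net.in [120.61.201.10]:22402 I=[192.0.2.10]:25 unrecognized command
2013-10-30 01:02:16 SMTP syntax error in "KV\305\267M\357|zO\264\206'Q=\205tR\336\353\214T\027C\216U"2\030\317" H=triband-mum-120.61.201.10.mtnl.net.in [120.61.201.10]:22402 I=[192.0.2.10]:25 unrecognized command
2013-10-30 01:02:16 SMTP syntax error in "\210\276\374\301\266" H=triband-mum-120.61.201.10.mtnl.net.in [120.61.201.10]:22402 I=[192.0.2.10]:25 NULL character(s) present (shown as '?')
2013-10-30 01:02:18 SMTP connection from ([10.0.1.6]) [96.51.193.247]:45988 I=[192.0.2.10]:25 closed by QUIT
2013-10-30 01:02:25 SMTP syntax error in "\312\371\274r\344" H=[41.76.168.10]:47937 I=[192.0.2.10]:25 unrecognized command
2013-10-30 01:03:01 SMTP syntax error in "x\001y" H=triband-mum-120.61.201.10.mtnl.net.in [120.61.201.10]:22410 I=[192.0.2.10]:25 unrecognized command
2013-10-30 02:30:00 SMTP syntax error in "\001" H=[41.76.168.10]:47990 I=[192.0.2.10]:25 unrecognized command
2013-10-30 02:30:02 SMTP call from 41.76.168.10 [41.76.168.10]:47991 dropped: too many syntax or protocol errors (last command was "?g?k?")
'''


def parse_event(line):
    """Return (timestamp, peer_ip) for a syntax/protocol-error line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rest = m.group("rest")
    if not any(marker in rest for marker in ERROR_MARKERS):
        return None
    peers = PEER_RE.findall(rest)
    if not peers:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, peers[-1]          # last match is the real H= field


def find_offenders(lines, threshold=5, window=timedelta(seconds=3600)):
    """Sliding-window counter in the spirit of CSF's "N times in the last 3600 seconds".

    Returns {ip: peak_count} for peers that reached `threshold` error events
    inside any `window`-long span. Lines are assumed to be in log order.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        ts, ip = event
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def deny_commands(offenders, comment="eximsyntax"):
    """Render `csf -d <ip> <comment>` lines for an operator to review; nothing is executed."""
    return [f'csf -d {ip} "{comment}: {n} SMTP syntax errors"'
            for ip, n in sorted(offenders.items())]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines(), threshold=3)
    for cmd in deny_commands(hits):
        print(cmd)
```

Run against a real log with `find_offenders(open("/var/log/exim_mainlog"), threshold=..., window=...)`; the one-IP-per-burst behaviour in the thread is exactly why a per-IP threshold over a short window is more useful here than a TIME_WAIT snapshot, which fires on legitimate peers as readily as on the noisy ones.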

9. Newbie (Join Date: Oct 2013, Posts: 10)

## Is that software?

Let me know if I can download the log file of my emails?

10. Newbie (Join Date: Oct 2013, Posts: 27)

I am not sure what you are looking for.
You could find the mail log at /var/log/exim_mainlog for Exim.
You could grep for the required mail ID:

grep '<mail id>' /var/log/exim_mainlog

Sorry if you were not looking for this.

Regards,

11. Junior Guru Wannabe (Join Date: Dec 2009, Posts: 58)

I'm getting hit with a similar attack right now. Definitely have seen an increase in distributed attacks lately. There are some large botnets out there. They aren't denial of service (though this exim attack is significantly increasing my server load) but for a month now I've been experiencing a distributed POST flood that doesn't let up. This exim attack is yet another distributed attack.

12. Johnny Cache (Join Date: Nov 2002, Location: Portland, Oregon, Posts: 2,948)

How often do those messages repeat? It's been a while since I've seen one but there were a few times that I'd send an email from my smartphone (blackberry at the time) and I'd get encrypted syntax errors in my exim log like that. There may be something to change in your mail server configs. Have you made any specific adjustments to the Exim configuration?

13. Junior Guru Wannabe (Join Date: Dec 2009, Posts: 58)

For me, I was getting them every few seconds.

14. Newbie (Join Date: Oct 2013, Posts: 27)

Originally Posted by jfnllc:
How often do those messages repeat? It's been a while since I've seen one but there were a few times that I'd send an email from my smartphone (blackberry at the time) and I'd get encrypted syntax errors in my exim log like that. There may be something to change in your mail server configs. Have you made any specific adjustments to the Exim configuration?

No recent changes have been made to the Exim configuration file. We had it configured by cPanel. The logs are repeating within seconds.

15. Newbie (Join Date: Oct 2013, Posts: 27)

Now I think the attackers are into the act.. I now need about 20 minutes to log in to the server. But server load seems to be normal. But for SSH login it takes about 20 minutes.

16. Johnny Cache (Join Date: Nov 2002, Location: Portland, Oregon, Posts: 2,948)

I suppose you could stop Exim once you've logged in and see if things stabilize. I'd be cranking up the firewall then, to block the IPs with the cryptic syntax and send an X-ARF like I mentioned in my example. Should at least then start to filter out. You could also kick it up to cPanel support and see what they have to say.
