    dictionary attack


    There is already a thread on this from a few days back, but I don't want to hijack that thread with my issue.

    Last month, we got a new customer, we'll say the domain is It's just a personal site, no scripts at all, just a few articles, etc.

    Anyway I've been noticing, at random times, exim has been putting a bit of load on the server. Not too much, but enough to make me uncomfortable. It has made the load go from 0.5 to 1.0 or so. Finally today I checked out what might be the problem. In /var/exim_mainlog, I saw entry after entry of mail being sent to non-existent users on I checked and at the time, there were 55 connections to port 25.

    Firstly, :fail: is set on all domains, and we have a script which blocks an IP address if it sends to a non-existent user so many times. It's working, but the attack switches to a different IP address every time one is blocked. I've blocked what I could, but the IPs just keep changing.

    I can't see much else I can possibly do, so I'm up for any suggestions. Thank goodness :fail: is set, and thank goodness we have that script to block IP addresses.

    It is the reason this customer switched to us; her previous host didn't try to do anything about the issue when she complained about hundreds of spam emails coming in.

    Anyway, any suggestions are greatly appreciated.


    That's exactly the script we have installed to take care of these kinds of issues. Like I said, the issue is that the IP changes every time one is blocked.

    We have the same problem with a customer. He is under attack, and in exim_mainlog I can see that he receives a lot of emails per second to email accounts that do not exist, and my server load is always high!

    Originally posted by adapter
    We have the same problem with a customer. He is under attack, and in exim_mainlog I can see that he receives a lot of emails per second to email accounts that do not exist, and my server load is always high!
    Well, I do know it'd be much higher if accounts had :blackhole: for the default address rather than :fail:, so if for you it is really that high, that is, over 3 or 4, etc., I'd check on that.

    For me the load isn't too high, though sometimes it does go up to about 1.2, so I'd like to get this taken care of.

    Right now things are settled down, it is only at 0.08. It seems to fluctuate, though.

    Even though it's low right now, I can tell it is still occurring, because the last attempt happened this very minute.

    Using :blackhole: can indeed set your load average through the roof if you're under dictionary attack. It can also create a nice big mail queue which will exacerbate the problem.

    If you do have a domain under dictionary attack on a cPanel server you really should:

    1. Make sure that the Default Alias is set to :fail:

    2. Setup any Forwarders that are used on the domain if it used to use the Default Alias

    3. Install a dictionary attack ACL:

    This should help greatly. And just in case you have the version of BFD which tries to do something similar but with your firewall, I'd strongly recommend disabling it:

    rm -fv /usr/local/bfd/rules/exim

    This is because a distributed dictionary attack will quickly fill your iptables up and create an even greater load on your server.
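    As an added example that is not part of this thread, cPanel, or BFD's own scripts: a small Python scan of exim_mainlog that does what the per-IP blocking script described above does (count :fail: rejections per source IP and emit block commands once a threshold is crossed), and alongside it counts the distinct source IPs hitting each target domain, which is what shows an attack is distributed and that per-IP blocking will keep chasing it. The log lines are constructed for the example, and the exact reject wording ("rejected RCPT <...>: No Such User Here") is an assumption about how Exim logs a :fail: default alias on cPanel; check it against your own /var/log/exim_mainlog before relying on the regex.

```python
import re
from collections import defaultdict

# Constructed sample exim_mainlog lines (not taken from the thread). The
# "rejected RCPT <...>: No Such User Here" shape is an assumption about how
# Exim logs a :fail: default alias; the last two lines are ordinary
# accepted/delivered traffic that must not be counted.
SAMPLE_LOG = """\
2005-03-14 10:15:22 H=(mx.example.org) [192.0.2.10] F=<a@example.org> rejected RCPT <aaron@customer.example>: No Such User Here
2005-03-14 10:15:22 H=(mx.example.org) [192.0.2.10] F=<a@example.org> rejected RCPT <abby@customer.example>: No Such User Here
2005-03-14 10:15:23 H=(mx.example.org) [192.0.2.10] F=<a@example.org> rejected RCPT <adam@customer.example>: No Such User Here
2005-03-14 10:15:23 H=(mx.example.org) [192.0.2.10] F=<a@example.org> rejected RCPT <adrian@customer.example>: No Such User Here
2005-03-14 10:15:24 H=(mx.example.org) [192.0.2.10] F=<a@example.org> rejected RCPT <alan@customer.example>: No Such User Here
2005-03-14 10:15:24 H=(mx.example.org) [192.0.2.10] F=<a@example.org> rejected RCPT <albert@customer.example>: No Such User Here
2005-03-14 10:15:30 H=(h7.example.net) [198.51.100.7] F=<b@example.net> rejected RCPT <alex@customer.example>: No Such User Here
2005-03-14 10:15:31 H=(h7.example.net) [198.51.100.7] F=<b@example.net> rejected RCPT <alice@customer.example>: No Such User Here
2005-03-14 10:15:40 H=(h5.example.com) [203.0.113.5] F=<c@example.com> rejected RCPT <amy@customer.example>: No Such User Here
2005-03-14 10:16:01 1D9xyz-0001Ab-CD <= bob@example.net H=(relay.example.net) [192.0.2.99] P=esmtp S=1234 id=1@example.net
2005-03-14 10:16:02 1D9xyz-0001Ab-CD => alice <alice@other.example> R=localuser T=local_delivery
"""

# Timestamp, then the client address in square brackets, then the :fail: reject.
REJECT_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d .*?\[(?P<ip>[0-9a-fA-F.:]+)\] "
    r".*?rejected RCPT <(?P<rcpt>[^>]+)>: No Such User Here"
)


def parse_rejects(lines):
    """Yield (source_ip, target_domain) for every :fail: rejection in the log."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            domain = m.group("rcpt").rsplit("@", 1)[-1].lower()
            yield m.group("ip"), domain


def rejects_per_ip(lines):
    """How many non-existent recipients each client IP tried (the blocker's view)."""
    counts = defaultdict(int)
    for ip, _ in parse_rejects(lines):
        counts[ip] += 1
    return dict(counts)


def offenders(lines, threshold=5):
    """IPs that hit the :fail: alias at least `threshold` times."""
    return sorted(ip for ip, n in rejects_per_ip(lines).items() if n >= threshold)


def sources_per_domain(lines):
    """Distinct client IPs per targeted domain (the distributed-attack view)."""
    sources = defaultdict(set)
    for ip, domain in parse_rejects(lines):
        sources[domain].add(ip)
    return {d: len(s) for d, s in sources.items()}


def distributed_targets(lines, min_sources=3):
    """Domains being probed from at least `min_sources` different IPs."""
    return sorted(d for d, n in sources_per_domain(lines).items() if n >= min_sources)


def block_commands(ips, chain="INPUT"):
    """iptables commands a per-IP blocker would run. Against a rotating attack this
    list only ever grows, which is the firewall-bloat problem described above."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("rejects per IP:", rejects_per_ip(lines))
    print("would block:", offenders(lines))
    print("domains hit from >=3 sources:", distributed_targets(lines))
    for cmd in block_commands(offenders(lines)):
        print(cmd)
```

Run against a real log with `python3 script.py < /var/log/exim_mainlog` after swapping SAMPLE_LOG for `sys.stdin`. Notice that with a threshold of 5 only 192.0.2.10 gets blocked while two other sources have already started on the same domain, so the domain-level count is the signal that per-IP blocking is losing; whatever does the blocking should also expire old entries (for example an ipset with a timeout) rather than appending to iptables forever.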

    Thanks for the tips Jonathan, though I think they apply more to adapter, since we already have these precautions in place. I'm glad we do, too, as I've said above.

    It is still occurring here, unfortunately, though not too badly right now.

    AFAIK, at this point all you can do is try the legal route, i.e., find out WHERE these emails are coming from, contact the host, and then write a C&D letter to be prepared to send out. CHANCES are it's some stupid script kiddie who got upset at this customer for some IDIOTIC reason.
