Kerio User Forums » Kerio Connect » directory harvest attack

ottavio

Messages: 5
Karma: 0
Hi,
we are under this kind of attack,
the IP address 192.168.1.99 is our firewall so we cannot tell which is the real attacking IP
- our email flow is very slow, some users do not receive any email, neither internally nor externally.
- we don't relay through our SMTP server
- if we restart the server we get 20 minutes where the email flow is fine, but then in the security log we get the same issue again:

[02/Jul/2007 18:32:38] Failed POP3 login from 192.168.1.99
[02/Jul/2007 18:32:44] Last message repeated 3 times
[02/Jul/2007 18:33:06] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:33:14] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:33:33] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:33:38] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:33:44] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:33:51] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:33:59] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:34:04] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:34:10] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:34:14] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:34:16] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:34:21] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:34:21] Failed POP3 login from 192.168.1.99
[02/Jul/2007 18:34:44] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:34:46] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:34:46] SMTP connection from 192.168.1.99 rejected: directory harvest attack

MCSE, CISSP
winkelman

Messages: 2119
Karma: 3
You must surely be able to check the originating IP on the firewall and block it there... That's your only option.

(Besides making sure every account on your mail server has a password and that all passwords are strong. This will prevent the directory harvest attack from being successful [in the long run].)
ottavio

Messages: 5
Karma: 0
Hi mate,
thanks for the answer.
Unfortunately on my firewall I can see:

Total Number of Sessions: 201
Protocol From IP From Port To IP To Port Expire(secs) Clear
tcp 216.9.253.143 40850 89.202.181.168 110 30
tcp 192.168.1.74 1299 195.39.55.10 80 0
udp 192.168.1.168 4115 212.23.32.70 53 169
udp 192.168.1.168 4107 212.23.32.70 53 146
udp 192.168.1.168 4099 212.23.32.70 53 136
tcp 82.89.217.242 2095 89.202.181.168 110 113
tcp 192.168.1.74 1335 192.168.1.99 443 3599
udp 192.168.1.74 1329 212.23.32.70 53 83
tcp 82.89.217.242 3063 89.202.181.168 110 26
udp 192.168.1.167 3930 212.23.32.70 53 170
udp 192.168.1.168 4059 212.23.32.70 53 38
tcp 192.168.1.9 4825 89.202.181.168 110 109
tcp 195.14.187.57 2091 89.202.181.168 25 34
udp 192.168.1.167 3922 212.23.32.70 53 137
udp 192.168.1.168 4051 212.23.32.70 53 29
tcp 68.202.177.191 27297 89.202.181.167 25 19
udp 192.168.1.167 3914 212.23.32.70 53 61
udp 192.168.1.168 4043 212.23.32.70 53 17
udp 192.168.1.168 4091 212.23.32.70 53 113
udp 192.168.1.168 4083 212.23.32.70 53 85

and for example this entry looks bad:

tcp 76.168.149.56 4562 89.202.181.167 25 67

Investigating it further:

C:\Documents and Settings\Ottavio>nslookup 76.168.149.56
Server: ns-cache0.lon.interoute.net
Address: 212.23.32.70

Nome: cpe-76-168-149-56.socal.res.rr.com
Address: 76.168.149.56

BUT I have many entries of this kind,
so I don't know what to do :(


MCSE, CISSP
sedell

Messages: 1168
Karma: 1
Turn off the directory harvest protection. You can't use it if you have a gateway or firewall relaying mail into the network. It causes every incoming message to show the IP as your gateway, and causes the problem you are seeing.

You might not even really be getting a directory harvest attack. It could just be a spammer sending mail to your users from hundreds of IPs, or using an address at your domain as the return address. Either one will cause lots of mail to come at you from many IPs, but Kerio only sees your gateway/firewall and blocks it.

[Updated on: Mon, 02 July 2007 19:42]


Scott
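The diagnosis above can be checked mechanically: if every directory-harvest rejection in the security log names the gateway, while the firewall session table shows many distinct external hosts connecting to port 25, the protection is counting all of the Internet as one client. The following script is an added example and is not from the thread or from Kerio; it parses constructed sample lines modelled on the two listings quoted above (the log format and the session-table column order are taken from the thread, the helper names and the "nat_masked" verdict are this example's own).

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample of Kerio security-log lines, in the format quoted in the thread.
SECURITY_LOG = """\
[02/Jul/2007 18:33:06] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:33:14] SMTP connection from 192.168.1.99 rejected: directory harvest attack
[02/Jul/2007 18:34:21] Failed POP3 login from 192.168.1.99
[02/Jul/2007 18:34:44] SMTP connection from 192.168.1.99 rejected: directory harvest attack
"""

# Constructed sample of the firewall session table, same column layout as in the thread:
# proto, from IP, from port, to IP, to port, expire(secs)
SESSIONS = """\
tcp 216.9.253.143 40850 89.202.181.168 110 30
tcp 192.168.1.74 1299 195.39.55.10 80 0
tcp 195.14.187.57 2091 89.202.181.168 25 34
tcp 68.202.177.191 27297 89.202.181.167 25 19
tcp 76.168.149.56 4562 89.202.181.167 25 67
udp 192.168.1.168 4083 212.23.32.70 53 85
"""

DHA_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] SMTP connection from (?P<ip>\S+) rejected: directory harvest attack$"
)


def dha_rejections_by_ip(log_text):
    """Count directory-harvest rejections per source IP as the mail server sees them."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DHA_LINE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def inbound_smtp_sources(session_text, mail_ports=(25,)):
    """Return the external (non-private) source IPs that hold TCP sessions to the mail ports.

    These are the real clients the NAT hides from the mail server.
    """
    sources = set()
    for line in session_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip headers or partial lines
        proto, src, _sport, _dst, dport, _expire = parts
        if proto == "tcp" and int(dport) in mail_ports and not ip_address(src).is_private:
            sources.add(src)
    return sources


def diagnose(log_text, session_text, gateway_ip):
    """Decide whether DHA protection is being fed the gateway address instead of real clients.

    nat_masked is True when the only IP ever rejected is the gateway itself while the
    firewall sees more than one distinct external SMTP client: the per-client counter has
    collapsed onto the gateway and the protection will block all inbound mail.
    """
    rejections = dha_rejections_by_ip(log_text)
    real_sources = inbound_smtp_sources(session_text)
    nat_masked = set(rejections) == {gateway_ip} and len(real_sources) > 1
    return {
        "rejections": dict(rejections),
        "real_sources": sorted(real_sources),
        "nat_masked": nat_masked,
    }


if __name__ == "__main__":
    result = diagnose(SECURITY_LOG, SESSIONS, "192.168.1.99")
    print(f"DHA rejections per IP: {result['rejections']}")
    print(f"External SMTP clients seen by the firewall: {result['real_sources']}")
    if result["nat_masked"]:
        print("Verdict: the gateway rewrites source addresses; disable DHA protection on the "
              "mail server or stop the NAT from masking the source, then re-enable it.")
```

Run it against exports of your own security log and firewall session table instead of the constructed samples. If the verdict is "nat_masked", the per-IP counters on the mail server are useless until the firewall presents the original client address, which is the point both sedell and feuser make.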
feuser

Messages: 6
Karma: 0
Your problem is really the firewall. Most measures against spam and abuse - whether on a Kerio Mailserver or other - require IP information of the connecting host or relaying server.

You need to configure your firewall to keep the original source and not re-write the packets. What brand/model of firewall are you using?
