Home » Kerio User Forums » Kerio Connect » Mailserver getting hacked. need help
buzz

Messages: 2
Karma: 0
OK, so I have a major problem.
First of all, I'm getting seriously spammed with failed SMTP logins,
like 2-3 attempts EVERY second, from different IPs all over the world. I've just deleted over 400 000 messages queuing.

I'm only using the webmail with my mail server for me and my family.
So can't I get rid of all these people trying SMTP logins?

And what to do with all these spammers? My computer really doesn't like it.

The changes I've made are:
directory harvest attack set to: 1
max number of messages per hour set to: 2
max number of SMTP connections to 1

In my logs under Mail I have millions of these lines
[11/Jan/2011 04:58:09] DSN: From: <>, To: <botkrx<_at_>yahoo.com.tw>, Size: 4003, Report: failed
[11/Jan/2011 04:58:09] DSN: From: <>, To: <botkrx<_at_>yahoo.com.tw>, Size: 3818, Report: failed
[11/Jan/2011 04:58:09] DSN: From: <>, To: <botkrx<_at_>yahoo.com.tw>, Size: 3988, Report: failed
[11/Jan/2011 04:58:09] DSN: From: <>, To: <botkrx<_at_>yahoo.com.tw>, Size: 3780, Report: failed
[11/Jan/2011 04:58:09] DSN: From: <>, To: <botkrx<_at_>yahoo.com.tw>, Size: 4048, Report: failed
[11/Jan/2011 04:58:09] DSN: From: <>, To: <botkrx<_at_>yahoo.com.tw>, Size: 3901, Report: failed
[11/Jan/2011 04:58:09] DSN: From: <>, To: <botkrx<_at_>yahoo.com.tw>, Size: 3811, Report: failed
[11/Jan/2011 04:58:09] DSN: From: <>, To: <botkrx<_at_>yahoo.com.tw>, Size: 1991, Report: failed

It's always something with <_at_>yahoo.com.tw

Under Security I also have millions of these
[11/Jan/2011 06:51:06] Failed SMTP login from 95.177.117.1
[11/Jan/2011 06:51:10] Failed SMTP login from 116.14.116.133
[11/Jan/2011 06:51:16] Failed SMTP login from 189.70.241.214
[11/Jan/2011 06:51:17] Failed SMTP login from 75.146.12.101
[11/Jan/2011 06:51:42] Failed SMTP login from 88.61.92.186
[11/Jan/2011 06:51:44] Failed SMTP login from 95.225.224.136
[11/Jan/2011 06:51:47] Failed SMTP login from 202.146.225.79
[11/Jan/2011 06:52:02] Failed SMTP login from 58.185.113.149
[11/Jan/2011 06:52:09] Failed SMTP login from 60.54.195.34
[11/Jan/2011 06:52:12] Failed SMTP login from 70.184.39.137

It's not even the same IP twice, ever.

Under Warning I'm getting brute forced

[03/Jan/2011 20:07:12] POP3: User java<_at_>my.dns doesn't exist. Attempt from IP address 66.77.152.23.
[03/Jan/2011 20:07:12] POP3: User 123456<_at_>my.dns doesn't exist. Attempt from IP address 66.77.152.23.
[03/Jan/2011 20:07:12] POP3: User remote<_at_>my.dns doesn't exist. Attempt from IP address 66.77.152.23.
[03/Jan/2011 20:07:12] POP3: User backup<_at_>my.dns doesn't exist. Attempt from IP address 66.77.152.23.
[03/Jan/2011 20:07:12] POP3: User sales<_at_>my.dns doesn't exist. Attempt from IP address 66.77.152.23.
[03/Jan/2011 20:07:12] POP3: User postgres<_at_>my.dns doesn't exist. Attempt from IP address 66.77.152.23.
[03/Jan/2011 20:07:12] POP3: Invalid password for user test<_at_>my.dns. Attempt from IP address 66.77.152.23
[03/Jan/2011 20:07:12] POP3: User web<_at_>my.dns doesn't exist. Attempt from IP address 66.77.152.23.
[03/Jan/2011 20:07:13] POP3: User sandra<_at_>my.dns doesn't exist. Attempt from IP address 66.77.152.23.
[03/Jan/2011 20:07:13] POP3: User root<_at_>my.dns doesn't exist. Attempt from IP address 66.77.152.23.

Someone is just trying every possible name in the world.

And it's different IPs from all over the world here too.

The mail server I use is version 6.x

[Updated on: Tue, 11 January 2011 08:23]
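The three log formats quoted above (Security "Failed SMTP login from", Warning "POP3: User ... doesn't exist" and "POP3: Invalid password for user ...") can be summarised per source IP to see what is actually going on. The script below is an added example for this page, not part of the thread or Kerio's own tooling; the log lines it reads are constructed in the same formats, with the forum's "<_at_>" spelling of "@" normalised, and the IPs are taken from the documentation ranges rather than real attackers. The point a defender wants from the output is the split between "user doesn't exist" (name guessing) and "invalid password" (the account exists, so that password is the one that matters), and how many distinct IPs are involved, since per-host delays or blocks do little when no IP repeats.

```python
import re
from collections import defaultdict

# Constructed sample in the Kerio Connect Security/Warning log formats quoted in the
# thread. The forum rewrote "@" as "<_at_>"; both spellings are accepted below.
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
[11/Jan/2011 06:51:06] Failed SMTP login from 198.51.100.7
[11/Jan/2011 06:51:10] Failed SMTP login from 203.0.113.21
[11/Jan/2011 06:51:16] Failed SMTP login from 198.51.100.7
[03/Jan/2011 20:07:12] POP3: User java<_at_>example.test doesn't exist. Attempt from IP address 192.0.2.44.
[03/Jan/2011 20:07:12] POP3: User backup<_at_>example.test doesn't exist. Attempt from IP address 192.0.2.44.
[03/Jan/2011 20:07:12] POP3: Invalid password for user test<_at_>example.test. Attempt from IP address 192.0.2.44
[03/Jan/2011 20:07:13] POP3: User root@example.test doesn't exist. Attempt from IP address 192.0.2.44.
[03/Jan/2011 20:07:15] POP3: Invalid password for user alice@example.test. Attempt from IP address 203.0.113.21
[03/Jan/2011 20:07:16] SMTP: Message accepted from 203.0.113.9
"""

IP = r"(?P<ip>\d+(?:\.\d+){3})"
SMTP_FAIL = re.compile(r"^\[(?P<ts>[^\]]+)\] Failed SMTP login from " + IP + r"\s*$")
POP3_NOUSER = re.compile(
    r"^\[(?P<ts>[^\]]+)\] POP3: User (?P<user>\S+) doesn't exist\. Attempt from IP address " + IP + r"\.?$")
POP3_BADPW = re.compile(
    r"^\[(?P<ts>[^\]]+)\] POP3: Invalid password for user (?P<user>\S+)\. Attempt from IP address " + IP + r"\.?$")


def parse_line(raw):
    """Return (kind, ip, user) for a recognised authentication-failure line, else None."""
    line = raw.replace("<_at_>", "@")
    m = SMTP_FAIL.match(line)
    if m:
        return ("smtp_fail", m.group("ip"), None)          # Kerio logs no username here
    m = POP3_NOUSER.match(line)
    if m:
        return ("pop3_nouser", m.group("ip"), m.group("user"))  # name guessing
    m = POP3_BADPW.match(line)
    if m:
        return ("pop3_badpw", m.group("ip"), m.group("user"))   # account exists, password tried
    return None


def summarize(log_text, enum_threshold=3):
    """Aggregate failures per source IP and flag enumeration and probed real accounts."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": set()})
    existing_probed = set()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        kind, ip, user = parsed
        per_ip[ip]["failures"] += 1
        if user is not None:
            per_ip[ip]["users"].add(user)
        if kind == "pop3_badpw":
            existing_probed.add(user)
    return {
        "distinct_ips": len(per_ip),
        "total_failures": sum(r["failures"] for r in per_ip.values()),
        # an IP that tries several different usernames is walking a name list
        "enumerating_ips": sorted(ip for ip, r in per_ip.items() if len(r["users"]) >= enum_threshold),
        # these accounts are real; their passwords are what the brute force is after
        "existing_accounts_probed": sorted(existing_probed),
        "failures_per_ip": {ip: r["failures"] for ip, r in per_ip.items()},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real Security or Warning log by replacing SAMPLE_LOG with the file contents; the "existing_accounts_probed" list is the one to act on first, because Kerio's differing messages for unknown user versus wrong password confirm to the sender which names are valid.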

marcin_rybak

Messages: 12
Karma: 0
Maybe add a delay for hosts that aren't in your known IP addresses?
My IT Indy

Messages: 1262
Karma: 40
Get a good firewall with snort or some other IDS?

-
My IT Indy
Kerio Certified Reseller and Hosted Provider
http://www.myitindy.com
elias

Messages: 114
Karma: 0
buzz wrote on Mon, 10 January 2011 22:11
I've just deleted over 400 000 messages queuing.

And what to do with all these spammers? My computer really doesn't like it.

Um, why did your server queue 400,000 messages? The SMTP login attempts are relatively harmless as long as you and your family use good passwords, but accepting that volume of mail is a much larger problem.

-Elias
matti763

Messages: 27
Karma: 0
Your queue from "nobody" to some other domain is not a sign of a hacked mail server. It seems to be backscatter junk mail. You cannot really block it, because it is based on SMTP protocol standard behavior.

You can contact Kerio support to ask if they have some custom filter to prevent this.
elias

Messages: 114
Karma: 0
matti763 wrote on Tue, 11 January 2011 13:02
Your queue from "nobody" to some other domain is not a sign of a hacked mail server. It seems to be backscatter junk mail. You cannot really block it, because it is based on SMTP protocol standard behavior.

No, this isn't right. Backscatter only happens when you accept the mail first and then it bounces internally. Out of the box, Kerio doesn't accept mail that would ultimately result in backscatter. So the important question is, why did the server accept the mail in the first place? Solve that and the backscatter goes away (as does the 400,000 messages in queue).

-Elias
nhoague

Messages: 853
Karma: 18
Steps to take: first, the "obvious" one, make sure you are NOT accepting relay. Second, turn up your SMTP delay; 15 seconds is the default, make it 30. Valid email servers WILL wait to deliver a good email, SPAMbots won't.

Agree with Elias, your server should never send DSN unless it first accepted the message.

As for the brute force, get used to it. Nothing you can do except make sure you use good passwords. Also, I turn off the local IP, so no one on the outside can ever find internal IP of messages sent.

You should see some of my logs ... scary. But we also use Kerio Control and that helps a TON in getting rid of bogus network traffic.
buzz

Messages: 2
Karma: 0
Where do I find those settings in the admin console?
I can't find them.

And about the 400k messages: I just deleted them.
matti763

Messages: 27
Karma: 0
Sorry, I must explain more specifically. This happens when you have more than one mail server and you use domain forwarding. If the mailbox does not exist, the first mail server accepts the mail and then forwards the message to the second mail server. And when the second mail server cannot find the mailbox, then this backscatter problem happens.

Not using myself, but distributed domain feature should solve this problem?
d.

Messages: 169
Karma: 0
Hi there.

Kerio Connect admin console -> Configuration -> SMTP Server

Cheers,
D.

Kedar

Messages: 1320
Karma: 48
matti763 wrote on Wed, 12 January 2011 07:46

Not using myself, but distributed domain feature should solve this problem?


Distributed domain (DD) should solve your problem. All servers have a list of valid user accounts from LDAP (Active Directory, Open Directory) and know on which server the mailbox is placed. It's better than blind forwarding to another server.

If you can't use DD for some reason (no Active or Open Directory), there should be some "trash" account (catch-all account) on the destination server. In simple forwarding, the first server doesn't know if the remote account exists, so the e-mail is accepted, processed and forwarded. The second server refuses this message if the recipient doesn't exist, and it generates a DSN.
You can make an alias accepting all messages on the destination server: make an alias with an asterisk * (*@yourdomain) and assign it to the catch-all account.
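The mechanism Elias and Kedar describe (a DSN only exists because the front server answered 250 before it knew the mailbox was bogus) is easy to see in a small model of the two-server setup. The script below is an added illustration written for this page, not Kerio code or the thread's own configuration; the server classes, the user list "alice"/"bob", the "trash" catch-all and the forged sender addresses are all constructed. It runs the same constructed batch of traffic (one legitimate message plus four messages to guessed names with a forged sender) through the three arrangements discussed in the thread: blind forwarding, a distributed domain where the front server has the directory, and a catch-all alias on the destination server.

```python
# Toy model of the forwarding setups discussed above. Added example, not Kerio code;
# servers, users and addresses are constructed.

from collections import Counter

VALID_USERS = {"alice@example.test", "bob@example.test"}


class BackendServer:
    """Destination server: the only one that knows which mailboxes exist."""

    def __init__(self, valid_users, catch_all=None):
        self.valid_users = set(valid_users)
        self.catch_all = catch_all      # "trash" account behind a *@domain alias, if any
        self.delivered = Counter()      # mailbox -> messages stored

    def rcpt_to(self, recipient):
        """Reply to RCPT TO: 250 accepts, 550 refuses inside the SMTP session."""
        if recipient in self.valid_users:
            self.delivered[recipient] += 1
            return "250 2.1.5 OK"
        if self.catch_all is not None:
            self.delivered[self.catch_all] += 1   # junk lands in the catch-all, no bounce
            return "250 2.1.5 OK"
        return "550 5.1.1 User unknown"


class FrontServer:
    """Public-facing server that forwards the domain to the backend."""

    def __init__(self, backend, directory=None):
        self.backend = backend
        # directory: valid users learned via a distributed domain; None = blind forwarding
        self.directory = directory
        self.dsn_sent = []              # bounces this server generated
        self.rejected_in_session = 0

    def deliver(self, mail_from, rcpt_to):
        # Stage 1: the SMTP session with the remote sender. Refusing at RCPT TO
        # means we never took responsibility for the message, so we never bounce it.
        if self.directory is not None and rcpt_to not in self.directory:
            self.rejected_in_session += 1
            return "550 5.1.1 User unknown"
        # Stage 2: we already answered 250 and own the message; hand it to the backend.
        reply = self.backend.rcpt_to(rcpt_to)
        if reply.startswith("550"):
            # Too late to refuse: a DSN goes to the envelope sender with an empty
            # envelope sender of its own ("From: <>" in the thread's Mail log).
            # Spam forges MAIL FROM, so this bounce hits an uninvolved third party.
            self.dsn_sent.append({"from": "<>", "to": mail_from, "failed_rcpt": rcpt_to})
            return "DSN generated"
        return "250 2.1.5 OK"


def run_scenario(directory=None, catch_all=None):
    """Push the constructed traffic through one arrangement and report what happened."""
    backend = BackendServer(VALID_USERS, catch_all=catch_all)
    front = FrontServer(backend, directory=directory)
    traffic = [("friend@example.org", "alice@example.test")] + [
        ("victim@example.net", f"{name}@example.test") for name in ("sales", "root", "backup", "web")
    ]
    for mail_from, rcpt_to in traffic:
        front.deliver(mail_from, rcpt_to)
    return {
        "dsn_count": len(front.dsn_sent),
        "rejected_in_session": front.rejected_in_session,
        "delivered": dict(backend.delivered),
    }


if __name__ == "__main__":
    print("blind forwarding  :", run_scenario())
    print("distributed domain:", run_scenario(directory=VALID_USERS))
    print("catch-all alias   :", run_scenario(catch_all="trash@example.test"))
```

Only blind forwarding produces DSNs; the distributed domain refuses the four bogus recipients inside the session, and the catch-all accepts them into the trash account instead of bouncing them. The catch-all therefore trades backscatter for stored junk, which is why the directory-backed rejection is the cleaner fix.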