Catch spam sent with proper credentials

Discussion in 'Tips/Tricks/Mods' started by atle, Mar 11, 2021.

    atle (Member, HowtoForge Supporter):

    How to catch spam sent out from your servers when the correct credentials have been given to send the spam? This happens when customers "lose" their e-mail password. Their password could have been cracked, sniffed, or their client has been infected by malware. There are many reasons why this could happen. We never blame the customer when this happens; we want to provide a service that is tolerant of mistakes and ignorance (we want their money).

    Historically these kinds of occasions have caused our most serious spam incidents, which caused our IPs to be blocked. To get an IP off all blocklists is hell; better is to change IP, i.e. let the MTA use another IP for sending mail. But how to avoid this?
    We use the firewall csf, https://configserver.com/cp/csf.html. It is a massive, powerful firewall with many functions. Among these, it has a function that tracks the IPs of clients that send mail with proper credentials.

    A typical pattern of a hijacked e-mail account is that mail is sent from all over the world within very short time spans. This is what csf can catch, and we disable the e-mail account when this happens. Usually we change the password so incoming mail still arrives.

    We have used this for many years on cPanel and DA servers that use exim. ISPConfig uses postfix, and it is actually supposed to work with postfix as well (https://forum.configserver.com/viewtopic.php?f=5&t=9273&p=29768&hilit=LF_DISTSMTP+postfix#p29768).

    I have set this up on our ISPConfig servers, but have no real case yet showing that it works. I have tested the perl regex from the code against the logs produced by postfix on the ISPConfig server, and it should work.

    I will describe here the setup I put in place for one ISPConfig mail server. This is how csf describes this function:
    First, csf needs to be installed. Instructions are here: https://configserver.com/cp/csf.html. Make sure first that you have a working and robust config for csf before continuing with LF_DISTATTACK. There is rigorous documentation in the config file /etc/csf/csf.conf. Take your time to read and understand it.

    I usually install the following before I install csf (Debian 10):
    Code:
    apt-get install liburi-encode-perl
    apt-get install libwww-perl liblwp-protocol-https-perl unzip
    apt-get install ipset
    There is a file "csftest.pl" in the tar package you can run to check whether your server has what it needs. I also prefer to use ipset because it drains fewer resources than plain iptables. The choice to use ipset is set in the csf config.


    The first step is to configure csf properly, and the second step is to create an executable script that is called when there is a distributed attack according to your trigger criteria. You decide in this script what should happen. On cPanel/DA we change the password for the e-mail account; on ISPConfig, for now, we send a ticket to our servicedesk. This will be automated later with the ISPConfig API. Speed is of huge importance in these cases.

    Go to "SECTION:Distributed Attacks" in /etc/csf/csf.conf. These are our settings:

    Code:
    ###############################################################################
    # SECTION:Distributed Attacks
    ###############################################################################
    # Distributed Account Attack. This option will keep track of login failures
    # from distributed IP addresses to a specific application account. If the
    # number of failures matches the trigger value above, ALL of the IP addresses
    # involved in the attack will be blocked according to the temp/perm rules above
    #
    # Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD,
    # LF_HTACCESS
    #
    # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
    # this file about RESTRICT_SYSLOG before enabling this option:
    LF_DISTATTACK = "1"
    
    # Set the following to the minimum number of unique IP addresses that trigger
    # LF_DISTATTACK
    LF_DISTATTACK_UNIQ = "2"
    
    # Distributed FTP Logins. This option will keep track of successful FTP logins.
    # If the number of successful logins to an individual account is at least
    # LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
    # then all of the IP addresses will be blocked
    #
    # This option can help mitigate the common FTP account compromise attacks that
    # use a distributed network of zombies to deface websites
    #
    # A sensible setting for this might be 5, depending on how many different
    # IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL
    #
    # To disable set to "0"
    #
    # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
    # this file about RESTRICT_SYSLOG before enabling this option:
    LF_DISTFTP = "0"
    
    # Set the following to the minimum number of unique IP addresses that trigger
    # LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
    LF_DISTFTP_UNIQ = "3"
    
    # If this option is set to 1 the blocks will be permanent
    # If this option is > 1, the blocks will be temporary for the specified number
    # of seconds
    LF_DISTFTP_PERM = "1"
    
    # Send an email alert if LF_DISTFTP is triggered
    LF_DISTFTP_ALERT = "1"
    
    # Distributed SMTP Logins. This option will keep track of successful SMTP
    # logins. If the number of successful logins to an individual account is at
    # least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
    # addresses, then all of the IP addresses will be blocked. These options only
    # apply to the exim MTA
    #
    # This option can help mitigate the common SMTP account compromise attacks that
    # use a distributed network of zombies to send spam
    #
    # A sensible setting for this might be 5, depending on how many different
    # IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
    #
    # To disable set to "0"
    LF_DISTSMTP = "5"
    
    # Set the following to the minimum number of unique IP addresses that trigger
    # LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
    LF_DISTSMTP_UNIQ = "3"
    
    # If this option is set to 1 the blocks will be permanent
    # If this option is > 1, the blocks will be temporary for the specified number
    # of seconds
    LF_DISTSMTP_PERM = "1"
    
    # Send an email alert if LF_DISTSMTP is triggered
    LF_DISTSMTP_ALERT = "1"
    
    # This is the interval during which a distributed FTP or SMTP attack is
    # measured
    LF_DIST_INTERVAL = "300"
    
    # If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the
    # path to a script, it will run the script and pass the following as arguments:
    #
    # LF_DISTFTP/LF_DISTSMTP
    # account name
    # log file text
    #
    # The action script must have the execute bit and interpreter (shebang) set
    LF_DIST_ACTION = "/usr/local/etc/csf/LF_DISTSMTP.sh"
    The script to be called is defined by LF_DIST_ACTION. This script has to have the executable bit set; I recommend 750. I set the directory to 750 as well.
    This is the script I have implemented for ISPConfig servers. It's a bit messy; its core is from our exim servers.

    Code:
    #!/bin/bash
    #
    # LF_DIST_ACTION script for csf. csf calls it with three arguments:
    #   $1  LF_DISTFTP or LF_DISTSMTP
    #   $2  the account name (here: the e-mail address)
    #   $3  the log line that triggered the detection
    #
    # Needs bash rather than /bin/sh: on Debian /bin/sh is dash, which does
    # not understand the "function" keyword or the arrays used below.
    
    #
    # Send a mail whose body is read from stdin.
    # Usage: distsmtp_sendmail TO SUBJECT [CC] [BCC]
    # Assumes a mail(1) that accepts -a "Header: value" (bsd-mailx style).
    #
    function distsmtp_sendmail {
        to=$1
        subject=$2
        cc=$3
        bcc=$4
        extra=()
    
        # Optional headers go into an array so the space inside each
        # header value survives word splitting when passed to mail.
        test -n "$cc"  && extra+=(-a "Cc: $cc")
        test -n "$bcc" && extra+=(-a "Bcc: $bcc")
    
        mail -s "$subject" -a "From: Company Foo <[email protected]>" "${extra[@]}" "$to"
    }
    
    
    #
    # Suspend a particular email address.
    #
    # Note the cpanel user can unsuspend via the cpanel interface
    #
    function suspend_outgoing_email_chpw {
        email=$1
        #username=$1
        #user=$2
        #domain=$3
    
        # ToDo: Implement disable email account in real-time for ISPC
        #
        # tmp solution: Send a ticket to servicedesk
        #
        echo "E-mail address $email is spamming on server $(hostname). Disable the account asap." |
        distsmtp_sendmail "[email protected]" "Important: E-mail account $email is spamming" "[email protected]"
    }
    
    
    
    logfile=/usr/local/etc/csf/LF_DISTSMTP.log
    RIGHT_NOW=$(date +"%F %R")
    
    # Distributed SMTP Logins. This option will keep track of successful SMTP
    # logins. If the number of successful logins to an individual account is at
    # least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
    # addresses, then all of the IP addresses will be blocked. These options only
    # apply to the exim MTA
    #
    # This option can help mitigate the common SMTP account compromise attacks that
    # use a distributed network of zombies to send spam
    #
    # A sensible setting for this might be 5, depending on how many different
    # IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
    
    # When this script runs, the IP addresses have already been blocked, i.e. an
    # abuse has been detected. Suspend the e-mail address immediately.
    
    type=$1
    email=$2
    logline=$3
    
    # Log the invocation together with every argument csf passed.
    (
        echo "=========================================================================================="
        echo "$RIGHT_NOW"; echo;
    
        while [ "$1" != "" ]; do
            echo "$1"
            shift
        done
    ) >> "$logfile"
    
    # Do nothing unless all three arguments are present.
    if test -z "$type" -o -z "$email" -o -z "$logline"
    then
        exit
    fi
    
    echo "Disable email address $email" >> "$logfile"
    
    suspend_outgoing_email_chpw "$email" >> "$logfile" 2>&1
    
    #######################################################################################################
    #
    # Inform customer and log message
    #
    #######################################################################################################
    (
        echo "The email account $email sends large amounts of spam through the server $(hostname). Spam has been sent using the correct password for $email."
        echo "The e-mail account has therefore been suspended by changing its password. Emails sent to the account will arrive, but it will not be possible to send emails."
        echo "etc, etc, .... kind regards dada."
        echo
        echo
    ) |
    distsmtp_sendmail "$email" "Important: E-Mail account $email is spamming" "[email protected]"
    Don't forget to set the executable bit on the script and restart csf with "csf -ra".

    Disclaimer: This works for a fact on cPanel/DA exim servers. Since we don't have any customers yet in our ISPConfig environment, I have no verification that it works. It definitely should; time will tell.
     
    Last edited: Mar 11, 2021
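As an added illustration of what LF_DISTSMTP actually counts (example code written for this page, not csf's own perl and not the poster's script): a small sliding-window detector run over constructed postfix smtpd log lines, using the LF_DISTSMTP / LF_DISTSMTP_UNIQ / LF_DIST_INTERVAL thresholds from the config section above. The regex is my own reading of the standard postfix `client=...sasl_username=...` line, not the csf regex the post refers to; the hostnames, queue IDs, users and IPs (RFC 5737 test ranges) are made up; and clearing the window after a trigger is a choice of mine, not verified against csf.

```python
"""Sliding-window 'distributed successful SMTP logins' check over postfix logs.

Added example, not csf code. Assumptions: LOGIN_RE is my approximation of the
postfix smtpd "client=" line, and SAMPLE_LOG is constructed test data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LF_DISTSMTP = 5         # successful logins to one account within the interval
LF_DISTSMTP_UNIQ = 3    # ... from at least this many distinct client IPs
LF_DIST_INTERVAL = 300  # seconds

# A successful SASL login is visible on the "client=" line postfix/smtpd writes
# when it accepts a message; failed logins are "warning: ... authentication failed".
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/(?:submission/)?smtpd\[\d+\]: \w+: "
    r"client=[^\s\[]+\[(?P<ip>[0-9A-Fa-f.:]+)\], "
    r"sasl_method=[^\s,]+, sasl_username=(?P<user>[^\s,]+)"
)


def parse_login(line, year=2021):
    """Return (timestamp, account, client_ip) for a successful-login line, else None.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"].lower(), m["ip"]


class DistSmtpDetector:
    """Per-account sliding window of (time, ip) over successful logins."""

    def __init__(self, limit=LF_DISTSMTP, uniq=LF_DISTSMTP_UNIQ, interval=LF_DIST_INTERVAL):
        self.limit, self.uniq, self.interval = limit, uniq, interval
        self.window = defaultdict(deque)  # account -> deque of (ts, ip)

    def feed(self, line):
        """Feed one log line; return (account, sorted_ips, line) on trigger, else None."""
        rec = parse_login(line)
        if rec is None:
            return None
        ts, user, ip = rec
        q = self.window[user]
        q.append((ts, ip))
        # Drop logins older than the interval relative to this one (newest has age 0).
        while (ts - q[0][0]).total_seconds() > self.interval:
            q.popleft()
        ips = {i for _, i in q}
        if len(q) >= self.limit and len(ips) >= self.uniq:
            q.clear()  # one burst -> one action; my choice, not csf's verified behaviour
            return user, sorted(ips), line
        return None


def scan(lines, **kw):
    """Run the detector over an iterable of log lines; return every trigger."""
    det = DistSmtpDetector(**kw)
    return [a for a in (det.feed(l) for l in lines) if a]


def action_args(alert):
    """The three arguments csf passes to LF_DIST_ACTION for an SMTP trigger."""
    user, _ips, line = alert
    return ["LF_DISTSMTP", user, line]


# Constructed sample: alice sends a lot from one IP (legitimate), bob logs in from
# four IPs in 20 seconds (hijacked), carol rotates three IPs but only every 3 minutes.
SAMPLE_LOG = """\
Mar 11 10:00:01 mx1 postfix/smtpd[2101]: 4F1A2B3C4D: client=cust-7.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Mar 11 10:00:12 mx1 postfix/smtpd[2101]: 4F1A2B3C4E: client=cust-7.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Mar 11 10:00:23 mx1 postfix/smtpd[2101]: 4F1A2B3C4F: client=cust-7.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Mar 11 10:00:34 mx1 postfix/smtpd[2101]: 4F1A2B3C50: client=cust-7.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Mar 11 10:00:45 mx1 postfix/smtpd[2101]: 4F1A2B3C51: client=cust-7.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Mar 11 10:01:00 mx1 postfix/submission/smtpd[2144]: 5A6B7C8D9E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob@example.com
Mar 11 10:01:05 mx1 postfix/submission/smtpd[2144]: 5A6B7C8D9F: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=bob@example.com
Mar 11 10:01:09 mx1 postfix/submission/smtpd[2145]: 5A6B7C8DA0: client=unknown[192.0.2.19], sasl_method=LOGIN, sasl_username=bob@example.com
Mar 11 10:01:14 mx1 postfix/submission/smtpd[2145]: 5A6B7C8DA1: client=unknown[192.0.2.200], sasl_method=LOGIN, sasl_username=bob@example.com
Mar 11 10:01:20 mx1 postfix/submission/smtpd[2144]: 5A6B7C8DA2: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob@example.com
Mar 11 10:02:00 mx1 postfix/smtpd[2101]: 6B7C8D9EA0: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=carol@example.com
Mar 11 10:03:00 mx1 postfix/smtpd[2101]: warning: unknown[203.0.113.50]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 11 10:05:00 mx1 postfix/smtpd[2101]: 6B7C8D9EA1: client=unknown[192.0.2.33], sasl_method=PLAIN, sasl_username=carol@example.com
Mar 11 10:08:00 mx1 postfix/smtpd[2101]: 6B7C8D9EA2: client=unknown[198.51.100.44], sasl_method=PLAIN, sasl_username=carol@example.com
Mar 11 10:11:00 mx1 postfix/smtpd[2101]: 6B7C8D9EA3: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=carol@example.com
Mar 11 10:14:00 mx1 postfix/smtpd[2101]: 6B7C8D9EA4: client=unknown[192.0.2.33], sasl_method=PLAIN, sasl_username=carol@example.com
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(action_args(alert))
```

Run as a script it reports only bob: alice has five logins but one IP, and carol's five logins from three IPs never fit inside a 300 s window. Rerunning `scan(..., interval=900)` makes carol trip as well, which is the trade-off LF_DIST_INTERVAL sets: too short and a slow, low-rate zombie network slips under it, too long and a travelling customer whose phone and laptop change networks gets the same treatment as a hijacked account.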