DDoS + postfix flush service failure

Discussion in 'General' started by dynamind, Jan 7, 2014.

  1. dynamind

    dynamind Member

    Hello,

my server has been under fire by hackers for several hours, it's a denial of service attack on postfix. Now I found a nice guide for adding arno-iptables-firewall with fwsnort & psad.
    Still the problem is that the mysql server quits while receiving 100 non-existing emails per second with a "flush service failure". All the incoming smtp attempts belong to one domain of my clients, it's not my domain.

    What can I do to prevent the mysql server from breaking down? Do I need to harden postfix or mysql?

    edit 23:51

    postqueue holds more than 9000 spam mails for one mail domain to unknown recipients, I'm receiving about 60 mails per minute.

    It shouldn't be possible that someone sends mails on this server without authentication.

    best regards & a happy new year
     
    Last edited: Jan 8, 2014
  2. tahunasky

    tahunasky Member

    I am not exactly sure what your problem is... but I have been having problems too with spammers trying to use my server as a relay - I actually think it could be infected PCs, as the IP addresses are changing all the time, but the same email addresses are being used. Below are a couple of examples from my mail log.

    Jan 10 07:48:51 tui postfix/smtpd[12701]: warning: static-71-122-185-194.tampfl.fios.verizon.net[71.122.185.194]: SASL LOGIN authentication failed: Connection lost to authentication server

    Jan 10 07:48:52 tui postfix/smtpd[12703]: NOQUEUE: reject: RCPT from unknown[64.27.3.251]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<WIN-ZNDU8MJ496E>

    All I have done is write a filter for fail2ban to block the sites.
    If this is what your problem is, and you are not sure how to do the fail2ban filter, let me know and I can help you out.
     
  3. dynamind

    dynamind Member

    I found out anyhow that my fail2ban config had been overwritten, so it did not block a single attempt. And a group of attackers noticed it.
    I worked through the whole howto guide for ispconfig on debian and modified the smtp and fail2ban settings, ran php -q update.php of ispconfig and now it's safe again.

    thanks
     
  4. dynamind

    dynamind Member

    still unsolved

    someone is still filling my postqueue with senseless spam:

    mail.log

    that's my postfix main.cf:

    help would be really appreciated! thanks in advance
     
    Last edited: Jan 14, 2014
  5. lusso64

    lusso64 New Member

    I hope you find an answer as I am having exactly the same problem.

    Dave
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    There are 2 common reasons for your problems:

    1) one of your websites got hacked, and the spammers fill your mailqueue through this site with a php script.
    2) A mail account has been hacked and the spams are delivered with smtp authentication.

    Take a look at one of the mails in your mailqueue with postcat to see which of the 2 options applies.

    http://www.howtoforge.com/forums/showthread.php?t=64301&highlight=postcat
     
  7. lusso64

    lusso64 New Member

    Thanks Till - excellent information and the problem has been identified. Just need to work out the best solution....
     
  8. dynamind

    dynamind Member

    Hi Till,

    guess that's it!

    It was 2 accounts of a client who had a trojan-infected laptop 2 weeks ago.
    Passwords changed, restarted sasl + postfix and now it looks like problem's gone.
    Thanks a lot.

    best regards
     
  9. dynamind

    dynamind Member

    update

    The story didn't end here, so I'll send you an update on what I found out, because it took about a week to fix everything sustainably:

    A client was infected with Win32/Kryptik.BSLR, which was able to extract all 5! legit email accounts and distribute this data to an evil zombie botnet.
    And only the developer knows what else has been sent, maybe all contacts and other credentials too.
    All happened because he opened a document link from a spam mail; it looks like this:


    It was just 1 week he had no Internet Security!

    This botnet makes use of the Blat windows mailer software and it appears to be used for malware distribution and for sending spam mail containing a link to
    a document, making it look like it comes from "Volksbank, Telekom, Vodafone" and so on. The Trojan is also used as a Blat mailer daemon spreading the spam from regular email accounts,
    abusing the credentials on the infected machines.

    That's what the mailheader looks like:

    Code:
    X-MSMail-Priority: High
    X-Priority: 1
    Priority: urgent
    Importance: high
    X-MimeOLE: Produced by Blat v3.1.1
    X-Mailer: Blat v3.1.1, a Win32 SMTP/NNTP mailer http://www.blat.net
    Message-ID:
    Subject: Ihre Rechnung vom 16.01.2014 im Anhang als PDF, Nr126745317877.
    Content-Type: text/html;
    charset="ISO-8859-1"
    Content-Transfer-Encoding: quoted-printable
    Envelope-To:
    X-GMX-Antispam: 0 (Mail was not recognized as spam); Detail=V3;
    X-GMX-Antivirus: 0 (no virus found)
    No one knows why, but as we see here this email is not flagged as spam, even with the link pointing at such a document:

    https://www.virustotal.com/de/url/c...7e845cc757b231da25677256f06ca4a69b7/analysis/

    spamassassin doesn't recognize it at the moment.
    The report of the infected 'document' can be found here:

    https://www.virustotal.com/de/file/...8649c22620caae47f8ee7a88/analysis/1389977349/

    The only option I found now is to harden postfix with header checks; I applied a guide found here, which I modified to block even the Blat X-Mailer completely.

    Hope it helps some of you too.

    update:

    nice, it works perfectly

    best regards
     
    Last edited: Jan 20, 2014
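As an added example (not code from the thread or from ISPConfig), the following script does in Python what till's postcat advice in post 6 and dynamind's header_checks in post 9 do by hand: it parses a `postcat -q` dump, decides whether the queued mail came in with SMTP authentication (a compromised account) or from a local script (a hacked website), and flags the Blat X-Mailer / X-MimeOLE headers. The postcat dump, the addresses and the two Blat patterns are constructed assumptions for the demonstration.

```python
import re

# Constructed sample (not from the thread) of the envelope and header part of a
# `postcat -q <queue-id>` dump: mail accepted via SASL LOGIN from a Blat client.
SAMPLE_POSTCAT = """\
*** ENVELOPE RECORDS deferred/A/A1B2C3D4E5 ***
sender: [email protected]
named_attribute: log_client_address=192.0.2.77
named_attribute: sasl_username=[email protected]
*** MESSAGE CONTENTS deferred/A/A1B2C3D4E5 ***
Received: from WIN-EXAMPLE (unknown [192.0.2.77])
    by mail.example.net (Postfix) with ESMTPA id A1B2C3D4E5
X-Mailer: Blat v3.1.1, a Win32 SMTP/NNTP mailer http://www.blat.net
X-MimeOLE: Produced by Blat v3.1.1

<html>body</html>
"""
# Assumed patterns, the same ones a pcre: header_checks table would REJECT on.
BLAT_PATTERNS = [re.compile(r"^X-Mailer:.*\bBlat\b", re.I),
                 re.compile(r"^X-MimeOLE:.*\bBlat\b", re.I)]

def parse_postcat(text):
    """Split a postcat dump into envelope attributes and unfolded headers."""
    envelope, headers = {}, []
    env_part, _, msg_part = text.partition("*** MESSAGE CONTENTS")
    for line in env_part.splitlines():
        key, sep, val = line.partition(": ")
        if key == "named_attribute":           # e.g. sasl_username=...
            key, _, val = val.partition("=")
        if sep:
            envelope[key] = val.strip()
    for line in msg_part.splitlines()[1:]:     # [0] is the rest of the marker
        if not line.strip():
            break                              # blank line ends the headers
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()  # unfold a continuation line
        else:
            headers.append(line)
    return envelope, headers

def classify_origin(envelope):
    # The two causes till names: authenticated account vs. local PHP script.
    if envelope.get("sasl_username"):
        return "compromised-account"       # sent with SMTP authentication
    if envelope.get("log_client_address") in ("127.0.0.1", "::1"):
        return "local-script"              # injected locally, e.g. hacked site
    return "unauthenticated-remote"
def blat_headers(headers):
    # Header lines a Blat-blocking header_checks rule would hit.
    return [h for h in headers if any(p.search(h) for p in BLAT_PATTERNS)]
```

On a real system, feed it the output of `postcat -q <queue-id>` for a few queue entries and look at which user or client keeps turning up.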
