How can I block this kind of exim spam attck?

[pepsi]

2022-10-07 18:32:31 H=(lnyd) [223.240.209.1] F=<[email protected]> rejected RCPT <[email protected]>: R1: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)

I got lot of this kind of spam everyday, how can I use csf to auto block them?
Thank you

My exim part setting:
SMTP_BLOCK = 1
SMTP_ALLOWLOCAL = 1
SMTP_REDIRECT = 0
SMTPAUTH_RESTRICT = 1

I just want my server and php send mail only

It would be grateful if you could check this csf rule:

 if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s\S+\s\S+\s\[(\S+)\].*HELO should be a FQDN/))  {     
  return ("CUSTOM_Batch Spam Attack",$1,"Exim","2","25,465,587","3600");
 }

Thank you so much

 

[pepsi]

sorry, I can't edit anymore, so I will update my log here:

SMTPAUTH_LOG = /var/log/exim/rejectlog

if (($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^\S+\s\S+\s\S+\s\[(\S+)\].*HELO should be a FQDN/))  {     
    return ("CUSTOM_Batch Spam Attack",$1,"Exim","2","25,465,587","3600");
}

It would be grateful if you could check this csf rule
Thank you

 

[pepsi]

sorry, I can't edit anymore AGAIN, so I will update my log here:

I better to change back my smtpauth log and use custom1_log for rejctlog
(also if this may help someone later, so I use default setting)

SMTPAUTH_LOG = /var/log/exim/mainlog
CUSTOM1_LOG = /var/log/exim/rejectlog

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s\S+\s\S+\s\[(\S+)\].*HELO should be a FQDN/))  {     
    return ("CUSTOM_Batch Spam Attack",$1,"Exim","2","25,465,587","3600");
}

It would be grateful if you could check this csf rule
Thank you

 

[pepsi]

also thank you for Dettol to share his phpmyadmin attack rule:

Brute Force Monitor doesn't work

I seem a lot of this kind of log everyday, but Brute Force Monitor never ban them for trying to get in my phpmyadmin... any can help me any solution to stop they trying to get in my phpmyadmin? thank you 152.136.33.12 - - [28/Sep/2022:22:42:25 +0800] "GET /phpmyadmin4/index.php?lang=en...

forum.directadmin.com

when someone try to hack my phpmyadmin, I will get this log:

[Fri Oct 07 16:49:21.175272 2022] [:error] [pid 19771:tid 139824933398272] [client 129.45.123.27:57113] [client 129.45.123.27] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma|/sql|/mysql|/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] [uri "/phpmyadmin/index.php"] [unique_id "Yz_oETe_TOecHbx-z5kMOwAAAL0"]

so I try to set this csf rule for ban someone:

if (($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^(\S+).*Pattern match.*(phpMyAdmin hacking).* (406)/)) {
    return ("Get lost please",$1,"HTACCESS406","2","80,443","604800");
}

It would be grateful if you could check this csf rule
Thank you

 

[Richard G]

I got lot of this kind of spam everyday, how can I use csf to auto block them?

CSF is not intended to block incoming spam.

You can for example block the ip or pot *@qq.com in the /etc/virtual/bad_sender_hosts file.
And maybe also to the blacklist_senders file in there.

Next to that I would suggest installing spamassassin, blockcracking and easyspamfighter (if not already present yet).

Also something which you -could- do, is block hosts which do not have a decent FQDN. Which might block some legitimate hosts, however, legit hosts should work according to RFC's so that would be their own fault.
To do this (if you use easy spamfighter) you can create a file called:
/etc/exim.easy_spam_fighter/variables.conf.custom
if I remember the correct one, and add this line:
EASY_DNS_BLACKLIST == 100

These are some measures to block spam, there are ofcourse more options.

 

[pepsi]

CSF is not intended to block incoming spam.

You can for example block the ip or pot *@qq.com in the /etc/virtual/bad_sender_hosts file.
And maybe also to the blacklist_senders file in there.

Next to that I would suggest installing spamassassin, blockcracking and easyspamfighter (if not already present yet).

Also something which you -could- do, is block hosts which do not have a decent FQDN. Which might block some legitimate hosts, however, legit hosts should work according to RFC's so that would be their own fault.
To do this (if you use easy spamfighter) you can create a file called:
/etc/exim.easy_spam_fighter/variables.conf.custom
if I remember the correct one, and add this line:
EASY_DNS_BLACKLIST == 100

These are some measures to block spam, there are ofcourse more options.

Thank you for your sugesstion.
I have that 3 plugin too.
but they try to send spam via a fake account at my server, does it work too?


But cloud you help me to check my second rule too? thanks

How can I block this kind of exim spam attck?

2022-10-07 18:32:31 H=(lnyd) [223.240.209.1] F= rejected RCPT : R1: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1) I got lot of this kind of spam everyday, how can I use csf to auto block them? Thank you My exim part setting: SMTP_BLOCK = 1 SMTP_ALLOWLOCAL = 1 SMTP_REDIRECT =...

forum.directadmin.com

 

[Richard G]

but they try to send spam via a fake account at my server, does it work too?

I don't think so. But if that would be the case, you should check and remove that account. Could also be they are just spoofing. I can also send a mail from any e-mail address which is not mine.

I just want my server and php send mail only

You should also be able to receive mail.

Anyway, to be able to send mail via SMTP and PHP I use this:
SMTP_BLOCK = "1"
SMTP_ALLOWLOCAL = "1"
SMTP_PORTS = "25,465,587"
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "mail,mailman"
SMTPAUTH_RESTRICT = "0"

 

[BillyS]

But cloud you help me to check my second rule too? thanks

Not sure what you are trying to do , but no, that second rule will not work. No where in the test string is found a '406'

 

[pepsi]

I don't think so. But if that would be the case, you should check and remove that account. Could also be they are just spoofing. I can also send a mail from any e-mail address which is not mine.


You should also be able to receive mail.

Anyway, to be able to send mail via SMTP and PHP I use this:
SMTP_BLOCK = "1"
SMTP_ALLOWLOCAL = "1"
SMTP_PORTS = "25,465,587"
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "mail,mailman"
SMTPAUTH_RESTRICT = "0"

That domain all email is hosting by google workspace, so that why I'm 100% sure no that account in my server.

Thank you for your suggestion, I'm change the settings that you suggestion, thanks

Not sure what you are trying to do , but no, that second rule will not work. No where in the test string is found a '406'

thank you, how can I block ip via this error?

[Fri Oct 07 16:49:21.175272 2022] [:error] [pid 19771:tid 139824933398272] [client 129.45.123.27:57113] [client 129.45.123.27] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma|/sql|/mysql|/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] [uri "/phpmyadmin/index.php"] [unique_id "Yz_oETe_TOecHbx-z5kMOwAAAL0"]

Thanks

 

[pepsi]

Not sure what you are trying to do , but no, that second rule will not work. No where in the test string is found a '406'

if (($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^(\S+)(.*) Access denied with code 406 (.*)/)) {
    return ("Get lost please",$1,"HTACCESS406","2","80,443","604800");
}

right? thanks

 

[pepsi]

CSF is not intended to block incoming spam.

You can for example block the ip or pot *@qq.com in the /etc/virtual/bad_sender_hosts file.
And maybe also to the blacklist_senders file in there.

Next to that I would suggest installing spamassassin, blockcracking and easyspamfighter (if not already present yet).

Also something which you -could- do, is block hosts which do not have a decent FQDN. Which might block some legitimate hosts, however, legit hosts should work according to RFC's so that would be their own fault.
To do this (if you use easy spamfighter) you can create a file called:
/etc/exim.easy_spam_fighter/variables.conf.custom
if I remember the correct one, and add this line:
EASY_DNS_BLACKLIST == 100

These are some measures to block spam, there are ofcourse more options.

It back again, this time over 2000 < 1mins:

2022-10-10 01:14:17 H=(DESKTOP-8PJIG2P) [201.101.35.6] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted, authentication required

Any suggestion? thank you

 

[Dettol]

It back again, this time over 2000 < 1mins:

2022-10-10 01:14:17 H=(DESKTOP-8PJIG2P) [201.101.35.6] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted, authentication required

Any suggestion? thank you

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^(.+) H=\(\S+\) \[(\S+)\] F=\<\S+\> rejected RCPT \<\S+\>: relay not permitted, authentication required/))  {
      return ("RCPT NOT ALLOWED FROM ",$2,"RCPT","1","1");
   }

 

[pepsi]

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^(.+) H=\(\S+\) \[(\S+)\] F=\<\S+\> rejected RCPT \<\S+\>: relay not permitted, authentication required/))  {
      return ("RCPT NOT ALLOWED FROM ",$2,"RCPT","1","1");
   }

Thank you