How can I block this kind of Exim spam attack?

pepsi (Verified User, joined Oct 7, 2022, 16 messages)
2022-10-07 18:32:31 H=(lnyd) [223.240.209.1] F=<[email protected]> rejected RCPT <[email protected]>: R1: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)

I get a lot of this kind of spam every day; how can I use CSF to auto-block them?
Thank you

The Exim part of my settings:
SMTP_BLOCK = 1
SMTP_ALLOWLOCAL = 1
SMTP_REDIRECT = 0
SMTPAUTH_RESTRICT = 1

I just want my server and PHP to be able to send mail only.

I would be grateful if you could check this CSF rule:
Code:
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s\S+\s\S+\s\[(\S+)\].*HELO should be a FQDN/)) {
    return ("CUSTOM_Batch Spam Attack",$1,"Exim","2","25,465,587","3600");
}


Thank you so much
 
Sorry, I can't edit anymore, so I will update my log here:

SMTPAUTH_LOG = /var/log/exim/rejectlog

Code:
if (($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^\S+\s\S+\s\S+\s\[(\S+)\].*HELO should be a FQDN/))  {     
    return ("CUSTOM_Batch Spam Attack",$1,"Exim","2","25,465,587","3600");
}

I would be grateful if you could check this CSF rule.
Thank you
 
Sorry, I can't edit anymore AGAIN, so I will update my log here:

I'd better change my SMTPAUTH_LOG back and use CUSTOM1_LOG for the rejectlog
(also, in case this helps someone later: I use the default settings)

SMTPAUTH_LOG = /var/log/exim/mainlog
CUSTOM1_LOG = /var/log/exim/rejectlog

Code:
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s\S+\s\S+\s\[(\S+)\].*HELO should be a FQDN/))  {     
    return ("CUSTOM_Batch Spam Attack",$1,"Exim","2","25,465,587","3600");
}

I would be grateful if you could check this CSF rule.
Thank you
 
Also, thank you to Dettol for sharing his phpMyAdmin attack rule:

When someone tries to hack my phpMyAdmin, I get this log entry:
Code:
[Fri Oct 07 16:49:21.175272 2022] [:error] [pid 19771:tid 139824933398272] [client 129.45.123.27:57113] [client 129.45.123.27] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma|/sql|/mysql|/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] [uri "/phpmyadmin/index.php"] [unique_id "Yz_oETe_TOecHbx-z5kMOwAAAL0"]

So I tried to set this CSF rule to ban them:
Code:
if (($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^(\S+).*Pattern match.*(phpMyAdmin hacking).* (406)/)) {
    return ("Get lost please",$1,"HTACCESS406","2","80,443","604800");
}

I would be grateful if you could check this CSF rule.
Thank you
 
I get a lot of this kind of spam every day; how can I use CSF to auto-block them?
CSF is not intended to block incoming spam.

You can, for example, block the IP or put *@qq.com in the /etc/virtual/bad_sender_hosts file.
And maybe also add it to the blacklist_senders file in there.

Next to that, I would suggest installing SpamAssassin, BlockCracking and Easy Spam Fighter (if not already present).

Also, something which you -could- do is block hosts which do not have a decent FQDN. That might block some legitimate hosts; however, legit hosts should work according to the RFCs, so that would be their own fault.
To do this (if you use easy spamfighter) you can create a file called:
/etc/exim.easy_spam_fighter/variables.conf.custom
if I remember the correct one, and add this line:
EASY_DNS_BLACKLIST == 100

These are some measures to block spam; there are of course more options.
 
Thank you for your suggestion.
I have those 3 plugins too.
But they try to send spam via a fake account on my server; does it work for that too?


But could you help me check my second rule too? Thanks.
 
But they try to send spam via a fake account on my server; does it work for that too?
I don't think so. But if that were the case, you should check and remove that account. It could also be that they are just spoofing. I can also send a mail from any e-mail address which is not mine.

I just want my server and PHP to be able to send mail only.
You should also be able to receive mail.

Anyway, to be able to send mail via SMTP and PHP I use this:
SMTP_BLOCK = "1"
SMTP_ALLOWLOCAL = "1"
SMTP_PORTS = "25,465,587"
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "mail,mailman"
SMTPAUTH_RESTRICT = "0"
 
All email for that domain is hosted by Google Workspace, so that's why I'm 100% sure that account is not on my server.

Thank you for your suggestion, I've changed the settings as you suggested, thanks.

Not sure what you are trying to do, but no, that second rule will not work. Nowhere in the test string is a '406' found.

Thank you, how can I block the IP via this error?

Code:
[Fri Oct 07 16:49:21.175272 2022] [:error] [pid 19771:tid 139824933398272] [client 129.45.123.27:57113] [client 129.45.123.27] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma|/sql|/mysql|/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] [uri "/phpmyadmin/index.php"] [unique_id "Yz_oETe_TOecHbx-z5kMOwAAAL0"]

Thanks
 
Not sure what you are trying to do, but no, that second rule will not work. Nowhere in the test string is a '406' found.

Code:
if (($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /\[client (\S+?):\d+\].*Access denied with code 406/)) {
    # $1 is the client address from the "[client ip:port]" field; anchoring on "^(\S+)" would capture "[Fri" instead
    return ("Get lost please",$1,"HTACCESS406","2","80,443","604800");
}
Right? Thanks.
 
It's back again, this time over 2000 in less than 1 minute:

Code:
2022-10-10 01:14:17 H=(DESKTOP-8PJIG2P) [201.101.35.6] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted, authentication required

Any suggestions? Thank you
 

Code:
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^(.+) H=(?:\S+ )?\(\S*\) \[([^\]]+)\] F=\<[^>]*\> rejected RCPT \<\S+\>: relay not permitted, authentication required/)) {
    # $2 is the client IP; the optional "\S+ " before the HELO handles clients that have reverse DNS ("H=host (helo) [ip]")
    # return values: text, IP, app name, trigger count, ports to block ("*" = all), block time (1 = permanent)
    return ("RCPT NOT ALLOWED FROM ",$2,"RCPT","1","*","1");
}
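Added here as an example (not code from the thread or from csf itself): a small Perl harness that runs regex.custom.pm-style patterns against sample log lines and reports what the IP capture would contain, which is how to check a rule before lfd starts acting on it. The sample lines are constructed to mirror the thread's Exim and ModSecurity formats (RFC 5737 addresses; one Exim line has reverse DNS), and the two "anchored" patterns are suggested alternatives, not csf's own.

```perl
#!/usr/bin/perl
# Offline harness for regex.custom.pm-style rules: run each rule against sample
# log lines and show which string it would hand to lfd as the IP to block.
use strict;
use warnings;

# Constructed sample lines modelled on the thread's log formats (RFC 5737 test IPs).
# The second Exim line has reverse DNS, so Exim logs it as "H=host (helo) [ip]".
my @lines = (
    '2022-10-07 18:32:31 H=(lnyd) [192.0.2.10] F=<a@example.net> rejected RCPT <b@example.org>: R1: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)',
    '2022-10-10 01:14:17 H=mail.example.com (DESKTOP-8PJIG2P) [198.51.100.7] F=<a@example.net> rejected RCPT <b@example.org>: relay not permitted, authentication required',
    '[Fri Oct 07 16:49:21.175272 2022] [:error] [pid 19771:tid 1398] [client 203.0.113.5:57113] [client 203.0.113.5] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma|/sql|/mysql|/phpMyAdmin).*$" at REQUEST_URI. [msg "phpMyAdmin hacking"] [severity "CRITICAL"]',
);

# name => [ regex, index of the capture group that must hold the IP ]
# The first two are the patterns posted in the thread; the "anchored" ones are
# suggested replacements that locate the "[ip]" / "[client ip:port]" token
# instead of counting space-separated fields from the start of the line.
my %rules = (
    'thread exim'     => [qr/^\S+\s\S+\s\S+\s\[(\S+)\].*HELO should be a FQDN/, 1],
    'thread apache'   => [qr/^(\S+)(.*) Access denied with code 406 (.*)/, 1],
    'anchored exim'   => [qr/^\S+ \S+ H=(?:\S+ )?\(\S*\) \[([^\]]+)\](?::\d+)? .*rejected RCPT/, 1],
    'anchored apache' => [qr/\[client (\S+?):\d+\].*Access denied with code 406/, 1],
);

# Returns the captured IP string, or undef if the rule does not match the line.
sub captured_ip {
    my ($rule, $line) = @_;
    my ($re, $group) = @$rule;
    my @caps = ($line =~ $re);
    return @caps ? $caps[$group - 1] : undef;
}

# lfd blocks whatever string it is given, so insist on a plausible IPv4/IPv6 literal.
sub looks_like_ip { $_[0] =~ /^(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)$/ }

for my $line (@lines) {
    print substr($line, 0, 70), " ...\n";
    for my $name (sort keys %rules) {
        my $ip = captured_ip($rules{$name}, $line);
        my $verdict = !defined $ip     ? 'no match'
                    : looks_like_ip($ip) ? "would block $ip"
                    :                      "WRONG FIELD: would block '$ip'";
        printf "  %-16s %s\n", $name, $verdict;
    }
}
```

Running it shows the thread's Apache pattern capturing "[Fri" rather than an address, and the field-counting Exim pattern failing on the line that has reverse DNS.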
 
Thank you
 