HOW? Drop A connection that is recipient guessing

0ByteSolutions · Post by **0ByteSolutions** » Thu Mar 05, 2020 5:14 pm

Help!?!?

I am using Zimbra Collaboration Open Source 8.8.10 & I need to find a way to immediately drop a connection from a BotNet that keeps trying to exploit my server for SPAM. I get these admin reports daily:

message reject detail
---------------------
RCPT
Recipient address rejected: domainname.net (total: 60)
3 avoid@domainname.net
3 complaint@domainname.net
3 consequence@domainname.net
3 drag@domainname.net
3 explain@domainname.net
3 extensive@domainname.net
3 half@domainname.net
3 hungry@domainname.net
3 initially@domainname.net
3 insist@domainname.net
3 logical@domainname.net
3 nephew@domainname.net
3 outdoors@domainname.net
3 programme@domainname.net
3 replace@domainname.net
3 salary@domainname.net
3 station@domainname.net
3 them@domainname.net
3 varied@domainname.net
3 wallet@domainname.net

I'm currently using Fail2Ban - and it works - AFTER the connection is aborted by the offending server. I need to find a way to IMMEDIATELY sever the connection (DROP the ESTABLISHED connection) after, say the 3rd, bad account guess. The IP address gets banned using fail2ban and ufw (or iptables) but continues to guess usernames until it gives up. Is there a Zimbra command that I can enable the KILLS the connection if they guess 3 bad recipient addresses??

zimico · Post by **zimico** » Fri Mar 06, 2020 3:07 am

Hi,
You can have a look at DosFilter: https://wiki.zimbra.com/wiki/DoSFilter

Best regards,
Minh.

0ByteSolutions · Post by **0ByteSolutions** » Fri Mar 06, 2020 2:58 pm

zimico, almost but not quite... They're not trying to guess accounts to log into, they are trying to randomly deliver SPAM.

Here's an except fom my logs to show what I'm trying to combat:

Mar 3 07:19:58 zsrv postfix/smtpd[3949]: connect from unknown[185.143.223.170]
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<explain@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<explain@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 550 5.1.1 <explain@domainname.net>: Recipient address rejected: domainname.net; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<explain@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<them@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<them@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 550 5.1.1 <them@domainname.net>: Recipient address rejected: domainname.net; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<them@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<logical@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<logical@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 550 5.1.1 <logical@domainname.net>: Recipient address rejected: domainname.net; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<logical@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<replace@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<replace@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 550 5.1.1 <replace@domainname.net>: Recipient address rejected: domainname.net; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<replace@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<consequence@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<consequence@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 550 5.1.1 <consequence@domainname.net>: Recipient address rejected: domainname.net; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<consequence@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<initially@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<initially@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 550 5.1.1 <initially@domainname.net>: Recipient address rejected: domainname.net; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<initially@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<salary@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<salary@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 550 5.1.1 <salary@domainname.net>: Recipient address rejected: domainname.net; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<salary@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<hungry@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<hungry@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 550 5.1.1 <hungry@domainname.net>: Recipient address rejected: domainname.net; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<hungry@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<varied@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<varied@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 550 5.1.1 <varied@domainname.net>: Recipient address rejected: domainname.net; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<varied@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<complaint@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<complaint@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 550 5.1.1 <complaint@domainname.net>: Recipient address rejected: domainname.net; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<complaint@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<half@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<half@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:19:59 zsrv postfix/smtpd[3949]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 550 5.1.1 <half@domainname.net>: Recipient address rejected: domainname.net; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<half@domainname.net> proto=ESMTP helo=<[185.143.223.170]>
Mar 3 07:20:00 zsrv postfix/smtpd[3949]: NOQUEUE: filter: RCPT from unknown[185.143.223.170]: <4clehjkwkzbrvr45@jmb-production.fr>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<4clehjkwkzbrvr45@jmb-production.fr> to=<outdoors@domainname.net> proto=ESMTP helo=<[185.143.223.170]>

You can see the forged from address trying to guess a valid recipient. I'd like to abort the connection after the 3rd or 4th "guess" and PERMANENTLY BAN the IP address.

Using Fail2Ban on the log files, I can successfully BAN the IP, but the connection stays live until the SPAM bot gives up allowing them to continue to guess random accounts.

DualBoot · Post by **DualBoot** » Fri Mar 06, 2020 4:06 pm

Hello

Emergency command :
iptables -I INPUT -s 185.143.223.170 -j DROP

Then as a previous user has written : use Fail2Ban
associated with iptables-persistent package.

Regards,

Zimbra Forums

HOW? Drop A connection that is recipient guessing

HOW? Drop A connection that is recipient guessing

Re: HOW? Drop A connection that is recipient guessing

Re: HOW? Drop A connection that is recipient guessing

Re: HOW? Drop A connection that is recipient guessing