Re: [exim] protecting privileged users from SMTP-AUTH attack…

Author: Cyborg
To: exim-users
Subject: Re: [exim] protecting privileged users from SMTP-AUTH attacks
On 02.12.19 at 11:48, Jeremy Harris via Exim-users wrote:
> On 02/12/2019 10:23, Cyborg via Exim-users wrote:
>> That an IP is trying to abuse the auth mechanics and producing a lot of
>> "protocol synchronization error" messages,
>> as normal clients won't do.
> You say "an IP" but you also said "botnet". If the botnet is
> only using IP's once, you won't do anything useful by tracking
> IPs. Analyse your logs to see whether or not such
> an approach would be useful.


It was only a small example, the logfiles are full of it.

And by blocking, I mean "blocking in the entire cluster" ;)

> Perhaps you could start from the other end: track your customer's
> (well, at least sources that pass authentication) IPs -
> and impose a delay on others. Ways to do that:
> - check the "authenticated" status in any ACL from mail onward,
> if yes then note the IP in your favourite DB. A ratelimit DB would do
> fine.
> - check the IP in the DB in an AUTH ACL and delay if not found.
>
> [IANAL, but beware GPDR concerns with such a DB. It should be
> protected in the same way as logs]


So, the answer is "no, there is no way to intercept here." That's OK, take
it as a FeatureRequest ;)
AFAIS, they make mistakes and assume pipelining is active, so checking
it in other ACLs and events may not work as suggested.

Example:

2019-12-02 13:44:27 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[179.43.110.211] next input="00000\r\n"
2019-12-02 13:44:27 no host name found for IP address 179.43.110.211
2019-12-02 13:44:29 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "admin"
H=[179.43.110.211] next input="1234qwer\r\n"
2019-12-02 13:44:33 no host name found for IP address 179.43.110.211
2019-12-02 13:44:34 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[179.43.110.211] next input="pass\r\n"
2019-12-02 13:44:39 no host name found for IP address 179.43.110.211
2019-12-02 13:44:43 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[179.43.110.211] next input="7ujMko0admin\r\n"

I will add it to our IDS system, which also monitors exim and can block
such botnets effectively.
A built-in system would have been nice, because then we could send nice
messages to the abuser, in case it's a badly broken client.

best regards,
Marius
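As an added example (not code from this thread or from Exim itself), here is the kind of detection pass an IDS could run over the log lines quoted above: it parses Exim's "SMTP protocol synchronization error" entries, keeps only those whose rejected input is not an SMTP verb (the bot here sends raw user/password strings instead of commands), and flags a source IP once it produces several such errors within a short window. The threshold, the window, and the contrast line from 192.0.2.10 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample based on the excerpt in the thread. Exim writes each entry
# on one line; the wrapping in the mail is an artefact. The last line (a client
# that merely sent EHLO before the banner) is added for contrast.
SAMPLE_LOG = """\
2019-12-02 13:44:27 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "root" H=[179.43.110.211] next input="00000\\r\\n"
2019-12-02 13:44:27 no host name found for IP address 179.43.110.211
2019-12-02 13:44:29 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "admin" H=[179.43.110.211] next input="1234qwer\\r\\n"
2019-12-02 13:44:34 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "root" H=[179.43.110.211] next input="pass\\r\\n"
2019-12-02 13:44:43 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "root" H=[179.43.110.211] next input="7ujMko0admin\\r\\n"
2019-12-02 13:50:01 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO client.example" H=[192.0.2.10] next input="MAIL FROM:<a@example.org>\\r\\n"
"""

SYNC_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SMTP protocol synchronization error '
    r'\(.*?\): rejected "(?P<cmd>[^"]*)" H=\[(?P<ip>[^\]]+)\] next input="(?P<next>.*)"$'
)
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
              "QUIT", "AUTH", "STARTTLS", "VRFY", "HELP"}


def parse_sync_errors(text):
    """Yield (timestamp, ip, rejected_input, next_input) for each sync-error line."""
    for line in text.splitlines():
        m = SYNC_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["ip"], m["cmd"], m["next"])


def looks_like_credential(rejected):
    """True when the rejected input does not start with an SMTP verb (e.g. "root")."""
    return rejected.split(" ", 1)[0].upper() not in SMTP_VERBS


def flag_abusers(text, threshold=3, window=60):
    """Return {ip: total} for IPs with >= threshold credential-like sync errors
    inside any `window`-second span (assumed tuning values)."""
    events = defaultdict(list)
    for ts, ip, rejected, _next in parse_sync_errors(text):
        if looks_like_credential(rejected):
            events[ip].append(ts)
    flagged = {}
    for ip, times in events.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, n in flag_abusers(SAMPLE_LOG).items():
        print(f"{ip}: {n} credential-like sync errors, candidate for cluster-wide block")
```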