I'm very interested in what you are doing.
My thinking along country blocking for the submission of email addresses
is...
Subscribers have their data in a database. They have a properly secured
web access system to that database for account management purposes
(change their password - etc). I could also add a list of countries that
they expect to send (Submission) emails from or where they might use
POP3/IMAP from, something like a string "ZA,UK,MZ" (for South Africa, UK
and Mozambique) which they can also edit from a "multiple selection"
from all the worlds countries. I could also have a "home" country per
user. Knowing the IP address they are coming from and mapping that to a
country - that can be used to block password hackers from other
countries. The same defence can also sit on this management website -
once I know where all my clients are...
Add it to my webmail web site too.
I can always change customer "valid countries list" as well - when they
forget to do so in advance of a change of countries.
So Customers that country hop need to keep their choice of multiple
countries up to date, whilst the majority rarely have to change anything.
Thoughts?
On 6/25/22 8:56 PM, Slavko (tblt) via Exim-users wrote:
> Dňa 25. júna 2022 15:11:34 UTC používateľ Sebastian Nielsen via Exim-users<exim-users@???> napísal:
>
>> They seem to use wordlists to hack the password.
> Next week will be one year, from distributed attack to my email system starts,
> and it is still ongoing. The year is enough time to do with (against) it, but of
> course i cannot stop it. I can only guess, that it is from multiple relative independed
> botnets, as i have no power investigate in depth.
>
> They all seems to use harvested email addresses as i see a lot of login attempts
> to email aliases, but most significant part are logins with XMPP accounts (JID
> -- Jabber ID), which looks as email address, but in my case never had email
> accounts (they was JIDs used for remote teaching at COVID's lockdowns), thus
> i do not need to afraid about attack success. Only very small part of this attack
> used real mail accounts.
>
> Initially i even watch on passwords, but the attempts looks as dictionary
> variations of one (per login) password. But these accounts was removed from
> server in that time, thus i cannot tell, if they get real passwords with these JIDs,
> but it is possible... I then stop to watch them.
>
> I use 465 (and 993/995) with implicit TLS only (for users) more than two years,
> small part of attack was filtered by setting TLS1.2+ as requirement, without DHE+RSA
> and plain RSA, but that doesn't help mutch.
>
> Relative quickly i understand, tha fail2ban will not helps with it, as any host tried
> AUTH only once, and returns only occassionaly. If they returns, it was after relative
> long time, in days or even weeks (i store its IPs for some months).
>
> Then i start to collect its ASNs & IP networks, to see if i can block that. But without luck,
> they comes from different providers and while some ASNs repeats, it was not significant
> number.
>
> Then i start collect its countries and finally i found pattern -- the US, BR, AR, IN are
> biggest part of it. There are other countries involved too, including my own, but thay are
> occasional. I was initially against country blocking, but no other pattern in attacking IPs.
> I afraid to country block mostly because my users are from in countries and often
> travel, but by per user BL/WL it is acceptable (at least for me).
>
> Then i go into real blocking. As i use dovecot's SASL for SMTP login, i decided to use
> blocking on the dovecot side, to have them blocked not only for SMTP, but for IMAP
> and POP3 too. I found that dovecot supports policy daemon, thus i start to play with
> weakforce (from PowerDNS or so), it looks very good and provides nice functions
> for per user, per IP or per country counting of failed/success logins and automatically
> block eg. account from too many IPs (leaked passwords).
>
> After i learn to setup and use it i found, that i was not able to build one of its dependencies
> (and thus to build it self) on oldstable Debian, on which my email system runs at that time...
> Then i start to develop own policy daemon. Is not as poweful as weakforced, i wrote
> it in python (and flask) and uses redis as storage, but works great for my small email
> system for more months. For now it provides:
>
> + global country (GeoIP2) BL with per user WL (no UI)
> + global IP and users BL/WL
> + configurable DNS RBL fír blocking
> + success login IP counting with auto users BL (as leaked passwords action)
>
> I initialy used relative long list of RBLs (they are queried async, thus no problem),
> but after some months i reduced it, as some provided false positives (as i
> mentioned in other post already).
>
> It itself doesn't blocks IP (only delays/rejects logins), but i use strict fail2ban's jail,
> which adds every block from its log to ipset, where IPs are blocked for about 24
> days (max ipset's timeot) and its timeout is reset by any attemt in that time by
> iptables. Today that ipset has about 2200 IPs, the maximum was about 4500
> at once.
>
> To be honest, most of attempts i block by country (from the same redis BL)
> directly in exim at connect time yet (as i initially afraid about my policy daemon
> performance and resource usage), but it survived multiple bursts from not
> blocked countries already, thus after i finish (ongoing) services migration to new
> HW i will rely only on dovecot's policy daemon, as on exim's side is per user
> WL missing.
>
> To get country in exim i initally used shell script to query Maxmind DB, but now
> i use GeoIP dlfunc which i found on github and exim queries redis's BL. I found
> no one (as mentioned) DNS RBL providing country info for IPv6, thus they are
> not useful for me (while current attack is IPv4 only).
>
> Beside this, i start to distribute fail2ban block between my MX and MSA,
> as they are serated, by using small python daemon subscribed to redis's
> PubSub. It is not very usefull in this attack, as only some IPs are accesing
> both, the 465 and 25 ports yet, but it is nice to have ;-)
>
> After initial (when this attack starts) wondering, i now only look at daily logwatch
> reports, that all works as expected and i only count how many IPs was blocked.
> Because i do not know, if my leaked password protection works, as i didn't meet
> it yet, i watch login counts, if they are in usual...
>
> Finally, after i finish mentioned migration, i have plan to build honeypot for
> SMTP/IMAP/POP connections over plain ports with STARTTLS, as i do not
> offer them to clients, which will use the same user/passwords as real service
> but will reject all (including success) logins, and will report (block) the success
> one, but it is only idea yet...
>
> I am writing this on my tablet now, thus i have no links here, but if anyone
> is interested, i can provide them latter, when i will be on PC...
>
> regards
>
--
Mark James ELKINS - Posix Systems - (South) Africa
mje@??? Tel: +27.826010496 <tel:+27826010496>
For fast, reliable, low cost Internet in ZA:
https://ftth.posix.co.za
<
https://ftth.posix.co.za>
