Coping With Postfix Mail Server Attacks

From Free Knowledge Base- The DUCK Project: information for everyone
Revision as of 14:49, 8 April 2015 by Admin (Talk | contribs)

Jump to: navigation, search

See Also:


Too many "smtp -t unix -u" processes

1005 ?        S      0:00 smtp -t unix -u
1006 ?        S      0:00 smtp -t unix -u
1007 ?        S      0:00 smtp -t unix -u
1008 ?        S      0:00 smtp -t unix -u
1009 ?        S      0:00 smtp -t unix -u
1010 ?        S      0:00 smtp -t unix -u
1011 ?        S      0:00 smtp -t unix -u
1012 ?        S      0:00 smtp -t unix -u
1013 ?        S      0:00 smtp -t unix -u
1014 ?        S      0:00 smtp -t unix -u
1015 ?        S      0:00 smtp -t unix -u
1016 ?        S      0:00 smtp -t unix -u
1017 ?        S      0:00 smtp -t unix -u
1018 ?        S      0:00 smtp -t unix -u
1019 ?        S      0:00 smtp -t unix -u
1020 ?        S      0:00 smtp -t unix -u
1021 ?        S      0:00 smtp -t unix -u
1022 ?        S      0:00 bounce -z -n defer -t unix -u
1023 ?        S      0:00 smtp -t unix -u
1024 ?        S      0:00 smtp -t unix -u
1025 ?        S      0:00 smtp -t unix -u
1026 ?        S      0:00 smtp -t unix -u
1027 ?        S      0:00 smtp -t unix -u
1028 ?        S      0:00 smtp -t unix -u
1030 ?        S      0:00 smtp -t unix -u
1031 ?        S      0:00 smtp -t unix -u
1032 ?        S      0:00 smtp -t unix -u
1033 ?        S      0:00 smtp -t unix -u
1034 ?        S      0:00 smtp -t unix -u
1035 ?        S      0:00 smtp -t unix -u
1036 ?        S      0:00 smtp -t unix -u
1038 ?        S      0:00 dovecot/pop3-login

Someone is attacking your email server. The server is spawning too many smtp processes and is slow or nearly not responsive.

Lets verify. Check the mail queue. 

mailq

You can find a lot of useful commands like mailq in our Postfix Tips and Tricks page.

You might see lots of entries that look similar to this: 

4790F2C0DD7     2898 Mon Apr  6 13:08:07  MAILER-DAEMON
(connect to bny234.rayinsuranceclearly.ninja[94.228.216.234]:25: Connection timed out)
                                        Angela.Sloan@bny234.rayinsuranceclearly.ninja

They might say "Connection timed out" or "Connection refused" 

437AC2C07BB     9359 Tue Apr  7 18:05:33  MAILER-DAEMON
         (connect to 1fxxn8s.eiroeir.eu[8.39.223.104]:25: Connection refused)
                                        HawaiiVacationDeals@eiroeir.eu

You're going to see a lot of forged addresses. In this example, HawaiiVacationDeals@eiroeir.eu is clearly forged.

The IMMEDIATE plan:

(1.) REGAIN CONTROL If the mail server is nearly unresponsive, you can 'killall smtp' or purge the mail queue 

postsuper -d ALL

This is just to get control over your system back.

(2.) BLOCK THE OFFENDING NETWORK or NETWORKS

iptables

(3.) TAKE PREVENTATIVE MEASURES

You can prevent future attacks by using some commonsense mail server settings for postfix and implementing a tool like fail2ban

Retrieved from "https://wiki.robotz.com/index.php?title=Coping_With_Postfix_Mail_Server_Attacks&oldid=10492"