50 SMTP attacks by day from a botnet

debug
Junior Member
Posts: 9
Joined: 14 May 2011, 04:26

50 SMTP attacks by day from a botnet

Post by debug »

Hello,

I have a server being attacked in the form of a botnet. I am getting 50 emails a day (for the last two days) like this:
Time: Tue Feb 4 17:07:09 2014 -0500
IP: 213.186.183.252 (JO/Jordan/-)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block

Log entries:

2014-02-04 17:06:15 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:06:21 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:06:31 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:06:48 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:07:05 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
I'm alone on my server and I don't have/want customers. All email programs are disabled (horde, squirrelmail, etc.) and I don't use email accounts (I did not create any email accounts).
I am using CSF, CXS, ConfigServer Mail Manager, ConfigServer Mail Queues, Mod_Security.

What is the best solution to stop these SMTP attacks? Block/disable port 25? Will it prevent me from receiving other alert emails from CSF?

The SMTP settings in CSF are:
SMTP_BLOCK = 0
SMTP_ALLOWLOCAL = 1
SMTP_PORTS = 25,465,587
SMTP_ALLOWUSER = Cpanel
SMTP_ALLOWGROUP = mail,mailman

Regards
Sergio
Junior Member
Posts: 1687
Joined: 12 Dec 2006, 14:56

Re: 50 SMTP attacks by day from a botnet

Post by Sergio »

Hi debug,
this type of activity is very common, and you can't block or disable port 25 just because of this.

I have created a rule in CSF to block all the IPs where set_id is set to different words, like "jobs" in this case.

If you want to see how many words have been tried against your server, go to WATCH SYSTEM LOGS, select /var/log/exim_rejectlog and do a search using "detach" for the following phrase:
535 Incorrect authentication data
and you will see hundreds of IPs using a lot of different words, not just "jobs".
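The search Sergio describes can be done offline against a copy of exim_rejectlog. The script below is an added example (not code from the thread or from ConfigServer): it parses lines in the format quoted in the first post, tallies the login names tried (the set_id values) and the names each source IP cycled through, and re-applies the threshold lfd reported in the alert (5 failures within 3600 seconds) as a sliding window per IP. The log lines embedded in it are constructed for the example, not real log data, and the 10.0.0.7 / 198.51.100.23 / 203.0.113.5 addresses are placeholders.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the exim_rejectlog format quoted in the thread; not real log data.
SAMPLE_LOG = """\
2014-02-04 17:06:15 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:06:21 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:06:31 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:06:48 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:07:05 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 18:10:02 dovecot_login authenticator failed for ([10.0.0.7]) [198.51.100.23]:41022: 535 Incorrect authentication data (set_id=admin)
2014-02-04 18:10:09 dovecot_login authenticator failed for ([10.0.0.7]) [198.51.100.23]:41022: 535 Incorrect authentication data (set_id=info)
2014-02-04 20:30:00 dovecot_login authenticator failed for ([10.0.0.7]) [198.51.100.23]:41030: 535 Incorrect authentication data (set_id=sales)
2014-02-04 20:31:00 H=(mail.example) [203.0.113.5] F=<x@example> rejected RCPT <y@example>: relay not permitted
"""

# The first bracketed address is the HELO/EHLO name the client sent (192.168.2.33 in the
# thread), so the lazy ".*?" skips it and only the "[ip]:port:" before the 535 counts.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:\d+: "
    r"535 Incorrect authentication data \(set_id=(?P<user>[^)]*)\)"
)


def parse_failures(text):
    """Yield (timestamp, source_ip, attempted_login) for every SMTP AUTH failure line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]


def tally(text):
    """Count the login names tried and map each source IP to the names it tried."""
    users = Counter()
    by_ip = defaultdict(set)
    for _, ip, user in parse_failures(text):
        users[user] += 1
        by_ip[ip].add(user)
    return users, dict(by_ip)


def block_candidates(text, failures=5, interval=3600):
    """IPs with `failures` auth failures inside any `interval`-second window (lfd's rule)."""
    stamps_by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(text):
        stamps_by_ip[ip].append(ts)
    flagged = []
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - failures + 1):
            if (stamps[i + failures - 1] - stamps[i]).total_seconds() <= interval:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    users, by_ip = tally(SAMPLE_LOG)
    print("login names tried:", users.most_common())
    for ip, names in sorted(by_ip.items()):
        print(ip, "->", sorted(names))
    print("would hit the 5-in-3600s threshold:", block_candidates(SAMPLE_LOG))
```

Feeding the real file in place of SAMPLE_LOG gives the same picture as the Watch System Logs search, with the added per-IP view: the second IP in the sample never reaches five failures in an hour, so lfd would not have blocked it, yet it is clearly walking a word list.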
debug
Junior Member
Posts: 9
Joined: 14 May 2011, 04:26

Re: 50 SMTP attacks by day from a botnet

Post by debug »

Sergio wrote: you can't block or disable port 25 just because of this.
Hi Sergio,

I am tired of receiving 50 emails a day at my external & personal email address just because of this. I am alone on this server with 0 email accounts.

What are the disadvantages of disabling port 25? Will it prevent me from receiving other alert emails (port scan, alerts related to mod_security, etc.) from CSF/LFD?
Sergio
Junior Member
Posts: 1687
Joined: 12 Dec 2006, 14:56

Re: 50 SMTP attacks by day from a botnet

Post by Sergio »

port 25 is needed for you to send emails; if you use your server to send/receive emails you can't block this port.

If you don't use your server for any email activity then you can disable it, just go to your CSF configuration and delete port 25 and see if that helps you.

Another approach is to create a filter in your webmail to delete any email that comes with the phrase "535 Incorrect Authentication data" in the body; that is easy to create and you will never be bothered with any of those emails.
soupn
Junior Member
Posts: 11
Joined: 24 Jul 2013, 22:00

Re: 50 SMTP attacks by day from a botnet

Post by soupn »

hello Sergio,

did you stop the attacks? I am in the same situation... 100 emails a day...
Sergio
Junior Member
Posts: 1687
Joined: 12 Dec 2006, 14:56

Re: 50 SMTP attacks by day from a botnet

Post by Sergio »

Hi soupn,
yes, we have created a system that does the following:
1. Check CSF for whether any of our rules are triggered.
2. If the IP triggers any of our rules the IP is blocked in csf.deny.
3. A cron is executed every few minutes and checks the IPs that have been blocked.
4. If the IP is from countries that we define, we move the IP to another IPTABLE and the IP is deleted from csf.deny.
5. If the IP is from countries that we really don't like we search the CIDR where the IP comes from and we block the complete range of the IP.

The system is kind of complex and we manage 4 different IPTABLES in which we put the blocked IPs.

That has helped us a lot, as we don't have to block complete countries that generate very large IPTABLE rules.
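Steps 3 to 5 of Sergio's cron job can be sketched as a planner that reads csf.deny and decides, per entry, whether to leave it alone, move the single IP into a dedicated iptables chain, or block the whole prefix. This is an added example, not Sergio's code or ConfigServer's: the csf.deny lines are constructed (they follow the "IP # lfd: ... (CC/Country/-) ..." comment shape shown in the alert, which is what lets the script read the country without a separate GeoIP lookup), the POLICY dictionary and the SMTPAUTH_* chain names are hypothetical, and ROUTE_TABLE is a stand-in for the whois/route lookup that would return the announced CIDR. It emits the shell commands instead of running them, so you can review the plan before wiring it into cron.

```python
import ipaddress
import re

# Constructed csf.deny entries in the comment shape lfd writes; not from a real server.
SAMPLE_DENY = """\
213.186.183.252 # lfd: (smtpauth) Failed SMTP AUTH login from 213.186.183.252 (JO/Jordan/-): 5 in the last 3600 secs - Tue Feb  4 17:07:09 2014
198.51.100.23 # lfd: (smtpauth) Failed SMTP AUTH login from 198.51.100.23 (US/United States/-): 5 in the last 3600 secs - Tue Feb  4 18:10:40 2014
203.0.113.77 # lfd: (smtpauth) Failed SMTP AUTH login from 203.0.113.77 (XX/Unknown/-): 5 in the last 3600 secs - Tue Feb  4 19:00:00 2014
192.0.2.9 # manual block by admin
"""

# Country code as lfd writes it in the comment: "(JO/Jordan/-)".
CC_RE = re.compile(r"\(([A-Z]{2})/[^)]*\)")

# Hypothetical policy (assumption, not from the thread): countries whose single IPs are moved
# out of csf.deny into their own chain, and countries whose whole prefix gets blocked.
POLICY = {
    "move": {"JO": "SMTPAUTH_JO_DROP"},
    "range": {"XX": "SMTPAUTH_RANGE_DROP"},
}

# Hypothetical prefix table standing in for a whois/route lookup; constructed, not routing data.
ROUTE_TABLE = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]


def announced_prefix(ip):
    """Smallest known prefix containing ip, or None if the lookup has nothing."""
    addr = ipaddress.ip_address(ip)
    hits = [net for net in ROUTE_TABLE if addr in net]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def parse_deny(text):
    """Yield (ip, country_code_or_None) from csf.deny-style lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, _, comment = line.partition("#")
        m = CC_RE.search(comment)
        yield ip.strip(), (m.group(1) if m else None)


def plan(text, policy=POLICY):
    """Shell commands that move matching csf.deny entries into per-policy iptables chains."""
    cmds, created = [], set()
    for ip, cc in parse_deny(text):
        if cc in policy["range"]:
            chain = policy["range"][cc]
            net = announced_prefix(ip)
            target = str(net) if net else ip  # no prefix known: fall back to the host
        elif cc in policy["move"]:
            chain, target = policy["move"][cc], ip
        else:
            continue  # entries without a policy stay in csf.deny untouched
        if chain not in created:
            created.add(chain)
            cmds += [f"iptables -N {chain}", f"iptables -I INPUT -j {chain}"]
        cmds.append(f"iptables -A {chain} -s {target} -j DROP")
        cmds.append(f"csf -dr {ip}")  # csf -dr removes the entry from csf.deny
    return cmds


if __name__ == "__main__":
    print("\n".join(plan(SAMPLE_DENY)))
```

Two caveats before running the output for real: `iptables -N` fails if the chain already exists, so a cron job should test for the chain first, and a CSF restart flushes iptables, so the chains and the INPUT jump need to be recreated from /etc/csf/csfpost.sh. Adding range blocks to a chain one rule at a time is exactly what produces the very large rule sets Sergio mentions; an ipset per chain holds the same addresses in a single rule.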
PPNSteve
Junior Member
Posts: 5
Joined: 19 Aug 2013, 08:38

Re: 50 SMTP attacks by day from a botnet

Post by PPNSteve »

one constant I've seen with these is the 192.168.2.33 local IP. Is there something that can be done using it as the trigger/rule?
Sergio
Junior Member
Posts: 1687
Joined: 12 Dec 2006, 14:56

Re: 50 SMTP attacks by day from a botnet

Post by Sergio »

No, as anyone, bad or good guy, can be connected to that IP in his/her local area network; you will never know when someone will connect from an IP like that.
PPNSteve
Junior Member
Posts: 5
Joined: 19 Aug 2013, 08:38

Re: 50 SMTP attacks by day from a botnet

Post by PPNSteve »

that's too bad... these attacks are pretty annoying.