Old & tired:: Open Relay. New Hotness:: Brute-force SMTP AUTH

Bloody spammers.

Got complaints from my customers that their websites were going up & down like a yoyo. Checked, and that’s true enough: at first it seems okay, but when you hit reload, you get an error message.
Thank God for squid: even when the server is having problems, it’s not instantly obvious to the visitors, only to the admins (hint: admin pages are usually set with a no-cache header).

The error messages were related to MySQL. So I checked it, and indeed MySQL was overloaded to the max. mysqladmin -h localhost -u root -p status showed that it was handling a crazy number of queries per second.

I was a bit baffled. Normally, that would cause MySQL to fall over straight away. But this time it was “just” going up & down. So I looked for more clues using top.

I quickly noticed that there were huge numbers of smtpd processes. What’s going on?
So I checked the MySQL query log.

Turned out that spammers were trying to brute-force their way into my SMTP server 🙁
They were trying various combinations of username & password. They don’t seem to have succeeded anywhere, but they sure caused MySQL to act funny.
smtpd authenticates against a table in MySQL. The table is small, so it must already be cached by MySQL.

But even cached, when the requests are coming very rapidly, it’d still hurt.

Checked /etc/postfix/master.cf, and was surprised to see that by default, the maximum number of smtpd processes that Postfix will spawn is 100.
In a normal situation this won’t be a problem, because smtpd is lightweight. But when there are 100 smtpd processes servicing the brute-force attacks of spammer bots, the server will suffer.

So I changed this line in /etc/postfix/master.cf:

    smtp      inet  n       -       -       -       -       smtpd

Into this:

    smtp      inet  n       -       -       -       10      smtpd

Now Postfix won’t spawn more than 10 smtpd processes at most, slowing down the spammers considerably.

Personally, I think old punishment styles such as, oh let’s say “hanged, drawn and quartered” should be brought back just for them, the spammers.

No, I’m not joking.

OK, ok… but I think that’s the only punishment that would be able to effectively stop people from spamming. So sue me 🙂

32 Responses to “Old & tired:: Open Relay. New Hotness:: Brute-force SMTP AUTH”

  • 1
    Samsul
    March 14th, 2008 00:10

    The good thing is that the spammer didn’t make his way through your SMTP, rite? I hate them, I once experienced a spammer getting into my account, filling MySQL with junk. Took my time to clean it up.

  • 2
    sufehmi
    March 14th, 2008 01:03

    @samsul – I guess I should be thankful for that, indeed.

    However, even when failing, they’re still a great nuisance.

    I was talking with my friends at Indosat, evangelizing virtualization technologies to them. They were most interested, and I kept on giving them solutions – until they mentioned their spam-filter server.

    They said that the (very powerful) server is always at more than 80% CPU utilization.

    I said, leave the server alone 🙂
    Don’t virtualize it.

    Spammers cause losses to others. Much more than even I imagined.

  • 3
    arrohwany
    March 14th, 2008 03:24

    It’s Cool… 🙂

  • 4
    Tom
    March 14th, 2008 05:27

    It is probably not a good idea to connect an SQL database to your mail server. And never do this at all, unless the SQL server is dedicated.

    If you can’t dedicate an SQL server for mail authentication, use LDAP. Use a script to push the data from SQL into LDAP. You will find that since LDAP is key-value based, it is at least an order of magnitude faster than any SQL database, including MySQL.

  • 5
    ryosaeba
    March 14th, 2008 06:37

    harry, the comment by “admin” is spam. and for your problem, probably you should think about extra security measures, such as 3 or more repeated failed relay attempts within a minute resulting in that particular IP address being banned from connecting for, let’s say, 1 hour.

  • 6
    Tom
    March 14th, 2008 07:09

    @ryosaeba: If you want to keep track of which IPs have failed, and which are working, you need to store state some place. So you store state in the database, or wait, that is what is overloaded…

    Others hack in the ability to call out to iptables, and add an automatically expiring block on that IP. This works. You still need to keep the state, but the traffic goes away after a while.

  • 7
    neuralgin
    March 14th, 2008 10:04

    I think that postgrey http://postgrey.schweikert.ch could help you

  • 8
    Chas
    March 14th, 2008 11:44

    There is a nice little delay for comment spam. There should be one for the password function as well. One attempt every 3 seconds should be enough.

  • 9
    sufehmi
    March 14th, 2008 14:49

    @ryosaeba – thanks for the idea.

    I looked around, and found fail2ban. I like it very much because (1) it uses existing info (logfiles) instead of adding more burden to the system, (2) it utilizes iptables / proven, (3) it works for any service [not just postfix].

    Will give it a try.

    @Tom – thanks, but I really need the SQL backend, because it makes management & maintenance much easier to do.

    With fail2ban, I may be able to restore Postfix’s max smtpd process count to 100 again soon.

    @neuralgin – thank you too, but postgrey is limited to postfix, and can be easily bypassed (just retry again). So I think I’ll try fail2ban first.
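The fail2ban-style rule discussed in comments 5, 6 and 9 (ban an IP after 3 failed attempts within a minute, for an hour), as an added example that is not part of the original post or of fail2ban itself: it scans constructed Postfix mail.log lines for SASL authentication failures and reports which addresses cross the threshold. The log format, threshold, window and ban length are assumptions taken from the comments; the addresses are RFC 5737 test addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed mail.log excerpt in Postfix's usual SASL-failure format
# (RFC 5737 test addresses, not real attackers).
SAMPLE_LOG = """\
Mar 14 00:01:05 mail postfix/smtpd[2011]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar 14 00:01:09 mail postfix/smtpd[2011]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar 14 00:01:10 mail postfix/smtpd[2013]: connect from unknown[198.51.100.7]
Mar 14 00:01:12 mail postfix/smtpd[2013]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Mar 14 00:01:30 mail postfix/smtpd[2011]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar 14 00:05:00 mail postfix/smtpd[2015]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Mar 14 00:05:30 mail postfix/smtpd[2015]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
""".splitlines()

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")

def parse_ts(ts, year=2008):
    """Syslog timestamps carry no year; assume one (the post is from 2008)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(lines, threshold=3, window=60, ban_seconds=3600):
    """Return {ip: ban_expiry} for every IP that logs `threshold` SASL
    failures inside a sliding `window` of seconds: the rule proposed in
    the comments (3 failures per minute -> 1 hour ban)."""
    recent = defaultdict(deque)  # ip -> timestamps of unexpired failures
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # connects, deliveries, etc. are not auth failures
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans and t < bans[ip]:
            continue  # still banned; a firewall rule would be dropping it
        q = recent[ip]
        q.append(t)
        while t - q[0] > timedelta(seconds=window):
            q.popleft()  # forget failures older than the window
        if len(q) >= threshold:
            bans[ip] = t + timedelta(seconds=ban_seconds)
            q.clear()
    return bans

if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} until {until:%H:%M:%S}")
```

In the sample, 198.51.100.7 also fails three times, but its first failure falls outside the 60-second window, so only 203.0.113.5 is banned; fail2ban applies the same window logic before calling iptables.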

  • 10
    ady wicaksono
    March 14th, 2008 20:50

    Just decrease the MySQL thread stack size, so you will have a lot of MySQL connections 🙂

  • 11
    blogging make money
    February 16th, 2009 11:09

    Damn spammers. I really hate those freaking jerks. I had a similar occurrence happen to me also. I don’t know why those guys even bother trying they should know that we will figure out what they are trying sooner or later.

  • 12
    350-030
    May 4th, 2009 13:21

    I would say about the other hack in the ability to call out to iptables, and add an automatically expiring block on that IP. This works. You still need to keep the state, but the traffic goes away after a while.

  • 13
    ThongJsn
    October 12th, 2009 18:23

    I appreciate this very article.

  • 14
    reez
    October 13th, 2009 10:26

    thanks for the info….. ^__^

  • 15
    Richard Gluedson
    November 19th, 2009 04:25

    Thank you for sharing the information provided, and adds color to our world.
    saç ekimi
    saç ekimi
    gebelik takibi

  • 16
    ghgf
    November 20th, 2009 14:54

    MKV Converter

  • 17
    Virtual Call Center Jobs
    November 28th, 2009 11:30

    Thank you for sharing this information. You always have something interesting.

  • 18
    Peter p
    December 14th, 2009 14:29

    Probably you should think about extra security measures, such as 3 or more repeated failed relay attempts within a minute resulting in that particular IP address being banned from connecting for, let’s say, 1 hour.

  • 19
    links london charms
    December 17th, 2009 15:42

    The good thing is that the spammer didn’t make his way through your SMTP, rite? I hate them, I once experienced a spammer getting into my account, filling MySQL with junk. Took my time to clean it up.

  • 20
    kontoranabayi
    December 24th, 2009 17:36

    Thank you very much for this information. I like This site! Thanks!

  • 21
    health
    February 2nd, 2010 07:52

    Great article. There’s a lot of good information here, though I did want to let you know something – I am running Mac OS X with the circulating beta of Firefox, and the look and feel of your blog is kind of bizarre for me. I can understand the articles, but the navigation doesn’t work so well.

  • 22
    poptropica
    June 20th, 2010 20:41

    Thanks a lot, sir, your blog is very useful.

  • 23
    sport news
    August 14th, 2010 10:35

    I don’t understand, what is this?

  • 24
    Kedai Obat
    August 16th, 2010 01:20

    Nice to get a backlink Health | Apothect Net | Pharma Info

  • 25
    hairstyles
    August 19th, 2010 00:49

    I understand even less, sob.

  • 26
    machen
    September 10th, 2010 09:00

    PDF Creator can create PDF document files from Microsoft Office 2003/2007/2010 (Word, Excel, PowerPoint), image (JPEG, GIF, TIFF, PNG, BMP), Text, RTF, CHM, DjVu and more printable files.
    PDF Creator
    JPEG to PDF
    GIF to PDF
    PNG to PDF

  • 27
    iPad
    October 25th, 2010 19:13

    I know that a computer is a necessity for most people. People can’t work without a computer. With the development of tech, more high-speed computers were developed and people can improve their work easily. Happy everybody.

  • 28
    Kata kata manis
    November 29th, 2010 11:16

    Long live Indonesian open source …..!

  • 29
    evinden iş fırsatları
    May 15th, 2011 16:04

    Thank you very much for this information. I like This site! Thanks!

  • 30
    male toys
    May 24th, 2011 21:13

    Thanks, I must say it was very interesting. Thanks once again for sharing these views you have, I hope to see more great posts like this.

    girls sex toys

  • 31
    cars-editions
    June 26th, 2011 00:09

    All these points, need some minutes to read them because they are important,

  • 32
    lab bahasa
    November 28th, 2011 12:37

    cheap language lab
