Old & tired:: Open Relay. New Hotness:: Brute-force SMTP AUTH

Bloody spammers.

Got complaints from my customers that their websites are going up & down like a yoyo. Checked, and that’s true enough. Although at first it seems okay, but when you hit reload, you got the error message.
Thank God for squid, so even when the server is having problems, it’s not instantly obvious to the visitors. Only to the admins. (hint: admin pages are usually set with no-cache header)

The error messages are related to mysql. So I checked it, and indeed MySQL was overloaded to the max. mysqladmin -h localhost -u root -p status showed that it’s handling crazy amount of queries per second.

I was a bit baffled. Normally, that will cause MySQL to fell straight away. But at that time, it’s “just” going up & down. So I looked for more clues using top.

I quickly noticed that there are huge numbers of smtpd processes. What’s going on ?
So I checked the mysql query log.

Turned out that the spammers are trying to brute force their way to my smtp server 🙁
They’re trying various combinations of username & password. They doesn’t seem to be anywhere successful, but they sure caused MySQL to act funny.
smtpd authenticate to a table in MySQL. The table is small, so it must be cached already by MySQL.

But even cached, when the requests are coming very rapidly, it’d still hurt.

Checked /etc/postfix/master.cf, and surprised to see that by default, max number of smtpd that will be spawned by Postfix is 100.
In normal situation, this won’t be a problem because it’s lightweight. But when there are 100 smtpd processes servicing brute-force attacks of spammer bots, the server will be disturbed.

So I changed this line in /etc/postfix/master.cf :

smtp inet n – – – – smtpd

Into this :

smtp inet n – – – 10 smtpd

Now postfix won’t spawn more than 10 processes at maximum, slowing down the spammer considerably.

Personally, I think old punishment styles such as, oh let’s say “hanged, drawn, quartered” should be reestablished again just for them, spammers.

No, I’m not joking.

OK, ok… but I think that’s the only punishment that would be able to effectively stop people from spamming. So sue me 🙂

33 thoughts on “Old & tired:: Open Relay. New Hotness:: Brute-force SMTP AUTH

  1. The good thing is that the spammer didn’t make his way through your SMTP, rite? I hate them, I once experienced a spammer gotten into my account, filling mySql with junks. Took my time to clean it up.

  2. @samsul – I guess I should be thankful for that, indeed.
    .
    However, even when failing, they’re still a great nuisance.
    .
    I was talking with my friends at Indosat, evangelizing virtualization technologies to them. They were most interested, and I kept on giving the solutions to them – until they mentioned about their spam-filter server.
    .
    They said that the (very powerful) server is always at more than 80% cpu utilization.
    .
    I said, leave the server alone 🙂
    Don’t virtualize it.
    .
    Spammers causes loses to others. Much more than even I imagined.

  3. It is probably not a good idea to connect an SQL database to your mail server. And never do this at all, unless the SQL server is dedicated.

    If you can’t dedicate an SQL server for mail authentication, use LDAP. Use a script to push the data from SQL into LDAP. You will find that since LDAP is key-value based, it is at least an order of magnitude faster than any SQL database, including MySQL.

  4. harry, the comment by “admin” is a spam. and for your problem, probably you should think about extra security measures, such as 3 or more repeated and failed relay attempt within a minute would result that particular IP address banned to connect for let’s say 1 hour.

  5. @ryoseba: If you want to keep track of which IPs have failed, and which are working, you need to store state some place. So you store state in the database, or wait, that is what is overloaded…

    Others hack in the ability to call out to iptables, and add a automatically expiring block on that IP. This works. You still need to keep the state, but the traffic goes a way after a while.

  6. There is a nice little delay for comment spam. There should be one for password function as well. One attempt every 3 seconds should be enough.

  7. @ryosaeba – thanks for the idea.
    .
    I looked around, and found fail2ban. I like it very much because (1) it uses existing info (logfiles) instead of adding more burden to the system (2) utilizes iptables / proven (3) works for any services [not just postfix]
    .
    Will give it a try.
    .
    @Tom – thanks, but I really need the SQL backend, because it makes management & maintenance much more easier to do.
    .
    With fail2ban, I may be able to restore Postfix’s max smtpd processes number to 100 again soon.
    .
    @neuralgin – thank you too, but postgrey is limited to postfix, and can be easily bypassed (just retry again). So I think I’ll try fail2ban first.

  8. Damn spammers. I really hate those freaking jerks. I had a similar occurrence happen to me also. I don’t know why those guys even bother trying they should know that we will figure out what they are trying sooner or later.

  9. I would say about the other hack in the ability to call out to iptables, and add a automatically expiring block on that IP. This works. You still need to keep the state, but the traffic goes a way after a while.

  10. robably you should think about extra security measures, such as 3 or more repeated and failed relay attempt within a minute would result that particular IP address banned to connect for let’s say 1 hour.

  11. The good thing is that the spammer didn’t make his way through your SMTP, rite? I hate them, I once experienced a spammer gotten into my account, filling mySql with junks. Took my time to clean it up.

  12. Great article. There’s a lot of good information here, though I did want to let you know something – I am running Mac OS X with the circulating beta of Firefox, and the look and feel of your blog is kind of bizarre for me. I can understand the articles, but the navigation doesn’t work so good.

  13. I know that computer is a necessary for most of people. People can’t work without computer. With the development of tech. More high speed computer was develped and people can improve the work easily. Happy every body.

Leave a Reply

Your email address will not be published.