I am undergoing a heavy SMTP attack if I accept all connections in the RELAY setting of SMTP.
If I grant access only to the server IP, then the attack stops, but all emails sent start bouncing back to me, as the relay failed.
I enabled SMTP Tweak inside WHM and it prevents the relays.
But I am still seeing a huge attack inside my exim_mainlog through one of the domains hosted on the server.
I deleted the domain's DNS zone and changed the domain's name servers, but it still doesn't stop the attack. How do I deal with this? I need help from those experienced in this...
H=mail1.data393.net [208.42.234.80] F=<> rejected RCPT <305stevengan@techobceat.com>: mail1.data393.net [208.42.234.80] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
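The line quoted above is Exim's relay rejection: the peer (H=... [ip]) is neither authenticated nor in the POP-before-SMTP window, so RCPT for the address is refused, and F=<> marks a null sender, i.e. the peer was trying to deliver a bounce. Before touching DNS or relay settings it helps to quantify what exim_mainlog actually contains: which peers, which recipient domains, how much of it is bounce traffic. The following is an added example, not code from the thread or from cPanel/Exim; the log lines are constructed in the shape of the quoted rejection (the example.* hosts, the extra addresses and the timestamps are made up), and sources_over is a hypothetical helper for picking peers to put on a host-reject or firewall list.

```python
import re
from collections import Counter

# Constructed sample exim_mainlog lines in the shape of the rejection quoted above
# (timestamps, the example.* hosts and the extra addresses are made up).
SAMPLE_LOG = """\
2013-05-01 10:00:01 H=mail1.data393.net [208.42.234.80] F=<> rejected RCPT <305stevengan@techobceat.com>: mail1.data393.net [208.42.234.80] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2013-05-01 10:00:02 H=mail1.data393.net [208.42.234.80] F=<> rejected RCPT <bob@techobceat.com>: mail1.data393.net [208.42.234.80] is currently not permitted to relay through this server.
2013-05-01 10:00:05 H=(foo) [198.51.100.7] F=<spam@example.net> rejected RCPT <alice@example.org>: relay not permitted
2013-05-01 10:00:07 1UXyz-0001aB-Cd <= alice@example.org H=client.example.org [192.0.2.10] P=esmtpa A=dovecot_login:alice S=1234
2013-05-01 10:00:09 H=mail1.data393.net [208.42.234.80] F=<> rejected RCPT <carol@techobceat.com>: mail1.data393.net [208.42.234.80] is currently not permitted to relay through this server.
"""

# Exim writes the peer as "H=<host> [<ip>]", the envelope sender as "F=<...>"
# and the refused address as "rejected RCPT <...>".
REJECT_RE = re.compile(
    r"H=(?P<host>.+?) \[(?P<ip>[0-9a-fA-F.:]+)\] F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]+)>"
)


def summarize_rejections(log_text):
    """Count rejected RCPTs per peer IP and per recipient domain, and how many
    arrived with a null sender (F=<>), which is how bounces are delivered."""
    by_ip = Counter()
    by_domain = Counter()
    null_sender = 0
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        by_ip[m.group("ip")] += 1
        by_domain[m.group("rcpt").rsplit("@", 1)[-1].lower()] += 1
        if m.group("sender") == "":
            null_sender += 1
    return by_ip, by_domain, null_sender


def sources_over(log_text, threshold):
    """Peer IPs with more than `threshold` rejections, busiest first (hypothetical
    helper): the candidates for a firewall rule or an Exim host-reject list."""
    by_ip, _, _ = summarize_rejections(log_text)
    return [ip for ip, n in by_ip.most_common() if n > threshold]


if __name__ == "__main__":
    by_ip, by_domain, null_sender = summarize_rejections(SAMPLE_LOG)
    print("rejections per peer IP:", dict(by_ip))
    print("rejections per recipient domain:", dict(by_domain))
    print("with null sender (bounces):", null_sender)
    print("peers over 2 rejections:", sources_over(SAMPLE_LOG, 2))
```

On the sample, all of the traffic for techobceat.com comes from one peer with a null sender, which is the signature of bounces for mail that was never sent from the server; on a real log, run the same summary over the whole file before deciding whether the source is one host to block or many.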
Code:
LIMIT=5
# The posted fragment starts inside a loop; this loop head is assumed. /root/iplist is
# taken to hold "<count> <ip>" lines, since the count is read from field 1 below.
for ip in $(awk '{print $2}' /root/iplist); do
    COUNT=$(grep -Fw "$ip" /root/iplist | awk '{print $1}')
    if [ "${COUNT:-0}" -gt "$LIMIT" ]; then
        echo "5 connection from $ip... $COUNT number of connections... Blocking $ip"
        #Blocking the ip ...
        /etc/rc.d/init.d/iptables save > /dev/null
        CHECK_IF_LOCALIP=0
        # Never block one of the server's own addresses
        /sbin/ifconfig | grep -Fw "$ip" > /dev/null
        if [ $? -ne $CHECK_IF_LOCALIP ]; then
            FLAG=0
            # Skip addresses that already have a DROP rule in the saved ruleset
            grep -Fw "$ip" /etc/sysconfig/iptables | grep DROP > /dev/null
            if [ $? -ne $FLAG ]; then
                iptables -I INPUT -s "$ip" -j DROP
            else
                echo " Ipaddress $ip is already blocked "
            fi
        else
            echo " Sorry, the ip $ip cannot be blocked since this is a local ip of the server "
        fi
    fi
done

It blocks any address that has more than 5 connections.
My problem now is that when I leave my PC and come back, my server can't respond.
I used this to make it run every minute:
Code:
SHELL=/bin/sh
0-59/1 * * * * root /root/ddos/blockip5.sh
and put it in /etc/cron.d/anti-ddos.cron
Is there any advice about it? To make it work all the time, not every minute, like every 5 seconds.
I found that when I leave my PC and come back to run this script, I can't log in to the server; I have to reboot it and then log in again.
This message came from support:
In the past 12 hours we have seen a maximum of 35 Mbps and an average of 12 Mbps of malicious traffic being sent to your server.
I am using APF, and I also use DDoS-Deflate version 0.6 and mod_evasive.
Any more advice? They have kept attacking me for more than a month, 24 hours a day.
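The script in this post counts connections per address and inserts a DROP rule for anything over the limit, and the poster then loses SSH access. Two things in that design bite in practice: the count has no allowlist for the administrator's own address, and nothing prevents re-inserting a rule that already exists. The following is an added example, not the poster's script and not part of DDoS-Deflate or APF, written in Python so it can be checked offline: it parses constructed `netstat -ntu` output (all addresses are documentation ranges), reads the existing DROP rules from constructed `iptables -S INPUT` output, and returns only the addresses that are safe to block; the allowlist, the limit of 5 and the local address 192.0.2.10 are assumptions for the example.

```python
import ipaddress
import re
from collections import Counter


def _conn_lines(remote_ip, n, local="192.0.2.10:80", state="SYN_RECV"):
    """Build n constructed `netstat -ntu` rows from remote_ip (sample data only)."""
    return [f"tcp        0      0 {local:<23} {remote_ip}:{40000 + i:<9} {state}"
            for i in range(n)]


# Constructed sample of `netstat -ntu` output; all addresses are documentation ranges.
SAMPLE_NETSTAT = "\n".join(
    ["Active Internet connections (w/o servers)",
     "Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    + _conn_lines("203.0.113.5", 7)                                                # flood source
    + _conn_lines("198.51.100.20", 6, local="192.0.2.10:22", state="ESTABLISHED")  # admin's SSH
    + _conn_lines("192.0.2.10", 6)                                                 # the server itself
    + _conn_lines("203.0.113.7", 6)                                                # already DROPped
    + _conn_lines("203.0.113.9", 2)                                                # under the limit
)

# Constructed sample of `iptables -S INPUT`; only plain "-s <ip> -j DROP" rules count as blocks.
SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-A INPUT -s 203.0.113.7/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""
DROP_RULE_RE = re.compile(r"^-A INPUT -s ([0-9a-fA-F.:]+)(?:/\d+)? -j DROP$")


def parse_remote_ips(netstat_text):
    """Count connections per foreign address (5th column of netstat -ntu)."""
    counts = Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        remote = parts[4].rsplit(":", 1)[0]      # strip the port
        try:
            counts[str(ipaddress.ip_address(remote))] += 1
        except ValueError:                       # e.g. "*" or a hostname in that column
            continue
    return counts


def parse_blocked(iptables_s_output):
    """Addresses that already have an INPUT DROP rule."""
    blocked = set()
    for line in iptables_s_output.splitlines():
        m = DROP_RULE_RE.match(line.strip())
        if m:
            blocked.add(m.group(1))
    return blocked


def choose_blocks(counts, limit, local_ips, allowlist, already_blocked):
    """Addresses with more than `limit` connections that are safe to block:
    never the server's own addresses, never the admin allowlist, never duplicates."""
    to_block = []
    for ip, n in counts.most_common():           # descending, so we can stop early
        if n <= limit:
            break
        if ip in local_ips or ip in allowlist or ip in already_blocked:
            continue
        to_block.append(ip)
    return to_block


def iptables_commands(ips):
    """The rules to run (or print for review) for the chosen addresses."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    counts = parse_remote_ips(SAMPLE_NETSTAT)
    blocked = parse_blocked(SAMPLE_IPTABLES_S)
    chosen = choose_blocks(counts, limit=5, local_ips={"192.0.2.10"},
                           allowlist={"198.51.100.20"}, already_blocked=blocked)
    for cmd in iptables_commands(chosen):
        print(cmd)
```

On the sample, four addresses exceed the limit but only 203.0.113.5 is returned: the admin's SSH source and the server's own address are exempt, and 203.0.113.7 already has a rule. Feeding real `netstat -ntu` and `iptables -S INPUT` output to these functions from cron keeps the block list from growing with duplicate rules, which is one reason a rule set like this can balloon to the point where the host stops responding.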
My server was hit with a flood recently, to the point where I was unable to log in via SSH. Running the 'netstat' command showed I was getting flooded with thousands of HTTP requests from China/Saudi Arabia/Korea. I installed the APF firewall and added those countries to the deny list.
The next day I was hit from Russia and Romania and some others. By reading some posts on this site, on top of APF I have also installed DoS Deflate. It was working for a couple of hours, but then it stopped working. I could not even log in via SSH. My provider told me that APF was using all of the "conntrack" connections. I have increased conntrack connections to 130,000 (I have 4 GB of RAM on my server). Is that possible? (I have about 300 IP ranges in my APF deny list.)
The next day, I got hit by a different attack: there was 11 Mbps of malicious traffic on average sent to my server. My provider put me behind a firewall to mitigate against that kind of attack.
Currently, I am both behind the hardware firewall and I have APF and DoS Deflate running. However, my server is not accessible.
When I request it, I can log in for a couple of minutes, but then I get kicked out.
Today my system which is hosting the site bepenfriends got compromised (Win 2k3), and now the LT tech guys are working on it to reload the system with a data save. I did not have a hardware firewall, which caused this problem. But I had Windows Firewall and the Windows Malicious Software Removal Tool (Defender I haven't installed). I have updated all patches of Win2k3 which were released up to today.
Now after the restore it will be a lot of work to bring my website back with all those rewritten URLs and the software and its licenses.
Now please help me out with the below.
How to stop further attacks and further compromise of the server.
I'm searching for an SMTP service that lets me send email from several different emails (domains), lets me connect to non-standard port numbers, and which is not banned/does not accept spam.
I'd like to describe an issue and see if this sounds familiar to anyone, or if there is a solution that I have not thought of yet.
CAUSE: My ISP (yeah, it's Comcast) began blocking port 25 inbound, so my personal mail server was no longer receiving mail.
RESOLUTION: I worked through a new DNS re-router to change the port that would now receive mail, from port 25 to port 587. It took me a while to get the routes pointed correctly, but I finally got the messages to route, get through my firewall, and hit the mail server.
NEW PROBLEM: After some IP and DNS routing issues, I finally got things to work; the email that gets sent finally arrives at my mail server. However, the mail server (Alt-N MDaemon) now requires AUTH from the incoming DNS redirect.
BIG QUESTION: How do I configure MDaemon mail server (or any other mail server, for that matter) to accept the mail from the new re-route server? Mail now redirected to the new port ALWAYS comes from that route (mx-routes01.editdns.net). Where in the configuration settings of MDaemon do I set it up? I've tried including the host name and the IP address in every whitelist I can find, added it to the trusted host name list and everything. I'm at a loss, since it's impossible to configure the re-route server to provide AUTH credentials to my mail server. MDaemon now replies to every mail request with:
530 Authentication required (in reply to MAIL FROM command)
Anyone know of a good place to do SMTP relaying through?
We have legitimate clean email that we need to send for my site that gets filtered as junk mail by the major free email services (Hotmail, Yahoo Mail, AOL Mail, etc.). Unfortunately it is legitimate email that needs to get through to the end user to register their account.
Right now we use the free 250 smtp relays per day that come with our free GoDaddy hosting account but we are quickly approaching the need to send more than 250 a day and GoDaddy charges a healthy amount for more than 250 a day.
Anyone know of a good economical SMTP relay service?
The hacker just executes the Perl file, and then he calls the "test.txt" file through Internet Explorer, and it's done; he can read the file easily!
We tried to:
1- run PHP as a CGI module.
2- run the suPHP module.
3- run PHP as an Apache module.
4- enable open_basedir and safe_mode.
But the hacker can still bypass the system!
The only solution is to disable /usr/bin/perl by chmod-ing it to 700, but that caused a broken cPanel!
It requires it to be at 755 for proper operation, since it is used by customers as well when it suexecs into the user when they log into cPanel, and so we cannot change it to that setting (700), since it breaks the entire system.
So is there any way to stop the "symlink" Perl function?
GoDaddy says: "You have reached your current SMTP relay limit of 1000 per day on the following hosting account." But they assigned a limit of 1,000, and I don't use SMTP relay at all. I have set up my active email accounts to use Google SMTP. When I tell GoDaddy about this, they tell me it is my responsibility. So what do I do?
I have a dedicated Windows 2003 server that acts as an SMTP relay (legit purposes, not open).
There are large amounts of mail relayed through the server, and I would like to install some third-party software that can scan the messages/attachments for viruses.
Ideally, if one exists, it strips it from the message and notifies the recipient and/or sender of the problem.
I've been trying to set up Postfix to send email for the past few days. I've managed to get it to ask for a username and password in order to try and send mail to an external domain.
I can receive email fine on the server, but I can't send email out.
I have Plesk 12 on CentOS 7. I have only msmtp installed, not Postfix or Qmail. No matter what settings I use in the external SMTP settings, the mail is never sent and I cannot find any error logs.
I have tried Gmail SMTP, SendGrid SMTP and another SMTP server that I own.
This is not a firewall issue as far as I can tell, since if I install Postfix it just works. Also, any WordPress or Joomla installs that use SMTP settings with Gmail or SendGrid work just fine.
Screenshot for information only. I used accurate usernames, passwords, etc.
Quick update. I tried the recommended CentOS 7 with the same result. Can installing Plesk 12 without a mail server and using the msmtp relay option actually work?
I sent a few emails today and got a phone call that people did not get my email. So I went into WHM and viewed "Top Email Relayers". There I saw my emails.
I am using WHM 11.11.0 / cPanel 11.15.0.
So what are Email Relayers?
How can I get my mails out of there so they can be sent?
I have found a bunch of articles on setting up Sendmail as a mail relay, but none have been successful for me, or the articles are very outdated. Does anyone have a 'stupid-proof' set of current instructions on how to set up Sendmail POP-before-SMTP? This is a CentOS 4.5 box with Sendmail 8.14.2/8.13.1 and Dovecot. Any successful guidance would be appreciated!
Occasionally when sending an email to an international address, I receive a rejected notice:
550 5.7.1 Relaying denied. IP name forged (PTR and A records mismatch) for (serverIP)
Nothing was changed recently, so I'm not sure why this would happen. How would I trace this type of error? It's legitimate outgoing mail from my server to the international recipient.
SPF has been set since day one and is unchanged.
The mail server IP has rDNS set for it and has had it for a long time.
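The "IP name forged (PTR and A records mismatch)" rejection is the receiving side's forward-confirmed reverse DNS test: it looks up the PTR of the connecting IP, then the A records of the name that PTR returns, and expects the original IP to be among them. Having "rDNS set" is only half of that; the PTR's target name must also resolve back to the same address, and it has to hold for the address the server actually connects from. The following is an added example, not code from the thread or from any mail server: a Python check that takes injectable lookup functions so it runs offline against a constructed fake DNS table (documentation addresses; mail.example.org is made up), with the system resolver as the default for real use.

```python
import socket

# Constructed fake DNS tables so the check runs offline (documentation addresses only):
#   192.0.2.25   -> PTR mail.example.org -> A 192.0.2.25   (forward-confirmed)
#   198.51.100.7 -> PTR mail.example.org -> A 192.0.2.25   (PTR and A mismatch)
#   203.0.113.3  -> no PTR at all
FAKE_PTR = {"192.0.2.25": "mail.example.org", "198.51.100.7": "mail.example.org"}
FAKE_A = {"mail.example.org": ["192.0.2.25"]}


def fake_ptr_lookup(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


def fake_a_lookup(name):
    if name not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return list(FAKE_A[name])


def live_ptr_lookup(ip):
    """PTR via the system resolver (for real use; the offline test does not call it)."""
    return socket.gethostbyaddr(ip)[0]


def live_a_lookup(name):
    """All A records for a name via the system resolver."""
    return socket.gethostbyname_ex(name)[2]


def fcrdns_check(ip, ptr_lookup=live_ptr_lookup, a_lookup=live_a_lookup):
    """Forward-confirmed reverse DNS, the test behind "IP name forged":
    PTR(ip) must give a name whose A records include ip.
    Returns (ok, ptr_name, forward_addrs, reason)."""
    try:
        name = ptr_lookup(ip)
    except (socket.herror, socket.gaierror, OSError):
        return False, None, [], "no PTR record for the connecting IP"
    try:
        addrs = a_lookup(name)
    except (socket.herror, socket.gaierror, OSError):
        return False, name, [], "PTR name has no A record"
    if ip in addrs:
        return True, name, addrs, "ok"
    return False, name, addrs, "PTR and A records mismatch"


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "203.0.113.3"):
        ok, name, addrs, reason = fcrdns_check(ip, fake_ptr_lookup, fake_a_lookup)
        print(f"{ip}: PTR={name} A={addrs} -> {'pass' if ok else 'FAIL'} ({reason})")
```

Run fcrdns_check with the defaults against the address shown in the bounce, not the address you believe the server uses: a server with more than one address (or an IPv6 address) can connect from one whose PTR points at a hostname that resolves elsewhere, and that is exactly the mismatch in the rejection above.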
I have to get rid of an open relay state on my server, and I can't do it! I have antirelayd on my WHM but it seems it's not working. Any idea? Please, or at least which line in /scripts/antirelayd I have to check to see if everything is OK.
I saw an older post and tried everything, but nothing works x_X
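Whether a server is still an open relay is decided by the SMTP exchange itself, not by what antirelayd reports: connect without authenticating, send EHLO, MAIL FROM an outside address, then RCPT TO a domain the server does not host, and see whether the RCPT gets 250 or a 5xx like the "not permitted to relay" rejection in the first post. The following is an added example, not code from the thread or from cPanel/antirelayd, that runs that exchange in Python. The ScriptedServer class, the example.* names and probe_host are constructed for the example so it can run offline; QUIT is sent before DATA, so even against an open relay nothing is delivered.

```python
import socket


class ScriptedServer:
    """Constructed stand-in for an SMTP server so the probe runs offline.
    It accepts RCPT for its own domains always, and for other domains only
    when built with open_relay=True (the client is assumed unauthenticated)."""

    def __init__(self, open_relay, local_domains=("example.org",), name="mail.example.org"):
        self.open_relay = open_relay
        self.local_domains = {d.lower() for d in local_domains}
        self.name = name
        self.transcript = []                        # both sides, for the reader
        self._pending = f"220 {name} ESMTP\r\n".encode()
        self.transcript.append("S: " + self._pending.decode().strip())

    def sendall(self, data):
        cmd = data.decode().strip()
        self.transcript.append("C: " + cmd)
        verb = cmd.split(" ", 1)[0].upper()
        if verb == "EHLO":
            reply = f"250-{self.name}\r\n250 AUTH PLAIN LOGIN\r\n"
        elif verb == "MAIL":
            reply = "250 OK\r\n"
        elif verb == "RCPT":
            domain = cmd.split("@", 1)[-1].rstrip(">").lower()
            if self.open_relay or domain in self.local_domains:
                reply = "250 Accepted\r\n"
            else:
                reply = "550 relay not permitted\r\n"
        elif verb == "QUIT":
            reply = "221 Bye\r\n"
        else:
            reply = "500 unrecognised command\r\n"
        self.transcript.append("S: " + reply.strip().replace("\r\n", " | "))
        self._pending += reply.encode()

    def recv(self, n):
        out, self._pending = self._pending[:n], self._pending[n:]
        return out


def read_reply(sock):
    """Read one complete SMTP reply (following 250- continuation lines); return (code, text)."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        if not buf.endswith(b"\r\n"):
            continue
        last = buf[:-2].rsplit(b"\r\n", 1)[-1]
        if len(last) == 3 or last[3:4] == b" ":    # final line: code then space or nothing
            return int(last[:3]), buf.decode(errors="replace")


def relay_probe(sock, rcpt, helo="probe.example.net", sender="probe@example.net"):
    """Unauthenticated EHLO / MAIL FROM / RCPT TO over `sock`; True if the RCPT is
    accepted. With a recipient domain the server does not host, True means it relays.
    QUIT is sent instead of DATA, so nothing is ever delivered."""
    code, _ = read_reply(sock)
    if code != 220:
        raise RuntimeError(f"unexpected banner {code}")
    accepted = False
    for cmd in (f"EHLO {helo}", f"MAIL FROM:<{sender}>", f"RCPT TO:<{rcpt}>"):
        sock.sendall((cmd + "\r\n").encode())
        code, _ = read_reply(sock)
        if cmd.startswith("RCPT"):
            accepted = code == 250
        elif code != 250:
            raise RuntimeError(f"{cmd} -> {code}")
    sock.sendall(b"QUIT\r\n")
    read_reply(sock)
    return accepted


def probe_host(host, port=25, rcpt="relaytest@example.com", timeout=10):
    """Run the probe against a real server (only one you are allowed to test)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return relay_probe(s, rcpt)


if __name__ == "__main__":
    for open_relay in (False, True):
        server = ScriptedServer(open_relay=open_relay)
        result = relay_probe(server, "victim@example.com")
        print(f"open_relay={open_relay}: RCPT for an outside domain accepted -> {result}")
        print("\n".join(server.transcript))
```

Run probe_host against the server's public address from a host outside its network and its trusted-host list; a 550 on the RCPT means the relay is closed for that path, a 250 means it is not, and a check from localhost or from an address in the relay hosts file proves nothing either way.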