
Subject - Author
* Stopping Login Attempts - NotReal
+- Re: Stopping Login Attempts - Grant Taylor
+- Re: Stopping Login Attempts - Andrea Venturoli
+* Re: Stopping Login Attempts - Marco Moock
|`* Re: Stopping Login Attempts - Ralph Spitzner
| `* Re: Stopping Login Attempts - Andrzej Adam Filip
|  +- Re: Stopping Login Attempts - Ralph Spitzner
|  `* Re: Stopping Login Attempts - Ralph Spitzner
|   `- Re: Stopping Login Attempts - Marco Moock
+- Re: Stopping Login Attempts - Giovanni
+- Re: Stopping Login Attempts - Claus Aßmann
+- Re: Stopping Login Attempts - Henning Hucke
+- Re: Stopping Login Attempts - NotReal
`- Re: Stopping Login Attempts - J.O. Aho

Stopping Login Attempts

<tbd3rf$2rk4o$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=511&group=comp.mail.sendmail#511

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: NotR...@NoSpam.com (NotReal)
Newsgroups: comp.mail.sendmail
Subject: Stopping Login Attempts
Date: Fri, 22 Jul 2022 02:59:59 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 11
Message-ID: <tbd3rf$2rk4o$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 22 Jul 2022 02:59:59 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="e38131dc65058e24504e48a55fedf552";
logging-data="3002520"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18N2EHP7Xgx0HnX7FilXpCfhkz8aQIBSeQ="
User-Agent: XanaNews/1.19.1.320
Cancel-Lock: sha1:tVuCiKAoUV36IqCUunRQTtnAQvI=
X-Antivirus-Status: Clean
X-Antivirus: Avast (VPS 220721-4, 07/21/2022), Outbound message
 by: NotReal - Fri, 22 Jul 2022 02:59 UTC

I recently had over 53,000 login attempts in a little over 3 hours from
a single IP address on my sendmail mail server. There were some names
that must have been obtained from email lists, but 99% were almost
every name you could possibly think of. I am guessing they were
probably looking for a way to gain access to relay spam, but regardless
of the reason, I would like to figure out a way to limit or stop such
attempts. As near as I can tell there is no way of configuring
sendmail to limit logins to the LAN (whitelist), but I would rank my
sendmail skills closer to novice than guru. As a result I thought I
would risk ridicule and ask here to be sure before looking at solutions
such as fail2ban.

Re: Stopping Login Attempts

<tbcv18$44k$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=512&group=comp.mail.sendmail#512

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.mail.sendmail
Subject: Re: Stopping Login Attempts
Date: Thu, 21 Jul 2022 22:37:44 -0600
Organization: TNet Consulting
Message-ID: <tbcv18$44k$1@tncsrv09.home.tnetconsulting.net>
References: <tbd3rf$2rk4o$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 22 Jul 2022 01:37:44 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="4244"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <tbd3rf$2rk4o$1@dont-email.me>
Content-Language: en-US
 by: Grant Taylor - Fri, 22 Jul 2022 04:37 UTC

On 7/21/22 8:59 PM, NotReal wrote:
> I recently had over 53,000 login attempts in a little over 3 hours
> from a single IP address on my sendmail mail server. There were
> some names that must have been obtained from email lists, but 99%
> were almost every name you could possibly think of.

Sounds like a credential stuffing attack. My understanding is that they
are quite common and often perpetrated by compromised systems.

> I am guessing they were probably looking for a way to gain access
> to relay spam,

Likely.

> but regardless of the reason, I would like to figure out a way to
> limit or stop such attempts.

Fair.

> As near as I can tell there is no way of configuring sendmail to
> limit logins to the LAN (whitelist), but I would rank my sendmail
> skills closer to novice than guru.

I can't think of a solution / feature / etc. that Sendmail provides to
limit auth requests to specific locations.

I would wonder if a firewall or re-configuration of what IP(s) and / or
ports that Sendmail binds to might be a viable option. E.g. only allow
SMTP Authentication on the Message Submission Agent port (587) and only
allow trusted clients to connect to it via firewall.

> As a result I thought I would risk ridicule and ask here to be sure
> before looking at solutions such as fail2ban.

I'm firmly of the opinion that legitimate questions deserve an equally
legitimate answer.

--
Grant. . . .
unix || die
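
Grant's suggestion, worked out as sendmail.mc listener definitions (an added example, not from this thread): AUTH is disabled on the port 25 MTA listener and required on a port 587 MSA listener that binds only to the LAN interface. The Modifiers letters are sendmail's documented DaemonPortOptions flags (a: always require AUTH, A: disable AUTH, E: disallow ETRN); the 192.168.1.10 address is a constructed placeholder for the server's LAN interface, and the firewall rule that limits who can reach 587 is assumed to live outside sendmail.

```m4
dnl Added example: AUTH only on the submission port, and only on the LAN.
dnl Not from the thread; adapt the addresses to your own network.

dnl Port 25 (MTA): inbound mail from the Internet.
dnl   A = disable AUTH on this listener (overrides any 'a'), so a client
dnl       that sends AUTH here is refused instead of being allowed to
dnl       guess passwords at the rate the OP observed.
DAEMON_OPTIONS(`Port=smtp, Name=MTA, M=A')dnl

dnl Port 587 (MSA): message submission by your own users.
dnl   Addr= binds only to the LAN address (constructed placeholder
dnl         192.168.1.10), so the listener is not reachable from outside.
dnl   a = require successful AUTH before mail is accepted.
dnl   E = disallow ETRN.
DAEMON_OPTIONS(`Port=submission, Name=MSA, Addr=192.168.1.10, M=Ea')dnl

dnl Submission from the host itself (constructed; keeps loopback working
dnl once the MSA is no longer bound to every address).
DAEMON_OPTIONS(`Port=submission, Name=MSAloop, Addr=127.0.0.1, M=Ea')dnl

dnl AUTH hardening that applies to every listener:
dnl   p = do not permit mechanisms vulnerable to passive attack (PLAIN,
dnl       LOGIN) unless the session is already protected by STARTTLS,
dnl   y = do not permit anonymous login,
dnl   A = accept the AUTH= parameter only from authenticated clients.
define(`confAUTH_OPTIONS', `A p y')dnl
```

Regenerate sendmail.cf from the .mc and restart sendmail, then check each port with a plain EHLO: port 25 should no longer answer with a 250-AUTH line from anywhere, and port 587 should answer with one only from the LAN. If users must submit mail from outside the LAN, keep the 587 listener on all addresses and gate it with the firewall or a VPN instead of Addr=; the A modifier on port 25 still removes the password-guessing surface that an open MTA port would otherwise expose.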

Re: Stopping Login Attempts

<tbdhp3$b1v$1@gioia.aioe.org>

https://www.novabbs.com/computers/article-flat.php?id=513&group=comp.mail.sendmail#513

Path: i2pn2.org!i2pn.org!aioe.org!1ND+ZLg3hjRiQFqurevhlg.user.46.165.242.91.POSTED!not-for-mail
From: ml.diesp...@netfence.it (Andrea Venturoli)
Newsgroups: comp.mail.sendmail
Subject: Re: Stopping Login Attempts
Date: Fri, 22 Jul 2022 08:57:38 +0200
Organization: Aioe.org NNTP Server
Message-ID: <tbdhp3$b1v$1@gioia.aioe.org>
References: <tbd3rf$2rk4o$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Info: gioia.aioe.org; logging-data="11327"; posting-host="1ND+ZLg3hjRiQFqurevhlg.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:91.0) Gecko/20100101
Thunderbird/91.11.0
X-Notice: Filtered by postfilter v. 0.9.2
Content-Language: en-US
 by: Andrea Venturoli - Fri, 22 Jul 2022 06:57 UTC

On 7/22/22 04:59, NotReal wrote:
> As a result I thought I would risk ridicule

Not ridicule at all.

> and ask here to be sure

AFAIK there's no such thing built into sendmail, but I'd be happy to be
proven wrong.

> before looking at solutions such as fail2ban.

Just my 2c...

I'm using fail2ban and I'm fairly happy about it.
Obviously it will block legitimate users who insist with the wrong
password (especially some phones which don't offer any indication that
authentication has failed and keep on trying :-[ ). This will be a
problem if you mandate periodical password changes.

I heard some praise crowdsec as a better fail2ban, but I haven't tried it.

Re: Stopping Login Attempts

<20220722103025.2ad356d9@ryz>

https://www.novabbs.com/computers/article-flat.php?id=514&group=comp.mail.sendmail#514

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.mail.sendmail
Subject: Re: Stopping Login Attempts
Date: Fri, 22 Jul 2022 10:30:25 +0200
Organization: A noiseless patient Spider
Lines: 11
Message-ID: <20220722103025.2ad356d9@ryz>
References: <tbd3rf$2rk4o$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Info: reader01.eternal-september.org; posting-host="952a477a8541cb77c2b7082c8800c160";
logging-data="3143554"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18LLmUPzy+1HBy0sdA/yBgb"
Cancel-Lock: sha1:gUNVCBKA+ZshU0u6H0tOXoFF16A=
 by: Marco Moock - Fri, 22 Jul 2022 08:30 UTC

On Friday, 22 July 2022, at 02:59:59, NotReal wrote:

> I recently had over 53,000 login attempts in a little over 3 hours
> from a single IP address on my sendmail mail server.

You can set up a firewall (unrelated to sendmail) and just drop all
traffic from this IP.

Additionally, there is the access db with the Connect: statement. Maybe
try out this.

Re: Stopping Login Attempts

<tbdok4$fq$1@milena.home.net.it>

https://www.novabbs.com/computers/article-flat.php?id=515&group=comp.mail.sendmail#515

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.uzoreto.com!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail
From: lsod...@home.net.it (Giovanni)
Newsgroups: comp.mail.sendmail
Subject: Re: Stopping Login Attempts
Date: Fri, 22 Jul 2022 10:54:28 +0200
Organization: G. Falzoni Home Network
Message-ID: <tbdok4$fq$1@milena.home.net.it>
References: <tbd3rf$2rk4o$1@dont-email.me>
Reply-To: gfalzoni@inwind.it
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Lines: 16
NNTP-Posting-Host: b9cdbca8.news.sunsite.dk
X-Trace: 1658480071 news.sunsite.dk 697 gfalzoni@inwind.it/151.48.13.233:36868
X-Complaints-To: staff@sunsite.dk
 by: Giovanni - Fri, 22 Jul 2022 08:54 UTC

On 7/22/22 04:59, NotReal wrote:

> I recently had over 53,000 login attempts in a little over 3 hours
> from a single IP address on my sendmail mail server.

I had a similar problem in a server from the university and at my
home. I used the old protection system, the tcp wrappers, opening
access only to LAN users. At home I opened access only to the server IP
to receive maintenance activity notifications.

Ciao
Giovanni
--
A computer is like an air conditioner,
it stops working when you open Windows.
< http://giovanni.homelinux.net/ >

Re: Stopping Login Attempts

<tbdtlc$6ms$1@news.misty.com>

https://www.novabbs.com/computers/article-flat.php?id=516&group=comp.mail.sendmail#516

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!.POSTED.veps.esmtp.org!not-for-mail
From: INVALID_...@esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Subject: Re: Stopping Login Attempts
Date: Fri, 22 Jul 2022 06:20:28 -0400 (EDT)
Organization: MGT Consulting
Sender: <ml+sendmail(-no-copies-please)@esmtp.org>
Message-ID: <tbdtlc$6ms$1@news.misty.com>
References: <tbd3rf$2rk4o$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 22 Jul 2022 10:20:28 -0000 (UTC)
Injection-Info: news.misty.com; posting-host="veps.esmtp.org:155.138.203.148";
logging-data="6876"; mail-complaints-to="abuse@misty.com"
Mail-Copies-To: never
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: ca@x2.esmtp.org (Claus Assmann)
 by: Claus Aßmann - Fri, 22 Jul 2022 10:20 UTC

NotReal wrote:

> As near as I can tell there is no way of configuring
> sendmail to limit logins to the LAN (whitelist), but I would rank my

doc/op/op.*
5.1.4.17. srv_features

The srv_features ruleset is called with the
connecting client's host name when a client con-
nects to sendmail. This ruleset should return
$# followed by a list of options (single charac-
ters delimited by white space).
....
A Do not offer AUTH

cf/README:

About 2): the rulesets try_tls, srv_features, and clt_features can
be used together with the access map. Entries for the access map
must be tagged with Try_TLS, Srv_Features, Clt_Features and refer
to the hostname or IP address of the connecting system (the latter
is not available for clt_features). A default case can be specified
by using just the tag.

Srv_Features:my.domain v
Srv_Features: V

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
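
The srv_features mechanism Claus points at, worked out as access map entries (an added example, not from the thread; the 192.168.1 and 10.0.0 prefixes are constructed placeholders). It assumes sendmail.mc contains FEATURE(`access_db') and that the map is rebuilt with makemap after editing. The lowercase 'a' is the documented counterpart of 'A' (offer AUTH), and IP entries are assumed to match by leading octets, most specific first, as Connect: entries do.

```text
# /etc/mail/access (added example; prefixes are constructed placeholders)
#
# Srv_Features is consulted once per connection, keyed by the client's
# host name or IP address.  The most specific entry wins; the bare tag
# is the default for everyone else.
#
#   a   offer AUTH            A   do not offer AUTH

# The server itself and hosts on the LAN may authenticate.
Srv_Features:127.0.0.1          a
Srv_Features:192.168.1          a
Srv_Features:10.0.0             a

# Everyone else never sees 250-AUTH in the EHLO response, and an AUTH
# command sent anyway is refused, so there are no credentials to guess.
Srv_Features:                   A
```

Rebuild the map with `makemap hash /etc/mail/access < /etc/mail/access`, then verify with EHLO from an outside address (no 250-AUTH line) and from the LAN (250-AUTH present). Srv_Features is keyed by client address, not by port, so it cannot express "AUTH for roaming users, but only on 587"; roaming users would be cut off by this map and need the per-daemon route (an MSA listener with its own Modifiers, behind a firewall or VPN) instead.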

Re: Stopping Login Attempts

<tbdrgv$mrq$1@sirius.aeon.icebear.cloud>

https://www.novabbs.com/computers/article-flat.php?id=517&group=comp.mail.sendmail#517

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.szaf.org!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: h_hucke+...@newsmail.aeon.icebear.org (Henning Hucke)
Newsgroups: comp.mail.sendmail
Subject: Re: Stopping Login Attempts
Date: Fri, 22 Jul 2022 09:43:59 -0000 (UTC)
Organization: aeon: think longer than you thought before
Lines: 34
Distribution: world
Message-ID: <tbdrgv$mrq$1@sirius.aeon.icebear.cloud>
References: <tbd3rf$2rk4o$1@dont-email.me>
Reply-To: Henning Hucke <h_hucke+news.reply@newsmail.aeon.icebear.org>
X-Trace: individual.net YTTBzfOnUKr9bPBKEPMugAVNQVzdunYu0W+gJpouP9xVGhB/t5
X-Orig-Path: news.aeon.icebear.cloud!news1.aeon.icebear.cloud!.POSTED.sirius.aeon.icebear.cloud!not-for-mail
Cancel-Lock: sha1:h6xp4FVSao2aodH7SgGPAXzb2qQ= sha1:ZLvwnw2ptgm4IgX2WI9RBQN64wg=
Injection-Date: Fri, 22 Jul 2022 09:43:59 -0000 (UTC)
Injection-Info: sirius.aeon.icebear.cloud; posting-host="sirius.aeon.icebear.cloud:fd09:afca:b044:1::1";
logging-data="23418"; mail-complaints-to="abuse+news@aeon.icebear.cloud"
User-Agent: tin/2.4.3-20181224 ("Glen Mhor") (UNIX) (Linux/4.19.0-8-amd64 (x86_64))
 by: Henning Hucke - Fri, 22 Jul 2022 09:43 UTC

NotReal <NotReal@nospam.com> wrote:

Hi stranger.

> [...]
> [...], but regardless
> of the reason, I would like to figure out a way to limit or stop such
> attempts. As near as I can tell there is no way of configuring
> sendmail to limit logins to the LAN (whitelist), [...]

There is no such thing as "login" with SMTP connections, but only
authenticated usage of SMTP, so there is also no rate limiting specific
to "logins"!

Look for the "ratecontrol" and "conncontrol" features for the
sendmail m4 config generation system and you'll find what sendmail
offers you to handle a situation like the one you described.

Be aware that "ratecontrol" specifies how often connections can be
established to a sendmail instance and "conncontrol" specifies how many
*concurrent* connections are allowed.
The difference is that one might allow a rate of just one connection
per minute but an attacker can harm the instance by just keeping
connections open as long as possible. And the latter is controlled by
specifying values for exactly this case.

> [...]

Best regards,
Henning
--
In theory there is no difference between theory and practise.
In practise there is.
Yogi Beer
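
Henning's two features, worked out as access map entries (an added example, not from this thread; the prefixes are constructed placeholders). It assumes sendmail.mc contains FEATURE(`access_db'), FEATURE(`ratecontrol', `nodelay', `terminate') and FEATURE(`conncontrol', `nodelay', `terminate'), and that the rate window is the ConnectionRateWindowSize option (confCONNECTION_RATE_WINDOW_SIZE, 60 seconds unless changed). The bare-tag default entries are an assumption: cf/README documents that form for Srv_Features, and the lookup for ClientRate:/ClientConn: is assumed to behave the same way, which should be confirmed against the README shipped with your version.

```text
# /etc/mail/access (added example; prefixes are constructed placeholders)
#
# ClientRate:  new connections a client may open per ConnectionRateWindowSize
# ClientConn:  connections a client may hold open at the same time
# 0 = unlimited.  IP entries match by leading octets, most specific first.

# The server itself and the LAN: never throttled, so a burst of legitimate
# submissions (or one misbehaving phone inside) cannot lock the office out.
ClientRate:127.0.0.1            0
ClientConn:127.0.0.1            0
ClientRate:192.168.1            0
ClientConn:192.168.1            0

# Everyone else (bare tag = default; assumption, see the lead-in).
# At most 10 new connections per window ...
ClientRate:                     10
# ... and no more than 3 held open at once, which covers the "connect
# slowly but never hang up" variant that ratecontrol alone lets through.
ClientConn:                     3
```

Rebuild the map with `makemap hash /etc/mail/access < /etc/mail/access`. With the `terminate` parameter an excess connection is answered with a 421 and closed rather than left open with a temporary error; `nodelay` makes the check happen at connect time instead of at RCPT. Both tags count connections, not AUTH commands, so a client that stays within the limits can still try several passwords per connection: these limits cap the damage rate, while not offering AUTH to untrusted clients (Claus's Srv_Features entries) removes the target. Pick the default limits above the burst a legitimate large sender produces on port 25, because inbound MTA traffic is subject to the same entries.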

Re: Stopping Login Attempts

<tbgrl8$3sop2$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=519&group=comp.mail.sendmail#519

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: NotR...@NoSpam.com (NotReal)
Newsgroups: comp.mail.sendmail
Subject: Re: Stopping Login Attempts
Date: Sat, 23 Jul 2022 13:04:40 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 40
Message-ID: <tbgrl8$3sop2$1@dont-email.me>
References: <tbd3rf$2rk4o$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Injection-Date: Sat, 23 Jul 2022 13:04:40 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="f7661cd7645a9de1c0a2e3186172bf22";
logging-data="4088610"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+0XH6tIr/yi5u31pMrxN4CX05L0RccJus="
User-Agent: XanaNews/1.19.1.320
Cancel-Lock: sha1:mR34Ndw/puPBpve9UBrxRGZ9OuM=
X-Antivirus-Status: Clean
X-Antivirus: Avast (VPS 220722-6, 07/22/2022), Outbound message
 by: NotReal - Sat, 23 Jul 2022 13:04 UTC

NotReal wrote:

> I recently had over 53,000 login attempts in a little over 3 hours
> from a single IP address on my sendmail mail server. There were some
> names that must have been obtained from email lists, but 99% were
> almost every name you could possibly think of. I am guessing they
> were probably looking for a way to gain access to relay spam, but
> regardless of the reason, I would like to figure out a way to limit
> or stop such attempts. As near as I can tell there is no way of
> configuring sendmail to limit logins to the LAN (whitelist), but I
> would rank my sendmail skills closer to novice than guru. As a
> result I thought I would risk ridicule and ask here to be sure before
> looking at solutions such as fail2ban.

Thanks to all who replied and I have read your comments and
suggestions.

I did block that particular IP address at the firewall but I suspect it
is a case of closing the barn door after the horse has gone. The next
time any similar attack occurs, it will probably come from a new IP
address.

I like the suggestion to limit authentication only on port 587 as I
suspect most users are currently using port 587 when authenticating to
receive mail. It will definitely take some reading on my part though
as there are some unknowns about how that would work when sending mail,
but it seems like a worthwhile approach.

I have never heard of crowdsec but I will look into that as well. I
currently use fail2ban on a decoy SSH server feeding blocklist.de so I
am familiar with how to set that up, but perhaps crowdsec has some
features that are not available in fail2ban and tcpwrappers that were
also suggested.

As for Henning and Mr. Sendmail, Claus, their suggestions will take
some more study of sendmail to fully understand and appreciate, but I
will endeavour to do that if only for the learning experience.

Thanks again to all.

Re: Stopping Login Attempts

<tbk8ko$puf2$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=521&group=comp.mail.sendmail#521

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: ras...@spitzner.org (Ralph Spitzner)
Newsgroups: comp.mail.sendmail
Subject: Re: Stopping Login Attempts
Date: Sun, 24 Jul 2022 22:04:40 +0200
Organization: A noiseless patient Spider
Lines: 16
Message-ID: <tbk8ko$puf2$1@dont-email.me>
References: <tbd3rf$2rk4o$1@dont-email.me> <20220722103025.2ad356d9@ryz>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 24 Jul 2022 20:04:40 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="4aadcd46612bbfae51a6f472880ef4e8";
logging-data="850402"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19bn1rDNSqapmJrC5T54B3XGDrC214Gg1w="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0 SeaMonkey/2.53.13
Cancel-Lock: sha1:ow4aDNi3TiVwwnJiXhxuZoHsfxM=
In-Reply-To: <20220722103025.2ad356d9@ryz>
 by: Ralph Spitzner - Sun, 24 Jul 2022 20:04 UTC

Marco Moock wrote on 7/22/22 10:30 AM:
> On Friday, 22 July 2022, at 02:59:59, NotReal wrote:
>
>> I recently had over 53,000 login attempts in a little over 3 hours
>> from a single IP address on my sendmail mail server.
>
> You can set up a firewall (unrelated to sendmail) and just drop all
> traffic from this IP.

just temporarily set a route
ip route add blackhole <offending-ip>

-rasp

Re: Stopping Login Attempts

<anfi+yy32xewf6f-m7o0@wp.eu>

https://www.novabbs.com/computers/article-flat.php?id=522&group=comp.mail.sendmail#522

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: anf...@onet.eu (Andrzej Adam Filip)
Newsgroups: comp.mail.sendmail
Subject: Re: Stopping Login Attempts
Date: Sun, 24 Jul 2022 22:11:53 +0200
Organization: It is for me to know and for you to find out.
Lines: 16
Message-ID: <anfi+yy32xewf6f-m7o0@wp.eu>
References: <tbd3rf$2rk4o$1@dont-email.me> <20220722103025.2ad356d9@ryz>
<tbk8ko$puf2$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain
Injection-Info: reader01.eternal-september.org; posting-host="e5b1e528cc6ecbf74020f6d4ccce2f33";
logging-data="857028"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/uYugQdB/z0ZhwaBwnqj0O"
Cancel-Lock: sha1:FtweLs+yH84p0qO4L2J2SclRQLg=
sha1:Na9Jy0qGmQWtqMwPnLDInAqCn9Q=
 by: Andrzej Adam Filip - Sun, 24 Jul 2022 20:11 UTC

Ralph Spitzner <rasp@spitzner.org> wrote:
> Marco Moock wrote on 7/22/22 10:30 AM:
>> On Friday, 22 July 2022, at 02:59:59, NotReal wrote:
>>
>>> I recently had over 53,000 login attempts in a little over 3 hours
>>> from a single IP address on my sendmail mail server.
>> You can set up a firewall (unrelated to sendmail) and just drop all
>> traffic from this IP.
>
> just temporarily set a route
> ip route add blackhole <offending-ip>

The IP address may be inside a DUL range.

--
[Andrew] Andrzej A. Filip

Re: Stopping Login Attempts

<tblog6$15087$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=523&group=comp.mail.sendmail#523

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: ras...@spitzner.org (Ralph Spitzner)
Newsgroups: comp.mail.sendmail
Subject: Re: Stopping Login Attempts
Date: Mon, 25 Jul 2022 11:41:26 +0200
Organization: A noiseless patient Spider
Lines: 7
Message-ID: <tblog6$15087$1@dont-email.me>
References: <tbd3rf$2rk4o$1@dont-email.me> <20220722103025.2ad356d9@ryz>
<tbk8ko$puf2$1@dont-email.me> <anfi+yy32xewf6f-m7o0@wp.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 25 Jul 2022 09:41:27 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="71efaccff3c34150291a863317d2afb2";
logging-data="1212679"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18YKSZ3W/LOePYo7+TXauPAL+HLNt3aBBQ="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0 SeaMonkey/2.53.13
Cancel-Lock: sha1:gj9nq/cTT1HV5uNuwjr4Bq5yMXE=
In-Reply-To: <anfi+yy32xewf6f-m7o0@wp.eu>
 by: Ralph Spitzner - Mon, 25 Jul 2022 09:41 UTC

Andrzej Adam Filip wrote on 7/24/22 10:11 PM:

> The IP address may be inside a DUL range.
>

If by DUL you mean something like a NAT/DMZ, there will still be some
public IP; otherwise they couldn't get there...

Re: Stopping Login Attempts

<tbloqh$152gq$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=524&group=comp.mail.sendmail#524

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: ras...@spitzner.org (Ralph Spitzner)
Newsgroups: comp.mail.sendmail
Subject: Re: Stopping Login Attempts
Date: Mon, 25 Jul 2022 11:46:57 +0200
Organization: A noiseless patient Spider
Lines: 8
Message-ID: <tbloqh$152gq$1@dont-email.me>
References: <tbd3rf$2rk4o$1@dont-email.me> <20220722103025.2ad356d9@ryz>
<tbk8ko$puf2$1@dont-email.me> <anfi+yy32xewf6f-m7o0@wp.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 25 Jul 2022 09:46:57 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="71efaccff3c34150291a863317d2afb2";
logging-data="1215002"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18BVOGhXTspGyugBDpmOj5Ijk5usoybtnU="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0 SeaMonkey/2.53.13
Cancel-Lock: sha1:3DMt+76FSSJ4zZCJ6/AWrEd9W6k=
In-Reply-To: <anfi+yy32xewf6f-m7o0@wp.eu>
 by: Ralph Spitzner - Mon, 25 Jul 2022 09:46 UTC

Andrzej Adam Filip wrote on 7/24/22 10:11 PM:

>
> The IP address may be inside a DUL range.
>
Oh, sorry, I see you apparently mean a 'Dialup user range', but anyway,
if so, a "firewall" wouldn't help either, and if he/she's trying to
authenticate for a relay there will be a forward/reverse mismatch on
that host, so it just produces some 'dust' in the logfile...

Re: Stopping Login Attempts

<20220725134634.64ddb3de@ryz>

https://www.novabbs.com/computers/article-flat.php?id=525&group=comp.mail.sendmail#525

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.mail.sendmail
Subject: Re: Stopping Login Attempts
Date: Mon, 25 Jul 2022 13:46:34 +0200
Organization: A noiseless patient Spider
Lines: 11
Message-ID: <20220725134634.64ddb3de@ryz>
References: <tbd3rf$2rk4o$1@dont-email.me>
<20220722103025.2ad356d9@ryz>
<tbk8ko$puf2$1@dont-email.me>
<anfi+yy32xewf6f-m7o0@wp.eu>
<tbloqh$152gq$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Info: reader01.eternal-september.org; posting-host="d4f3d816da21175da675e7440a2f4682";
logging-data="1252343"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18P0WXGxtoi4Frud/44wAje"
Cancel-Lock: sha1:Ej5OjFkBzO5XwDUW4mDVwNguIqA=
 by: Marco Moock - Mon, 25 Jul 2022 11:46 UTC

On Monday, 25 July 2022, at 11:46:57, Ralph Spitzner wrote:

> oh, sorry I see you apparently mean a 'Dialup user range', but anyway
> if so a "firewall" wouldn't help either and if he/she's trying to
> authenticate for a relay there will be a forward/reverse mismatch on
> that host, so it just produces some 'dust' in the logfile...

If so, tell the ISP the address is assigned to. They will most likely
tell the customer that. If the customer isn't willing to stop attacking
other computers, they might switch off his connection.

Re: Stopping Login Attempts

<jk7pt1F3nk9U1@mid.individual.net>

https://www.novabbs.com/computers/article-flat.php?id=526&group=comp.mail.sendmail#526

Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: use...@example.net (J.O. Aho)
Newsgroups: comp.mail.sendmail
Subject: Re: Stopping Login Attempts
Date: Mon, 25 Jul 2022 17:07:12 +0200
Lines: 23
Message-ID: <jk7pt1F3nk9U1@mid.individual.net>
References: <tbd3rf$2rk4o$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net 57RSJwRZkfA2Z8IaxtCIUg2KiolEktxhLwYAe5XWnHOQEtP/58
Cancel-Lock: sha1:tnsVmPNJruw3gW47d95l93XL12U=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.11.0
Content-Language: en-US-large
In-Reply-To: <tbd3rf$2rk4o$1@dont-email.me>
 by: J.O. Aho - Mon, 25 Jul 2022 15:07 UTC

On 22/07/2022 04.59, NotReal wrote:
> I recently had over 53,000 login attempts in a little over 3 hours from
> a single IP address on my sendmail mail server.
> I would like to figure out a way to limit or stop such
> attempts

In my experience, still feeling like a novice after using sendmail for
24 years, I have never seen anything that would limit authentication
attempts; the best tool I have seen is fail2ban. I do use it myself
against failed authentications. I tend to have an issue with the same
username (it seems to be a randomly generated one) being used to try to
authenticate, but only one attempt per day from an IP. Most of the
authentications seem to try to utilize a somewhat "recent" bug in
sendmail which has been patched.

I would not spend time waiting, just go with fail2ban, and it could be
good to have it monitor your ssh too. I do run mine on a port normally
not used, but still I get my share of Chinese and Russians trying to
gain access.

--

//Aho
