Directory Harvest


Directory Harvest

Roman Gelfand-2
It looks like somebody is trying to figure out my internal users as
evidenced by log excerpts below.  Is there something I could do to, if
not prevent this, reduce it?

Thanks in advance

Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: reject: RCPT from
unknown[93.85.224.123]: 550 5.1.1 <atil...@abc.com>: Recipient address
rejected: User unknown in virtual mailbox table;
from=<atoll...@roulottes-moulin-de-cheni.com> to=<atil...@abc.com>
proto=SMTP helo=<WIVANTR>
Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: filter: RCPT from
unknown[93.85.224.123]: <unknown[93.85.224.123]>: Client host triggers
FILTER dspam:dspam; from=<atoll...@roulottes-moulin-de-cheni.com>
to=<b...@abc.com> proto=SMTP helo=<WIVANTR>
Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: reject: RCPT from
unknown[93.85.224.123]: 550 5.1.1 <b...@abc.com>: Recipient address
rejected: User unknown in virtual mailbox table;
from=<atoll...@roulottes-moulin-de-cheni.com> to=<b...@abc.com>
proto=SMTP helo=<WIVANTR>
Jul 29 15:00:15 mail postfix/smtpd[2451]: NOQUEUE: filter: RCPT from
unknown[93.85.224.123]: <unknown[93.85.224.123]>: Client host triggers
FILTER dspam:dspam; from=<finise...@rfstech.com>
to=<conning...@abc.com> proto=SMTP helo=<JYMQMAWNRE>
Jul 29 15:00:15 mail postfix/smtpd[2451]: NOQUEUE: reject: RCPT from
unknown[93.85.224.123]: 550 5.1.1 <conning...@abc.com>: Recipient
address rejected: User unknown in virtual mailbox table;
from=<finise...@rfstech.com> to=<conning...@abc.com> proto=SMTP
helo=<JYMQMAWNRE>
Jul 29 15:00:15 mail postfix/smtpd[2448]: NOQUEUE: filter: RCPT from
unknown[93.85.224.123]: <unknown[93.85.224.123]>: Client host triggers
FILTER dspam:dspam; from=<pepyspzw...@raflatac.com> to=<cl...@abc.com>
proto=SMTP helo=<WIVANTR>
Jul 29 15:00:15 mail postfix/smtpd[2448]: NOQUEUE: reject: RCPT from
unknown[93.85.224.123]: 550 5.1.1 <cl...@abc.com>: Recipient address
rejected: User unknown in virtual mailbox table;
from=<pepyspzw...@raflatac.com> to=<cl...@abc.com> proto=SMTP
helo=<WIVANTR>


Re: Directory Harvest

Seth Mattinen
Roman Gelfand wrote:
> It looks like somebody is trying to figure out my internal users as
> evidenced by log excerpts below.  Is there something I could do to, if
> not prevent this, reduce it?
>


You could use fail2ban to look for too many "RCPT from unknown" entries
and block the IP address.

~Seth

Re: Directory Harvest

Roman Gelfand-2
Should I block 1 address or subnet?

On Wed, Jul 29, 2009 at 7:05 PM, Seth Mattinen <[hidden email]> wrote:
Roman Gelfand wrote:
> It looks like somebody is trying to figure out my internal users as
> evidenced by log excerpts below.  Is there something I could do to, if
> not prevent this, reduce it?
>


You could use fail2ban to look for too many "RCPT from unknown" entries
and block the IP address.

~Seth


Re: Directory Harvest

Seth Mattinen
Roman Gelfand wrote:
> Should I block 1 address or subnet?
>

I'd start with just the IP, personally.

~Seth

Re: Directory Harvest

Noel Jones-2
In reply to this post by Roman Gelfand-2
Roman Gelfand wrote:

> It looks like somebody is trying to figure out my internal users as
> evidenced by log excerpts below.  Is there something I could do to, if
> not prevent this, reduce it?
>
> Thanks in advance
>
> Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: reject: RCPT from
> unknown[93.85.224.123]: 550 5.1.1 <atil...@abc.com>: Recipient address
> rejected: User unknown in virtual mailbox table;
> from=<atoll...@roulottes-moulin-de-cheni.com> to=<atil...@abc.com>
> proto=SMTP helo=<WIVANTR>
> Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: filter: RCPT from
> unknown[93.85.224.123]: <unknown[93.85.224.123]>: Client host triggers
> FILTER dspam:dspam; from=<atoll...@roulottes-moulin-de-cheni.com>
> to=<b...@abc.com> proto=SMTP helo=<WIVANTR>
> Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: reject: RCPT from
> unknown[93.85.224.123]: 550 5.1.1 <b...@abc.com>: Recipient address
> rejected: User unknown in virtual mailbox table;
> from=<atoll...@roulottes-moulin-de-cheni.com> to=<b...@abc.com>
> proto=SMTP helo=<WIVANTR>
> Jul 29 15:00:15 mail postfix/smtpd[2451]: NOQUEUE: filter: RCPT from
> unknown[93.85.224.123]: <unknown[93.85.224.123]>: Client host triggers
> FILTER dspam:dspam; from=<finise...@rfstech.com>
> to=<conning...@abc.com> proto=SMTP helo=<JYMQMAWNRE>
> Jul 29 15:00:15 mail postfix/smtpd[2451]: NOQUEUE: reject: RCPT from
> unknown[93.85.224.123]: 550 5.1.1 <conning...@abc.com>: Recipient
> address rejected: User unknown in virtual mailbox table;
> from=<finise...

Logs are much easier to read if you press the [plain text]
button when posting from gmail.

No need to ever accept mail from this client.

$ host 93.85.224.123
Host 123.224.85.93.in-addr.arpa not found: 3(NXDOMAIN)

The host has no reverse DNS and could be rejected with
reject_unknown_reverse_client_hostname.  Some big ISPs reject
such clients, so this is somewhat unlikely to reject legit mail.
http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname

The client is listed in several RBLs.  Adding
  reject_rbl_client zen.spamhaus.org
to one of your smtpd_*_restrictions would get rid of them and
lots of other junk.  There are other RBLs you might consider,
but currently zen is the most effective with a very low false
positive rate.
http://www.postfix.org/postconf.5.html#reject_rbl_client
http://www.spamhaus.org/organization/dnsblusage.html

And finally, reducing smtpd_hard_error_limit to something
between 1..5 would hang up on a client after that many
bad recipients.
http://www.postfix.org/postconf.5.html#smtpd_hard_error_limit

After these things, then you can look at implementing fail2ban
or similar.  But do the basics first.

   -- Noel Jones

Re: Directory Harvest

Benny Pedersen
In reply to this post by Roman Gelfand-2

On Thu, July 30, 2009 00:59, Roman Gelfand wrote:
> It looks like somebody is trying to figure out my internal users as
> evidenced by log excerpts below.  Is there something I could do to, if
> not prevent this, reduce it?

Reject more HELO?

The logs shown were all non-FQDN HELO.


--
xpoint


Re: Directory Harvest

Ralf Hildebrandt
In reply to this post by Roman Gelfand-2
* Evan Platt <[hidden email]>:

> At 03:59 PM 7/29/2009, you wrote:
> >It looks like somebody is trying to figure out my internal users as
> >evidenced by log excerpts below.  Is there something I could do to, if
> >not prevent this, reduce it?
>
> If  you're seeing a lot of attempts, I say just block them in your firewall...
>
> # whois 93.85.224.123
>
> OrgName:    RIPE Network Coordination Centre
> OrgID:      RIPE
> Address:    P.O. Box 10096
> City:       Amsterdam
> StateProv:
> PostalCode: 1001EB
> Country:    NL
>
> ReferralServer: whois://whois.ripe.net:43
>
> NetRange:   93.0.0.0 - 93.255.255.255
> CIDR:       93.0.0.0/8

Your whois is broken:
inetnum:        93.85.224.0 - 93.85.231.255
netname:        BELPAK
descr:          Republican Unitary Enterprise BELTELECOM
descr:          MINSK branch
descr:          Republic of Belarus
country:        BY
admin-c:        DG1612-RIPE
tech-c:         OB1713-RIPE
status:         ASSIGNED PA
mnt-by:         AS6697-MNT
source:         RIPE # Filtered

person:       Dmitry Gorbukov
address:      Belarus
address:      220088, Minsk
address:      ul. Zaharova, 57
address:      UC MINSKOBLTELECOM
phone:        +375 17 5001131
fax-no:       +375 17 5001193
e-mail:       [hidden email]
nic-hdl:      DG1612-RIPE
mnt-by:       AS6697-MNT
source:       RIPE # Filtered

person:         Oleg Bylina
address:        Belarus
address:        220088, Minsk
address:        ul. Zaharova, 57
address:        UC MINSKOBLTELECOM
phone:          +375 17 5001383
fax-no:         +375 17 5001193
e-mail:         [hidden email]
nic-hdl:        OB1713-RIPE
mnt-by:         AS6697-MNT
source:         RIPE # Filtered


--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de
           

Re: Directory Harvest

Clunk Werclick
On Thu, 2009-07-30 at 08:59 +0200, Ralf Hildebrandt wrote:

> * Evan Platt <[hidden email]>:
> > At 03:59 PM 7/29/2009, you wrote:
> > >It looks like somebody is trying to figure out my internal users as
> > >evidenced by log excerpts below.  Is there something I could do to, if
> > >not prevent this, reduce it?
> >
> > If  you're seeing a lot of attempts, I say just block them in your firewall...
> >
> > # whois 93.85.224.123
> >
> > OrgName:    RIPE Network Coordination Centre
> > OrgID:      RIPE
> > Address:    P.O. Box 10096
> > City:       Amsterdam
> > StateProv:
> > PostalCode: 1001EB
> > Country:    NL
> >
> > ReferralServer: whois://whois.ripe.net:43
> >
> > NetRange:   93.0.0.0 - 93.255.255.255
> > CIDR:       93.0.0.0/8
>
> Your whois is broken:
> inetnum:        93.85.224.0 - 93.85.231.255
> netname:        BELPAK
> descr:          Republican Unitary Enterprise BELTELECOM
> descr:          MINSK branch
> descr:          Republic of Belarus
> country:        BY
> admin-c:        DG1612-RIPE
> tech-c:         OB1713-RIPE
> status:         ASSIGNED PA
> mnt-by:         AS6697-MNT
> source:         RIPE # Filtered
>
> person:       Dmitry Gorbukov
> address:      Belarus
> address:      220088, Minsk
> address:      ul. Zaharova, 57
> address:      UC MINSKOBLTELECOM
> phone:        +375 17 5001131
> fax-no:       +375 17 5001193
> e-mail:       [hidden email]
> nic-hdl:      DG1612-RIPE
> mnt-by:       AS6697-MNT
> source:       RIPE # Filtered
>
> person:         Oleg Bylina
> address:        Belarus
> address:        220088, Minsk
> address:        ul. Zaharova, 57
> address:        UC MINSKOBLTELECOM
> phone:          +375 17 5001383
> fax-no:         +375 17 5001193
> e-mail:         [hidden email]
> nic-hdl:        OB1713-RIPE
> mnt-by:         AS6697-MNT
> source:         RIPE # Filtered
>
Apart from the iptables approach, a more autonomous fix could be done with the
(improper?) use of anvil. Any more than X connections in a couple of
minutes and goodnight sweetheart.

This combined with max errors perhaps?
--
-----------------------------------------------------------

C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment.




Re: Directory Harvest

Barney Desmond
> Apart from the IPTables a more autonomous fix could be done with the
> (improper ?) use of Anvil. Any more than X connections in a couple of
> minutes and goodnight sweetheart.

This is generally strongly advised against. anvil is a DoS-protection
mechanism, not a rate-limit tool - it exists to help prevent runaway
conditions. If you attempt to use it for controlling "bad behaviour",
it'll bite you when you start getting a lot of legitimate mail from
one source (e.g. qmail is known to make one connection per recipient:
http://www.lifewithqmail.org/lwq.html#multi-rcpt).

Re: Directory Harvest

Roman Gelfand-2
In reply to this post by Noel Jones-2
This is excellent.  If you have other non-content spam filtering suggestion, I would greatly appreciate it.

On Wed, Jul 29, 2009 at 9:23 PM, Noel Jones <[hidden email]> wrote:
Roman Gelfand wrote:
It looks like somebody is trying to figure out my internal users as
evidenced by log excerpts below.  Is there something I could do to, if
not prevent this, reduce it?

Thanks in advance

Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: reject: RCPT from
unknown[93.85.224.123]: 550 5.1.1 <atil...@abc.com>: Recipient address
rejected: User unknown in virtual mailbox table;
from=<atoll...@roulottes-moulin-de-cheni.com> to=<atil...@abc.com>
proto=SMTP helo=<WIVANTR>
Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: filter: RCPT from
unknown[93.85.224.123]: <unknown[93.85.224.123]>: Client host triggers
FILTER dspam:dspam; from=<atoll...@roulottes-moulin-de-cheni.com>
to=<b...@abc.com> proto=SMTP helo=<WIVANTR>
Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: reject: RCPT from
unknown[93.85.224.123]: 550 5.1.1 <b...@abc.com>: Recipient address
rejected: User unknown in virtual mailbox table;
from=<atoll...@roulottes-moulin-de-cheni.com> to=<b...@abc.com>
proto=SMTP helo=<WIVANTR>
Jul 29 15:00:15 mail postfix/smtpd[2451]: NOQUEUE: filter: RCPT from
unknown[93.85.224.123]: <unknown[93.85.224.123]>: Client host triggers
FILTER dspam:dspam; from=<finise...@rfstech.com>
to=<conning...@abc.com> proto=SMTP helo=<JYMQMAWNRE>
Jul 29 15:00:15 mail postfix/smtpd[2451]: NOQUEUE: reject: RCPT from
unknown[93.85.224.123]: 550 5.1.1 <conning...@abc.com>: Recipient
address rejected: User unknown in virtual mailbox table;
from=<finise...

logs are much easier to read if you press the [plain text] button when posting from gmail.

No need to ever accept mail from this client.

$ host 93.85.224.123
Host 123.224.85.93.in-addr.arpa not found: 3(NXDOMAIN)

The host has no reverse DNS and could be rejected with reject_unknown_reverse_client_hostname.  Some big ISPs reject such clients, so this is somewhat unlikely to reject legit mail.
http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname

The client is listed in several RBLs.  Adding
 reject_rbl_client zen.spamhaus.org
to one of your smtpd_*_restrictions would get rid of them and lots of other junk.  There are other RBLs you might consider, but currently zen is the most effective with a very low false positive rate.
http://www.postfix.org/postconf.5.html#reject_rbl_client
http://www.spamhaus.org/organization/dnsblusage.html

And finally, reducing smtpd_hard_error_limit to something between 1..5 would hang up on a client after that many
bad recipients.
http://www.postfix.org/postconf.5.html#smtpd_hard_error_limit

After these things, then you can look at implementing fail2ban or similar.  But do the basics first.

 -- Noel Jones


Re: Directory Harvest

Noel Jones-2
Roman Gelfand wrote:
> This is excellent.  If you have other non-content spam filtering
> suggestion, I would greatly appreciate it.

You post in HTML, and you top-post.  Please observe list
etiquette if you want further answers.

As someone else already pointed out, the client also used an
unqualified HELO command.

The logs are nearly impossible to read due to your inability
to press the "plain text" gmail button, but this snippet:

 >         proto=SMTP helo=<WIVANTR>

illustrates the issue.

You can reject this with reject_non_fqdn_helo_hostname.  See:
http://www.postfix.org/postconf.5.html#reject_non_fqdn_helo_hostname
This seems fairly safe to use.

Caution: all these restrictions have at least some possibility
to reject wanted mail. Keep an eye on your logs to make sure
you don't reject stuff you want, and test out restrictions for a
while with "warn_if_reject ..." to log but not reject matching
entries.
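An added triage script, not from the thread or from Postfix, that walks constructed smtpd log lines in the format quoted above and maps what it finds to the controls named by Seth, Noel and Benny: it tallies "User unknown" rejects per client and per smtpd session (using the pid as a session proxy), records that Postfix logged the client as `unknown[...]` (no reverse DNS) and that the HELO was not an FQDN. The 203.0.113.7 sender, the thresholds and the FQDN heuristic are assumptions; the point of the second client is that one stale recipient from a properly named host is not flagged.

```python
import re
from collections import Counter

# Constructed sample modelled on the excerpt in the thread (elided addresses
# kept as posted); 203.0.113.7 is a made-up legitimate sender with one stale
# recipient, included to show what must NOT be flagged.
SAMPLE_LOG = """\
Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: reject: RCPT from unknown[93.85.224.123]: 550 5.1.1 <atil...@abc.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<atoll...@roulottes-moulin-de-cheni.com> to=<atil...@abc.com> proto=SMTP helo=<WIVANTR>
Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: filter: RCPT from unknown[93.85.224.123]: <unknown[93.85.224.123]>: Client host triggers FILTER dspam:dspam; from=<atoll...@roulottes-moulin-de-cheni.com> to=<b...@abc.com> proto=SMTP helo=<WIVANTR>
Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: reject: RCPT from unknown[93.85.224.123]: 550 5.1.1 <b...@abc.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<atoll...@roulottes-moulin-de-cheni.com> to=<b...@abc.com> proto=SMTP helo=<WIVANTR>
Jul 29 15:00:15 mail postfix/smtpd[2451]: NOQUEUE: reject: RCPT from unknown[93.85.224.123]: 550 5.1.1 <conning...@abc.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<finise...@rfstech.com> to=<conning...@abc.com> proto=SMTP helo=<JYMQMAWNRE>
Jul 29 15:00:15 mail postfix/smtpd[2448]: NOQUEUE: reject: RCPT from unknown[93.85.224.123]: 550 5.1.1 <cl...@abc.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<pepyspzw...@raflatac.com> to=<cl...@abc.com> proto=SMTP helo=<WIVANTR>
Jul 29 15:02:01 mail postfix/smtpd[2460]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.7]: 550 5.1.1 <oldname@abc.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<bob@example.net> to=<oldname@abc.com> proto=ESMTP helo=<mail.example.net>
"""

RCPT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: (?P<action>reject|filter): "
    r"RCPT from (?P<rdns>[^\[\s]+)\[(?P<ip>[^\]]+)\]: .*helo=<(?P<helo>[^>]*)>"
)
USER_UNKNOWN = "Recipient address rejected: User unknown"

def helo_is_fqdn(helo):
    """Approximates reject_non_fqdn_helo_hostname: a dotted hostname or an
    address literal passes; a bare label such as WIVANTR does not."""
    return helo.startswith("[") or "." in helo

def triage(log_text):
    """Per client IP: unknown-recipient rejects per smtpd session (pid as a
    session proxy), whether Postfix logged the client as 'unknown' (no
    reverse DNS), and the set of non-FQDN HELO names it presented."""
    stats = {}
    for line in log_text.splitlines():
        m = RCPT_RE.search(line)
        if not m:
            continue
        s = stats.setdefault(m["ip"], {"session_errors": Counter(),
                                       "no_rdns": False, "bad_helo": set()})
        if m["action"] == "reject" and USER_UNKNOWN in line:
            s["session_errors"][m["pid"]] += 1
        if m["rdns"] == "unknown":
            s["no_rdns"] = True
        if not helo_is_fqdn(m["helo"]):
            s["bad_helo"].add(m["helo"])
    return stats

def recommend(stats, hard_error_limit=2, ban_threshold=3):
    """Map each client's findings to the controls named in the thread; the
    thresholds are assumed values (within Noel's suggested 1..5 range)."""
    out = {}
    for ip, s in stats.items():
        hits = []
        if s["no_rdns"]:
            hits.append("reject_unknown_reverse_client_hostname")
        if s["bad_helo"]:
            hits.append("reject_non_fqdn_helo_hostname")
        if s["session_errors"] and max(s["session_errors"].values()) >= hard_error_limit:
            hits.append("smtpd_hard_error_limit=%d" % hard_error_limit)
        if sum(s["session_errors"].values()) >= ban_threshold:
            hits.append("fail2ban")  # enough rejects to justify a firewall ban
        out[ip] = hits
    return out
```

Run `recommend(triage(SAMPLE_LOG))` against real lines only after a `warn_if_reject` trial, since every restriction it names can reject wanted mail.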