Windows VPS - Security and Tuning: discussion for Windows Virtual Private Servers based on Virtuozzo by SWsoft and Microsoft Virtual Server 2005 R2 Enterprise Edition, and Windows VPS hosting in general

#1 02-15-2008, 03:49 PM
soshimo (Junior Member, Join Date: Jan 2008, Posts: 7)
Help Preventing SMTP Hack

I have been fighting for several days now to keep an SMTP server running on my VPS. Let me be precise, it's not the running of the SMTP that's the problem, it's the fact that after about 30 minutes of the SMTP service running inetinfo is using about 150MB memory. After about 8 hours of running I start running out of virtual memory (I increased it to 4GB). Some investigation reveals the same IP connection constantly. I block said IP, then I see another connection come in with the same two octets. Hmm, reverse DNS lookup reveals no PTR record anywhere for that IP. Okay, so I block the whole subdomain. Things are okay for a while, then the server starts becoming unresponsive again, so I RDP again and notice inetinfo is growing like crazy again. So I iisreset, and as soon as SMTP is started again I check and sure enough another IP is connected. I mask that subdomain again and everything is fine. This cycle has repeated every day for a week now. My exception list is growing like crazy.

The fact is it's in effect causing a Denial of Service since the SMTP server is taking up so much bandwidth; I feel it's an actual attack. I was able to get reverse DNS info on one of them and the address had a .tw extension and it seemed to indicate a DSL provider of some kind - further suspicion that this is an attack. I really don't want to play whitehat all day so my customers can reach the server. Does anyone have any idea how to prevent this, yet still allow MX records to be delivered reliably? I don't think I can run on another port than 25, as automatic delivery of MX records doesn't look at port - only IP - and assumes port 25. I do have an identity running on another port though for customers who don't have 25 outbound available (some ISPs block 25 inbound/outbound other than for their servers). Any help would be appreciated - I've read every guide and best practices white paper I could find and nothing seems to work.

I've turned off anon access - then my MX records don't get delivered; the same is true when I remove the identity that uses port 25. It's a true conundrum - I can either send mail but not receive it, or I can receive mail but not send it without exposing myself to an all-out DDoS attack.

#2 02-25-2008, 10:32 PM
DavidP (Imposter, Join Date: Jan 2006, Posts: 318)
Re: Help Preventing SMTP Hack

There is no good way to stop a DDoS I'm afraid. Did you get any assistance on this?

#3 02-27-2008, 08:31 PM
soshimo (Junior Member, Join Date: Jan 2008, Posts: 7)
Re: Help Preventing SMTP Hack

No, I didn't receive any assistance, and in fact received an email from the abuse department stating that my server was sending out abusive emails. I had placed a ticket prior to this happening, so the response from the abuse department seemed a bit draconian. They basically said if I didn't respond to the issue in 24 hours my account would be terminated. I went ahead and opted for a refund at that point. It's a great company, but I need more of a turnkey solution and don't have time to play admin all day long. I especially don't want to have an interruption in service when I go live with customers - that would be catastrophic. There may also be times when I can't monitor my email daily, so I usually won't be able to respond within 24 hours. Having my account suspended/terminated due to non-response is a show stopper for me, unfortunately. Thanks for the heads up though!

#4 02-27-2008, 08:46 PM
nadzri (Senior Member, Join Date: Feb 2005, Location: Kuala Lumpur, Posts: 258)
Re: Help Preventing SMTP Hack

If your server was sending abusive emails then it's likely the SMTP server was an open relay. Other causes could be you had a spammer as a customer, or someone was using a web based form to send out emails.

If it was an attack on your IP, perhaps a change of IP could have solved it even if it may be only temporary. Also, you could block entire subnets e.g. 205.173.*.*, not subdomains.

What I've done is block port 25 and have all my incoming emails go through an email gateway, something like the MailFoundry device here, and have all outgoing emails go through another port. Of course that's an additional expense, and if you have many clients it may not be a viable solution for you.
Last edited by nadzri; 02-27-2008 at 09:02 PM. Reason: added stuff :)
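A detection check that follows from nadzri's point about blocking whole subnets rather than "subdomains", added here as an example and not code from the thread: it parses IIS SMTP service W3C log lines (a constructed sample; the field names c-ip and cs-method are assumed), counts session starts (HELO/EHLO) per /16, and lists prefixes at or above a threshold as block candidates, with an allow list so the networks your own customers send from are never emitted.

```python
import ipaddress
from collections import Counter
# Constructed sample in IIS SMTP service W3C format (field set trimmed; not a real log).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2008-02-15 14:01:03 203.0.113.17 EHLO +mail.example.invalid 250
2008-02-15 14:01:04 203.0.113.17 RCPT +TO:<x@example.com> 250
2008-02-15 14:02:10 203.0.113.88 EHLO +mail.example.invalid 250
2008-02-15 14:02:11 203.0.113.88 RCPT +TO:<y@example.com> 250
2008-02-15 14:03:00 203.0.114.5 HELO +foo 250
2008-02-15 14:03:01 203.0.114.5 RCPT +TO:<z@example.com> 550
2008-02-15 14:05:00 198.51.100.9 EHLO +ok.example.net 250
"""

def parse_w3c(text):
    """Yield one dict per record, naming columns from the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):  # truncated or malformed line: skip, don't crash
            continue
        yield dict(zip(fields, parts))

def sessions_by_prefix(records, prefix_len=16):
    """Count session starts (HELO/EHLO) per client network of the given prefix length."""
    counts = Counter()
    for rec in records:
        if rec.get("cs-method") not in ("HELO", "EHLO"):
            continue
        try:
            net = ipaddress.ip_network(f"{rec['c-ip']}/{prefix_len}", strict=False)
        except ValueError:
            continue  # unparsable c-ip, ignore the record
        counts[str(net)] += 1
    return counts

def candidate_blocks(counts, threshold, allow=()):
    """Prefixes at or above the threshold, minus any explicitly allowed ones."""
    return sorted(n for n, c in counts.items() if c >= threshold and n not in allow)

if __name__ == "__main__":
    counts = sessions_by_prefix(parse_w3c(SAMPLE_LOG))
    print(counts.most_common(), candidate_blocks(counts, threshold=2))
```

A /16 is a blunt instrument: review each candidate against the networks legitimate mail arrives from before blocking it, and use a narrower prefix_len where the hits cluster.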