Further Locking Down Email
-
@Kubernetes said in Further Locking Down Email:
@JLX89 is referring to "(Connection denied. No such address)". This is incoming spam, not attempts to brute-force a mailbox account.
That is correct
-
@JLX89 You would only see successful outbound spam attempts in the event log and that is when you might want to be concerned. If your accounts are secure that should never happen though. Unsuccessful authentication attempts only show up in the mail logs.
In general I would say that Cloudron's mailserver implementation does a very good job at blocking unwanted connections. A mailserver by its nature has to be able to receive unauthenticated connections from other servers, which is why good filters and blocking are important. The thousands of attempts to deliver spam are just something we have to live with.
-
Has anyone else been getting hit a lot recently with spam connections?
What I find peculiar is the consistency in the type of random connection attempts. What do you think one is trying to achieve by trying random aliases/accounts in this fashion? It's not even remotely close to real-world accounts, just random strings of letters and numbers of similar length. These are coming from IP addresses in all sorts of countries - Hong Kong, Bangladesh, Russia, United States, Netherlands, South Korea, etc. Makes me think it's from some type of botnet.
-
I've seen this a couple of times this year. If you look in the logs you will see that the same IP attempts to send mails to 100 non-existent addresses on each connection. The sending addresses are almost always from .ru domains but the actual relaying computers (i.e. the computers compromised by the botnet) are mostly also in India, Brazil, Pakistan and Vietnam. There is nothing you can do about this. The mailserver is correctly rejecting the attempted delivery and the annoyance will probably just stop after 7 - 10 days.
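One defender-side check suggested by the log pattern described above, as an added example (not Cloudron's code): count the distinct non-existent recipients each client IP is rejected for, so a single IP probing many random addresses stands out from an ordinary typo bounce. The log line layout and IPs are constructed for the example; only the rejection text comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines. The line layout is an assumption for this example, not
# Cloudron's actual mail log format; the rejection text is the one quoted in the thread.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z [203.0.113.7] RCPT TO:<q7x2kd9@example.org> FROM:<promo@example.ru> 550 (Connection denied. No such address)
2024-05-01T10:00:01Z [203.0.113.7] RCPT TO:<m3pq8zt@example.org> FROM:<promo@example.ru> 550 (Connection denied. No such address)
2024-05-01T10:00:02Z [203.0.113.7] RCPT TO:<v9k1lw4@example.org> FROM:<promo@example.ru> 550 (Connection denied. No such address)
2024-05-01T10:00:02Z [203.0.113.7] RCPT TO:<a8rd2nx@example.org> FROM:<promo@example.ru> 550 (Connection denied. No such address)
2024-05-01T10:05:10Z [198.51.100.20] RCPT TO:<alice@example.org> FROM:<bob@example.net> 250 OK
2024-05-01T10:07:33Z [198.51.100.21] RCPT TO:<alcie@example.org> FROM:<carol@example.net> 550 (Connection denied. No such address)
"""

# Timestamp, bracketed client IP, recipient, sender, SMTP code and optional reason.
LINE_RE = re.compile(
    r"^\S+ \[(?P<ip>[^\]]+)\] RCPT TO:<(?P<rcpt>[^>]+)> FROM:<(?P<sender>[^>]*)> "
    r"(?P<code>\d{3})(?: \((?P<reason>[^)]*)\))?"
)

def rejected_recipients_by_ip(log_text):
    """Map each client IP to the set of distinct non-existent recipients it tried."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("reason") == "Connection denied. No such address":
            tried[m.group("ip")].add(m.group("rcpt").lower())
    return tried

def flag_address_probing(log_text, threshold=3):
    """Return (ip, distinct_rejected_count) for IPs that probed at least `threshold`
    different non-existent addresses; a single typo bounce stays below it."""
    tried = rejected_recipients_by_ip(log_text)
    flagged = [(ip, len(r)) for ip, r in tried.items() if len(r) >= threshold]
    return sorted(flagged, key=lambda t: -t[1])

if __name__ == "__main__":
    for ip, n in flag_address_probing(SAMPLE_LOG):
        print(f"{ip}: {n} distinct non-existent recipients")
```

Flagged IPs are candidates for the firewall blocklist mentioned later in the thread, after a look at the surrounding log lines.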
-
Another thing that's interesting is that it's hitting all my domains activated for email, despite some of them basically never being used or given out. It's like a bot has harvested all the domains associated with my Cloudron instance somehow. Could this be something akin to the domain TLS cert info harvesting method (I think that's solved now)? Some method to centrally obtain all in-use domains operating on the server?
-
@xarp note that all newly registered domains and new cert issuances are basically available online. For example, https://crt.sh/ and https://certstream.calidog.io/ . https://dnpedia.com/tlds/daily.php shows newly registered domains... It's easy to get lists from those sites and feed them into some bot code.
-
@girish said in Further Locking Down Email:
@xarp note that all newly registered domains and new cert issuances are basically available online. For example, https://crt.sh/ and https://certstream.calidog.io/ . https://dnpedia.com/tlds/daily.php shows newly registered domains... It's easy to get lists from those sites and feed them into some bot code.
That's it, that'll do it. Thanks for the reminder.
-
A general question. Is it OK to maintain the file "/home/yellowtent/platformdata/firewall/blocklist.txt" manually via a terminal as well? I unfortunately now maintain a larger list, and the UI throws an error when saving. Also, I would like to automate distributing this list over multiple instances, and this would help with that.
-