Cloudron Forum


Further Locking Down Email

    xarp wrote (#9):

    Has anyone else been getting hit a lot recently with spam connections?
    What I find peculiar is the consistency in type of random connection attempts. What do you think one is trying to achieve by trying random aliases/accounts in this fashion? It's not even remotely close to real world accounts, just random strings of letters and numbers of similar length.

    spam.jpg

    These are coming from IP addresses in all sorts of countries - Hong Kong, Bangladesh, Russia, United States, Netherlands, South Korea, etc. Makes me think it's from some type of botnet.

      girish (Staff) wrote (#10):

      @xarp indeed, looks like a botnet. I guess it's fine because they are getting rejected anyway. Servers in the wild internet have to deal with all sorts of crazy things like this.

        ccfu wrote (#11):

        I've seen this a couple of times this year. If you look in the logs you will see that the same IP attempts to send mails to 100 non-existent addresses on each connection. The sending addresses are almost always from .ru domains but the actual relaying computers (i.e. the computers compromised by the botnet) are mostly also in India, Brazil, Pakistan and Vietnam. There is nothing you can do about this. The mailserver is correctly rejecting the attempted delivery and the annoyance will probably just stop after 7 - 10 days.

          xarp wrote (#12):

          Another thing that's interesting is it's hitting all my domains activated for email. Despite some of them basically never ever being used or given out. It's like a bot has harvested all the domains associated to my Cloudron instance somehow. Could this be something akin to the domain TLS cert info harvesting method (think solved now)? Some method to centrally obtain all in-use domains operating on the server

            JLX89 wrote (#13):

            @xarp I've noticed this quite a bit also.

              robi wrote (#14):

              If you don't do communications with some of those countries, i.e. no reason to email China, there are blocklists of all the IP ranges that you can add to the firewall.

              Conscious tech

                girish (Staff) wrote (#15):

                @xarp note that all newly registered domains and new cert issuances are basically available online. For example, https://crt.sh/ and https://certstream.calidog.io/ . https://dnpedia.com/tlds/daily.php shows newly registered domains... It's easy to get lists from those sites and feed them into some bot code.

                  xarp wrote (#16):

                  @girish said in Further Locking Down Email:

                  @xarp note that all newly registered domains and new cert issuances are basically available online. For example, https://crt.sh/ and https://certstream.calidog.io/ . https://dnpedia.com/tlds/daily.php shows newly registered domains... It's easy to get lists from those sites and feed them into some bot code.

                  That's it, that'll do it. Thanks for the reminder.

                    MisterJD wrote (#17):

                    A general question. Is it ok to maintain the file "/home/yellowtent/platformdata/firewall/blocklist.txt" manually via a terminal as well? Since I unfortunately now maintain a larger list and the UI throws an error when saving. Also, I would like to automate that this is distributed over multiple instances. And this would help with that.

                      girish (Staff) wrote (#18):

                      @MisterJD What error is the UI throwing? How many IPs are you trying to blocklist? Maybe we need to increase the upload size.

                        MisterJD wrote (#19):

                        @girish "Error setting blocklist: setBlocklist exited with code 1 signal null"
                        My blocklist is pretty big at the moment, I need to clean it up. At some point I started blocking whole ranges from countries I don't expect access from anyway.

                          girish (Staff) wrote (#20):

                          @MisterJD yeah, I have seen that some kernels have an upper limit. I haven't found a way to query this limit to show a proper error.
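
Added example, not part of the original thread and not Cloudron's code: a large blocklist like the one discussed in posts #17 to #20 can often be shrunk before saving by merging duplicate, nested and adjacent ranges. It assumes the list holds one IPv4/IPv6 address or CIDR range per line with `#` comments; the function names are hypothetical and the sample entries are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample using documentation ranges only.
SAMPLE = """\
# constructed sample, documentation ranges only
198.51.100.0/25
198.51.100.128/25
198.51.100.7
203.0.113.0/24
203.0.113.64/26
203.0.113.9/24
192.0.2.1
192.0.2.1
2001:db8::/33
2001:db8:8000::/33
not-an-ip
"""

def compact_blocklist(text):
    """Return (networks, rejected): merged networks and unparseable lines."""
    by_version = {4: [], 6: []}
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not entry:
            continue
        try:
            # strict=False accepts entries with host bits set (203.0.113.9/24)
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((lineno, raw.strip()))
            continue
        by_version[net.version].append(net)
    compacted = []
    for version in (4, 6):
        # collapse_addresses() drops duplicates and nested ranges and merges
        # adjacent siblings; it raises TypeError on mixed IP versions.
        compacted.extend(ipaddress.collapse_addresses(by_version[version]))
    return compacted, rejected

def render(networks):
    """One entry per line; single hosts are written without a /32 or /128."""
    return "".join(
        f"{n.network_address if n.num_addresses == 1 else n}\n" for n in networks)

if __name__ == "__main__":
    nets, bad = compact_blocklist(SAMPLE)
    print(render(nets), end="")
    for lineno, line in bad:
        print(f"rejected line {lineno}: {line!r}")
```

Review the rejected lines before saving the compacted list, since a typo in a range would otherwise silently drop that block.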
