Further Locking Down Email

girish

@xarp indeed, looks like a botnet. I guess it's fine because they are getting rejected anyway. Servers in the wild internet have to deal with all sorts of crazy things like this.

ccfu

I've seen this a couple of times this year. If you look in the logs you will see that the same IP attempts to send mails to 100 non-existent addresses on each connection. The sending addresses are almost always from .ru domains but the actual relaying computers (i.e. the computers compromised by the botnet) are mostly also in India, Brazil, Pakistan and Vietnam. There is nothing you can do about this. The mailserver is correctly rejecting the attempted delivery and the annoyance will probably just stop after 7 - 10 days.

xarp

Another thing that's interesting is it's hitting all my domains activated for email. Despite some of them basically never ever being used or given out. It's like a bot has harvested all the domains associated to my Cloudron instance somehow. Could this be something akin to the domain TLS cert info harvesting method (think solved now)? Some method to centrally obtain all in-use domains operating on the server

JLX89

@xarp I've noticed this quite a bit also.

robi

if you don't do communications with some of those countries, ie no reason to email China, there are blocklists you can add to the firewall all the IP ranges.

girish

@xarp note that all newly registered domains and new cert issuances are basically available online. For example, https://crt.sh/ and https://certstream.calidog.io/ . https://dnpedia.com/tlds/daily.php shows newly registered domains... It's easy to get lists from those sites and feed them into some bot code.

xarp

@girish said in Further Locking Down Email:

@xarp note that all newly registered domains and new cert issuances are basically available online. For example, https://crt.sh/ and https://certstream.calidog.io/ . https://dnpedia.com/tlds/daily.php shows newly registered domains... It's easy to get lists from those sites and feed them into some bot code.

That's it, that'll do it. Thanks for the reminder.

MisterJD

A general question. Is it ok to maintain the file "/home/yellowtent/platformdata/firewall/blocklist.txt" manually via a terminal as well? Since I unfortunately now maintain a larger list and the UI throws an error when saving. Also, I would like to automate that this is distributed over multiple instances. And this would help with that.

girish

@MisterJD What error is the UI throwing? How many IPs are you trying to blocklist? Maybe we need to increase the upload size.

MisterJD

@girish "Error setting blocklist: setBlocklist exited with code 1 signal null"
My blocklist is pretty big at the moment, I need to clean it up. At some point I started blocking whole ranges from countries I don't expect access from anyway.

girish

@MisterJD yeah, I have seen that some kernels have an upper limit. I haven't found a way to query this limit to show a proper error.