On 6/14/12 11:33 PM, Gustavo Lacoste wrote:
> Dear CentOS Community
>
> It is totally clear there's no support for the sendmail platform today, but I need to
> stop an SMTP brute-force attack on sendmail. My server is attacked today, my
> maillog looks like:
>
> 4624 at myserver.com>, proto=ESMTP, daemon=MTA, relay=myserver.com
> [127.0.0.1]
> Jun 14 19:07:01 at6412 sendmail[24627]: q5EN71jC024627: from=<>,
> size=3958,
> class=0, nrcpts=1, msgid=<201206142307.q5EN710u024623 at
> myserver.com>,
> proto=ESMTP, daemon=MTA, relay=myserver.com [127.0.0.1]
> Jun 14 19:07:23 at6412 sendmail[24868]: q5EN7M6D024868: from=<
> qmarket at qmarket.cl>, size=2193, class=0, nrcpts=2, msgid=<
> 20120614231448.1E99A13EE5F at smtp02qmarket.qmarket.cl>, proto=ESMTP,
> daemon=MTA, relay=[200.1.174.121]
> Jun 14 19:07:24 at6412 sendmail[24961]: q5EN7OT4024961: from=<
> nobody at 2012.123icq.cl>, size=4716, class=0, nrcpts=1, msgid=<
> E1SfJ8H-0005kv-JE at 2012.123icq.cl>, proto=ESMTP, daemon=MTA, relay=
> pc1.globalmac.cl [200.29.231.61] (may be forged)
> Jun 14 19:07:33 at6412 sendmail[25013]: q5EN7SqK025013: from=<
> a.pfsvtij at yahoo.com>, size=760, class=0, nrcpts=1, msgid=<
> 1531549-634033-36 at owfzdl.net>, proto=SMTP, daemon=MTA, relay=
> h095159149119.ys.dsl.sakhalin.ru [95.159.149.119]
> Jun 14 19:07:37 at6412 sendmail[25065]: q5EN7bCj025065: from=<
> en.viaimport at gmail.com>, size=4531, class=0, nrcpts=0, proto=ESMTP,
> daemon=MTA, relay=186-105-73-29.baf.movistar.cl [186.105.73.29]
>
>
> I need help to STOP these spammers right now.
>
> Thanks in advance to anyone who can guide me
>
>
> With Kind Regards,
>
> Gustavo A. Lacoste Z.
> Curacautín - Chile
> Skype: knxroot
> Msn & Gtalk: knx.root [at] gmail.com
> Home page: http://www.lacosox.org

Hi,

There are a few solutions available to do this.

1.) Install & configure fail2ban
2.) Using IP Tables: I don't know if it is applicable to you

# Fix in Place to Kick a User For 1 Minute After Three Errors in The SMTP Session
# And Limit The Number of Connections Someone Could Make With a Simple IP Tables Rule
-A INPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
-A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set

I trust this helps. There is another solution, but you do not use Postfix.

# How many simultaneous connections any client is allowed to make to this service.
smtpd_client_connection_count_limit = 3
# The maximal number of connection attempts any client is allowed to make to
# this service per time unit.
smtpd_client_connection_rate_limit = 10
# The maximal number of message delivery requests that any client is allowed to
# make to this service per time unit, regardless of whether or not Postfix
# actually accepts those messages.
smtpd_client_message_rate_limit = 20
# The maximal number of recipient addresses that any client is allowed to send
# to this service per time unit, regardless of whether or not Postfix actually
# accepts those recipients.
smtpd_client_recipient_rate_limit = 500
# Clients that are excluded from connection count, connection rate, or SMTP
# request rate restrictions.
smtpd_client_event_limit_exceptions = $mynetworks

Thanks
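
Added example (not part of the original thread and not code from either poster): a Python script that replays sendmail maillog lines through a simplified model of the two iptables `recent` rules above, so you can see which relay IPs would have had connections dropped before deploying the rules. It assumes each `from=` log line stands for one new connection to port 25 and ignores the recent module's per-IP list size limit; the function name, sample log, hosts and IPs are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW = 60   # mirrors --seconds 60
HITCOUNT = 3  # mirrors --hitcount 3
# Syslog timestamp and bracketed relay IP of a sendmail "from=" line.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
                  r"\w+: from=.*relay=[^\[]*\[([\d.]+)\]")

# Constructed sample log (documentation-range IPs, invented hosts and queue IDs).
SAMPLE = """\
Jun 14 19:07:01 mx sendmail[101]: q5EN0001: from=<a@example.com>, size=760, proto=SMTP, daemon=MTA, relay=[203.0.113.9]
Jun 14 19:07:02 mx sendmail[102]: q5EN0002: from=<b@example.net>, size=4716, proto=ESMTP, daemon=MTA, relay=pc1.example.net [198.51.100.7] (may be forged)
Jun 14 19:07:05 mx sendmail[103]: q5EN0003: from=<a@example.com>, size=760, proto=SMTP, daemon=MTA, relay=[203.0.113.9]
Jun 14 19:07:09 mx sendmail[104]: q5EN0004: from=<a@example.com>, size=760, proto=SMTP, daemon=MTA, relay=[203.0.113.9]
Jun 14 19:07:13 mx sendmail[105]: q5EN0005: from=<a@example.com>, size=760, proto=SMTP, daemon=MTA, relay=[203.0.113.9]
Jun 14 19:07:20 mx sendmail[106]: q5EN0006: from=<a@example.com>, size=760, proto=SMTP, daemon=MTA, relay=[203.0.113.9]
Jun 14 19:08:30 mx sendmail[107]: q5EN0007: from=<b@example.net>, size=4716, proto=ESMTP, daemon=MTA, relay=pc1.example.net [198.51.100.7] (may be forged)
Jun 14 19:09:00 mx sendmail[108]: q5EN0008: from=<a@example.com>, size=760, proto=SMTP, daemon=MTA, relay=[203.0.113.9]
"""

def would_drop(lines, year=2012):
    """Return {ip: number of connections the two rules would have dropped}."""
    stamps = defaultdict(deque)  # per-IP timestamps, like the recent list
    dropped = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a "from=" line carrying a relay IP
        # Syslog omits the year; it is supplied so strptime gets a full date.
        now = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        seen = stamps[m.group(2)]
        while seen and (now - seen[0]).total_seconds() > WINDOW:
            seen.popleft()  # entries older than the window no longer count
        if len(seen) >= HITCOUNT:
            dropped[m.group(2)] += 1  # rule 1 (--update ... -j DROP) matches
        seen.append(now)  # --update on a match, --set otherwise: both record it
    return dict(dropped)

if __name__ == "__main__":
    for ip, n in sorted(would_drop(SAMPLE.splitlines()).items()):
        print(f"{ip}: {n} connection(s) would be dropped")
```

Because the `--update` rule is evaluated before `--set`, the first three connections inside a 60-second window pass and the fourth is the first one dropped; a dropped attempt still refreshes the entry, so a client that keeps hammering stays blocked.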