[BlueOnyx:21939] Re: SMTP freezes with AVSPAM

Michael Stauber mstauber at blueonyx.it
Wed Apr 11 15:13:04 -05 2018


Hi Jeff,

> I have a particular 5208R with AV-SPAM 6.3.0-1. We have 
> been experiencing login attacks from China (nothing new
> there) that eventually render our SMTP server inoperative.

Yeah, attacks against SMTP-Auth easily destabilize Sendmail. :-/

> My question/suggestion: Isn’t there, or could there be, 
> an addition to the SMTP swatch routine that tries a
> AV-SPAM init in the process of trying to get the SMTP
> server running again?

There are several AM components that monitor the components of the
AV-SPAM (and Sendmail) and fire them up again if they are failing.
Between AV-SPAM 6.3.0-1 (that you have) and the current 6.3.2-1 that
mechanism also saw a few more improvements and it already works much
better.

So it might help if you upgrade to the latest version.

> Clearing the AV-SPAM database helps for a couple days, at the 
> expense of losing all the learned rules… Not liking that.
> 
> Any suggestions?

There are a couple of other ways. Here is what I do. I have a cronjob
which (about once a week) does this:

whois -h whois.radb.net -i origin -T route $(whois -h whois.radb.net 103.103.232.23 | grep origin: | cut -d ' ' -f 6 | head -1) | grep -w "route:" | awk '{print $NF}' | sort -n > /etc/apf/glob_deny.rules

However: This is run on a 5209R, where "whois" supports the "-T"
parameter. On EL6 it doesn't.

That gives me a dump of most IPs of Chinese origin (around 404 /22 and
/24's), dumps them into the global deny rules of APF and suddenly most
of the abuse from Chinese IPs just peters out.

Another option: In the AV-SPAM in the "GeoIP"-Tab tick the checkbox
"Block Blacklist entirely" and if you're adventurous also tick "Block
Blacklist with APF" and make sure to have "CN" ticked under "Blacklist".

What it does is this: Every SMTP- or SMTP-Auth connection from a
blacklisted country will be denied by Milter-GeoIP at the SMTP level.

So it will not just deny SMTP-Auth from there, but also regular SMTP
such as incoming email from blacklisted countries.

If "Block Blacklist with APF" is ticked, then an SMTP- or SMTP-Auth
attempt from a blacklisted country will also add the originating IP into
APF and will have APF block all other connection attempts (not just SMTP).

Personally I'm drawing a line from Vienna (Austria) to Vilnius (Estonia)
and another between Sapporo (Japan) to Seoul (South Korea) and block
everything between it. That cuts the "noise" down to such a degree that
I'm happy to accept that this awfully wide brush splatters some paint on
innocent bystanders.

-- 
With best regards

Michael Stauber
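The parsing half of the cronjob above, written out as an added example (not Michael's script, and not part of the AV-SPAM or APF packages): the two whois lookups are replaced by a small constructed RADB-style whois dump embedded in the script, so it runs offline; the helper names extract_origin, extract_routes and count_routes are assumptions made for this example. It uses `sort -u` rather than `sort -n`, because route objects can come back more than once and APF only needs each prefix listed once. Chaining the real lookups (`whois -h whois.radb.net <ip> | extract_origin` feeding `whois -h whois.radb.net -i origin -T route <asn>`) still needs a whois that understands `-T`, as noted above for EL6.

```shell
#!/bin/sh
# Added example: turn RADB-style whois output into an APF global deny list.
# The whois text below is CONSTRUCTED sample data (RFC 5737 test prefixes
# and a private-use ASN), not real route objects.
SAMPLE_WHOIS='route:          192.0.2.0/24
descr:          constructed route object
origin:         AS64496
route:          198.51.100.0/24
origin:         AS64496
route:          192.0.2.0/24
origin:         AS64496
route:          203.0.113.0/24
origin:         AS64496
'

# extract_origin: read a whois IP lookup on stdin, print the first origin ASN.
# Uses the last field instead of a fixed column, so column padding does not matter.
extract_origin() {
    awk '/^origin:/ { print $NF; exit }'
}

# extract_routes: read route objects on stdin, print each prefix once,
# one per line, in the shape /etc/apf/glob_deny.rules expects.
extract_routes() {
    grep '^route:' | awk '{ print $NF }' | sort -u
}

# count_routes: number of unique prefixes in the sample (expected: 3).
count_routes() {
    printf '%s' "$SAMPLE_WHOIS" | extract_routes | wc -l | tr -d ' '
}

# first_route: first prefix after de-duplication (expected: 192.0.2.0/24).
first_route() {
    printf '%s' "$SAMPLE_WHOIS" | extract_routes | head -1
}

# To write the list for real, replace the sample with live whois output,
# e.g.:  whois -h whois.radb.net -i origin -T route "$asn" | extract_routes \
#            > /etc/apf/glob_deny.rules
# (assumed path taken from the post above; review the list before loading it).
```

Running the script on its own prints nothing; the functions return values so they can be checked or composed in a cron wrapper.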


