Massive Attack from Brazil

estradis
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Massive Attack from Brazil

Post by estradis » 2019-06-24 10:30

For a few days now we have observed an increase in unsuccessful login attempts against certain user mailboxes, as well as DDoS attacks and increased flooding with spam. So far, all connections have originated in Brazil. Meanwhile the rate is about 20 logon attempts and about 300 spam delivery attempts per minute. :evil:

Since we block every external IP address after the first unsuccessful login, this rate of increase must be assumed to be a targeted attack.

The good news is that our security concept works and HMS has so far withstood all attacks. We are still relatively relaxed about the incident. 8)

For the forensic analysis, however, I'm interested in whether anyone else is affected besides us.

mattg
Moderator
Posts: 20300
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Massive Attack from Brazil

Post by mattg » 2019-06-24 11:22

Not affecting me (yet)

Is this only port 25, or are they trying other ports too?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

estradis
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: Massive Attack from Brazil

Post by estradis » 2019-06-24 11:51

We are still analyzing the ongoing attack. As soon as we have valuable results, I'll let you know. At the moment it looks like only port 25 is affected.

palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Re: Massive Attack from Brazil

Post by palinka » 2019-06-24 12:17

Any of those IPs on this list?

http://hmsfirewallbandemo.ddns.net/sear ... rch=Brazil

Buh-bye spammers... :mrgreen:

estradis
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: Massive Attack from Brazil

Post by estradis » 2019-06-24 13:43

From midnight until now there have been almost 700 incidents for certain users and they don't only affect port 25. We now classify this as a "real" attack on our users.

We have enough data collected and are ending this by banning all addresses from Brazil until further notice.

palinka wrote:
2019-06-24 12:17
Any of those IPs on this list?

http://hmsfirewallbandemo.ddns.net/sear ... rch=Brazil

Buh-bye spammers... :mrgreen:
Don't know, might be.

And by the way, I'm not talking about spammers! :roll:

palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Re: Massive Attack from Brazil

Post by palinka » 2019-06-24 13:48

estradis wrote:
2019-06-24 13:43
And by the way, I'm not talking about spammers! :roll:
When the gate is closed it's closed. Chickens on one side, foxes on the other. :mrgreen:

palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Re: Massive Attack from Brazil

Post by palinka » 2019-06-24 13:51

estradis wrote:
2019-06-24 13:43

We have enough data collected and are ending this by banning all addresses from Brazil until further notice.
By the way, out of curiosity, by what method do you block addresses by country?

estradis
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: Massive Attack from Brazil

Post by estradis » 2019-06-24 14:34

palinka wrote:
2019-06-24 13:51
estradis wrote:
2019-06-24 13:43

We have enough data collected and are ending this by banning all addresses from Brazil until further notice.
By the way, out of curiosity, by what method do you block addresses by country?
GeoIP, directly on the firewall cluster. (It's a paid service.)

palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Re: Massive Attack from Brazil

Post by palinka » 2019-06-24 14:54

Ok thanks.

estradis
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: Massive Attack from Brazil

Post by estradis » 2019-06-28 14:55

After a more detailed examination of all our log files, we discovered that there was a secondary attack on our company that came from the network 185.222.211.0/24, which is also located in Brazil. The secondary attack was not limited to hms. All protocols (smtp, imap, https) were tested, as well as exploits, but fortunately they didn't break through. (Our security concept rocks! :mrgreen: :mrgreen: :mrgreen: )

For legal reasons, we cannot publicly recommend banning the 185.222.211.0/24 network, but I guess each postmaster or admin should be able to make their own decision.

mattg
Moderator
Posts: 20300
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Massive Attack from Brazil

Post by mattg » 2019-06-28 16:09

This website says that that set of IP addresses is from the Seychelles, not from Brazil
https://gwhois.org/185.222.211.0+dns

A long, long way from Brazil
(Seychelles is an island group in the Indian Ocean; the closest continent is Africa)

palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Re: Massive Attack from Brazil

Post by palinka » 2019-06-28 23:36

mattg wrote:
2019-06-28 16:09
This website says that that set of IP addresses is from the Seychelles, not from Brazil
https://gwhois.org/185.222.211.0+dns

A long, long way from Brazil
(Seychelles is an island group in the Indian Ocean; the closest continent is Africa)
I've noticed that different geoip services use different datasets, and when there is a discrepancy they all have one of 2 different results. This suggests there are 2 main databases they all draw from.

I just looked at results from ip-api.com, which also said Seychelles, and ipapi.com, which said England; however, the geo coordinates matched for both results. Are the Seychelles a British territory still? Neither said Brazil.

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: Massive Attack from Brazil

Post by SorenR » 2019-06-29 00:27

palinka wrote:
2019-06-28 23:36
mattg wrote:
2019-06-28 16:09
This website says that that set of IP addresses is from the Seychelles, not from Brazil
https://gwhois.org/185.222.211.0+dns

A long, long way from Brazil
(Seychelles is an island group in the Indian Ocean; the closest continent is Africa)
I've noticed that different geoip services use different datasets, and when there is a discrepancy they all have one of 2 different results. This suggests there are 2 main databases they all draw from.

I just looked at results from ip-api.com, which also said Seychelles, and ipapi.com, which said England; however, the geo coordinates matched for both results. Are the Seychelles a British territory still? Neither said Brazil.
I noticed that I sometimes get two results when querying zz.countries.nerd.dk. I presume it's to do with physical datacenter and owner company being in two different countries.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Re: Massive Attack from Brazil

Post by palinka » 2019-06-29 00:33

SorenR wrote:
2019-06-29 00:27
palinka wrote:
2019-06-28 23:36
mattg wrote:
2019-06-28 16:09
This website says that that set of IP addresses is from the Seychelles, not from Brazil
https://gwhois.org/185.222.211.0+dns

A long, long way from Brazil
(Seychelles is an island group in the Indian Ocean; the closest continent is Africa)
I've noticed that different geoip services use different datasets, and when there is a discrepancy they all have one of 2 different results. This suggests there are 2 main databases they all draw from.

I just looked at results from ip-api.com, which also said Seychelles, and ipapi.com, which said England; however, the geo coordinates matched for both results. Are the Seychelles a British territory still? Neither said Brazil.
I noticed that I sometimes get two results when querying zz.countries.nerd.dk. I presume it's to do with physical datacenter and owner company being in two different countries.
If I'm correct about there being 2 "master" databases, maybe zz.countries.nerd.dk uses both and just ignores conflicts?

mattg
Moderator
Posts: 20300
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Massive Attack from Brazil

Post by mattg » 2019-06-29 04:21

palinka wrote:
2019-06-28 23:36
Are the Seychelles a British territory still? Neither said Brazil.
Yes

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: Massive Attack from Brazil

Post by jimimaseye » 2019-06-29 08:49

mattg wrote:
2019-06-29 04:21
palinka wrote:
2019-06-28 23:36
Are the Seychelles a British territory still? Neither said Brazil.
Yes
No. We have been giving places up left right and centre. :roll:
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

johang
Normal user
Posts: 81
Joined: 2008-09-01 09:20

Re: Massive Attack from Brazil

Post by johang » 2019-06-30 11:48

palinka wrote:
2019-06-29 00:33
SorenR wrote:
2019-06-29 00:27
palinka wrote:
2019-06-28 23:36


I've noticed that different geoip services use different datasets, and when there is a discrepancy they all have one of 2 different results. This suggests there are 2 main databases they all draw from.

I just looked at results from ip-api.com, which also said Seychelles, and ipapi.com, which said England; however, the geo coordinates matched for both results. Are the Seychelles a British territory still? Neither said Brazil.
I noticed that I sometimes get two results when querying zz.countries.nerd.dk. I presume it's to do with physical datacenter and owner company being in two different countries.
If I'm correct about there being 2 "master" databases, maybe zz.countries.nerd.dk uses both and just ignores conflicts?
There is no master for geolocation data; "everyone" (commercial or non-commercial geolocation provider) makes their own database.

Data might (usually) come from the IP/inetnum allocations done by the RIRs, that is RIPE, ARIN, APNIC, LACNIC, AFRINIC. The "geoloc" attribute is however not mandatory in their databases, and if you are a geoloc provider you build your database upon the RIR-provided data and probably add the possibility for people or organisations to report "errors" (according to their knowledge or belief) of where the IPs actually reside (many of these geoloc providers say they have agreements with ISPs so they get the right information), so depending on who updated what and when, you get different results.

And then on top of that you have "people" trying to get a set of the geoloc providers (typically: MaxMind, Google, IP2Location, IPligence, db-ip, eurekapi, ipinfodb, and others) and matching them against each other to get a more "true" database.

And of course you have the interesting possibility of a geoloc provider "answering" you with different answers when you query (could be their internal data structure not being in sync, or their "upstream" provider not having their data in sync).

But now with this answer we are WAY off from the original poster's question.
But if I was interested I would check out: geoipify.whoisxmlapi.com, geo.ipify.org, IPInfo.io, DB-IP.com, IP2Location.com, IPData.co, IPGeolocation.io, Ipapi.com, IPStack.com, ClearIP.io, IPWhois.io; some of them provide a web API, some of them an API.
______________________________________________________________end of the line

palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Re: Massive Attack from Brazil

Post by palinka » 2019-06-30 12:38

Thanks for the explanation. Very informative.

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: Massive Attack from Brazil

Post by SorenR » 2019-06-30 16:31

geoipify.whoisxmlapi.com - 1.000 requests monthly free.
geo.ipify.org - 1.000 requests monthly free.
IPInfo.io - Free plan for 1,000 requests a day to our API and it's for non-commercial use.
DB-IP.com - No free plan.
IP2Location.com - No free plan.
IPData.co - 1.500 requests daily free.
IPGeolocation.io - Developer plan. 1K Requests Per Day Free.
Ipapi.com - Free 10.000 Lookups per Month.
IPStack.com - Free 10.000 Lookups per Month.
ClearIP.io - *Free account provides up to 50k lookups per month.
IPWhois.io - Our API is free for up to 10,000 requests per month (IP and REFERER identification).

palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Re: Massive Attack from Brazil

Post by palinka » 2019-06-30 16:47

ip-api.com - unlimited lookups free but rate limited to 150/minute. Bonus: no account / API key necessary. :D

I hit the rate limit once from a single ip. Since then, I:
1) disconnect with RvdH's disconnect.exe
2) autoban for 1 hour

I think that will prevent rate limiting under the same circumstances (single ip connecting again and again within a single minute). Bonus #2: it prevents redundant ip entries in my firewall ban database and therefore also prevents redundant ips in the firewall rules. :D

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: Massive Attack from Brazil

Post by SorenR » 2019-06-30 17:33

palinka wrote:
2019-06-30 16:47
ip-api.com - unlimited lookups free but rate limited to 150/ minute. Bonus: no account / api key necessary. :D

I hit the rate limit once from a single ip. Since then, I:
1) disconnect with RvdH's disconnect.exe
2) autoban for 1 hour

I think that will prevent rate limiting under the same circumstances (single ip connecting again and again within a single minute). Bonus #2: it prevents redundant ip entries in my firewall ban database and therefore also prevents redundant ips in the firewall rules. :D
I believe api.clearip.io focus on a different audience :mrgreen:

ip-api.com:

{
	"as":"AS63949 Linode, LLC",
	"city":"London",
	"country":"United Kingdom",
	"countryCode":"GB",
	"isp":"Linode, LLC",
	"lat":51.5074,
	"lon":-0.127758,
	"org":"Linode, LLC",
	"query":"109.74.192.170",
	"region":"ENG",
	"regionName":"England",
	"status":"success",
	"timezone":"Europe/London",
	"zip":"W1B"
}
api.clearip.io:

{
	"ip_address":"109.74.192.170",
	"country":"United Kingdom",
	"continent":"Europe",
	"country_flag":"????", <== It's really an icon
	"CountryCode":"GB",
	"City":"St Andrews",
	"Region":"Scotland",
	"lat":56.33871,
	"lng":-2.79902,
	"tz":"",
	"isp":"Linode, LLC",
	"is_anonymous_proxy":false,
	"is_satellite_provider":false,
	"currency":["GBP"],
	"country_details":{
		"name":{
			"common":"United Kingdom",
			"official":"United Kingdom of Great Britain and Northern Ireland",
			"Native":{
				"eng":{
					"common":"United Kingdom",
					"official":"United Kingdom of Great Britain and Northern Ireland"
				}
			}
		},
		"EuMember":true,
		"LandLocked":false,
		"Nationality":"",
		"tld":[".uk"],
		"Languages":{
			"eng":"English"
		},
		"Translations":{
			"FRA":{
				"common":"Royaume-Uni",
				"official":"Royaume-Uni de Grande-Bretagne et d'Irlande du Nord"
			},
			"HRV":{
				"common":"Ujedinjeno Kraljevstvo",
				"official":"Ujedinjeno Kraljevstvo Velike Britanije i Sjeverne Irske"
			},
			"ITA":{
				"common":"Regno Unito",
				"official":"Regno Unito di Gran Bretagna e Irlanda del Nord"
			},
			"NLD":{
				"common":"Verenigd Koninkrijk",
				"official":"Verenigd Koninkrijk van Groot-Brittannië en Noord-Ierland"
			},
			"POR":{
				"common":"Reino Unido",
				"official":"Reino Unido da Grã-Bretanha e Irlanda do Norte"
			},
			"RUS":{
				"common":"Великобритания",
				"official":"Соединённое Королевство Великобритании и Северной Ирландии"
			},
			"SPA":{
				"common":"Reino Unido",
				"official":"Reino Unido de Gran Bretaña e Irlanda del Norte"
			}
		},
		"currency":["GBP"],
		"Borders":["IRL"],
		"cca2":"GB",
		"cca3":"GBR",
		"CIOC":"GBR",
		"CCN3":"826",
		"callingCode":["44"],
		"InternationalPrefix":"00",
		"region":"Europe",
		"subregion":"Northern Europe",
		"Continent":"Europe",
		"capital":"London",
		"Area":242900,
		"longitude":"2 00 W",
		"latitude":"54 00 N",
		"MinLongitude":-13.65,
		"MinLatitude":49.86667,
		"MaxLongitude":2.866667,
		"MaxLatitude":61.5,
		"Latitude":54.560886,
		"Longitude":-2.2125118
	}
}

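The two replies above place the same address in London and in St Andrews. As an added example (not code from the thread or from hMailServer), this cross-checks several provider replies before a country is trusted for a block decision; the embedded samples are trimmed copies of the ip-api.com and api.clearip.io JSON quoted above, and FIELD_MAP is an assumed mapping of their field names.

```python
"""Cross-check one address against several GeoIP providers and flag
disagreement. Added example, not code from the hMailServer thread; the two
embedded samples are trimmed copies of the ip-api.com and api.clearip.io
replies quoted above, so this runs offline."""
import json
import math
from dataclasses import dataclass

# Each provider names its fields differently; map them to one shape.
FIELD_MAP = {
    "ip-api.com": {"ip": "query", "cc": "countryCode", "lat": "lat", "lon": "lon"},
    "api.clearip.io": {"ip": "ip_address", "cc": "CountryCode", "lat": "lat", "lon": "lng"},
}
# Top-level fields only, taken from the two responses quoted in the thread.
SAMPLES = {
    "ip-api.com": json.loads('{"status":"success","query":"109.74.192.170",'
                             '"countryCode":"GB","city":"London","lat":51.5074,"lon":-0.127758}'),
    "api.clearip.io": json.loads('{"ip_address":"109.74.192.170","CountryCode":"GB",'
                                 '"City":"St Andrews","Region":"Scotland","lat":56.33871,"lng":-2.79902}'),
}

@dataclass(frozen=True)
class GeoAnswer:
    provider: str
    ip: str
    country_code: str
    lat: float
    lon: float

def normalize(provider: str, raw: dict) -> GeoAnswer:
    """Pull ip, ISO country code and coordinates out of one provider reply."""
    m = FIELD_MAP[provider]
    return GeoAnswer(provider, raw[m["ip"]], str(raw[m["cc"]]).upper(),
                     float(raw[m["lat"]]), float(raw[m["lon"]]))

def distance_km(a: GeoAnswer, b: GeoAnswer) -> float:
    """Great-circle (haversine) distance between two answers' coordinates."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a.lat, a.lon, b.lat, b.lon))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def consensus(answers: list, max_spread_km: float = 200.0) -> dict:
    """Accept a country only when every provider agrees, so a country-wide
    block is never based on one provider's guess; coordinates further apart
    than max_spread_km are reported as a warning even when the codes match."""
    codes = sorted({a.country_code for a in answers})
    result = {"country": codes[0] if len(codes) == 1 else None,
              "codes": codes, "warnings": []}
    for i, a in enumerate(answers):
        for b in answers[i + 1:]:
            d = distance_km(a, b)
            if d > max_spread_km:
                result["warnings"].append(f"{a.provider} vs {b.provider}: {d:.0f} km apart")
    if len(codes) > 1:
        result["warnings"].append("country mismatch: " + ", ".join(codes))
    return result

def check_samples() -> dict:
    """Run the cross-check over the two embedded sample replies."""
    return consensus([normalize(p, raw) for p, raw in SAMPLES.items()])
```

For the two samples the country codes agree (GB) but the coordinates are over 500 km apart, which is exactly the kind of discrepancy a country-level block should be checked against before it is applied.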
palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Re: Massive Attack from Brazil

Post by palinka » 2019-07-02 23:24

palinka wrote:
2019-06-30 16:47

1) disconnect with RvdH's disconnect.exe
2) autoban for 1 hour

I think that will prevent rate limiting under the same circumstances (single ip connecting again and again within a single minute).
This is not perfect. Since putting it in place I went several days without a single duplicate hit. Then today I had two IPs make duplicate hits. In both cases the duplicate connections arrived at the same time, down to the same millisecond according to the hmailserver log. One of those simultaneous connections got killed immediately and the other died several seconds later. However, all subsequent connections from those IPs were blocked by autoban, so at least the damage was limited.

Die, spammer, die!

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: Massive Attack from Brazil

Post by SorenR » 2019-07-02 23:43

palinka wrote:
2019-07-02 23:24
palinka wrote:
2019-06-30 16:47

1) disconnect with RvdH's disconnect.exe
2) autoban for 1 hour

I think that will prevent rate limiting under the same circumstances (single ip connecting again and again within a single minute).
This is not perfect. Since putting it place i went several days without a single duplicate hit. Then today i had two IPs make duplicate hits. In both cases the duplicate connections arrived at the same time down to the same millisecond according to hmailserver log. One of those simultaneous connections got killed immediately and the other died several seconds later. However, all subsequent connections from those IPs were blocked by autoban so at least the damage was limited.

Die, spammer, die!
That's why I built session locking into AutoBan to avoid errors and stuff. :wink:

==> With LockFile(TEMPDIR & "\autoban.lck") <==

Well, that's not the whole truth - LockFile was conceived when I made my custom logger to prevent one session merging log lines with another session. :mrgreen:

Code:

Function AutoBan(sIPAddress, sReason, iDuration, sType) : AutoBan = False
   '
   '   sType can be one of the following;
   '   "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
   '
   '   ADMIN, PASSWORD, TEMPDIR and LockFile() are defined elsewhere in the
   '   poster's script library and are not shown here.
   '
   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate(ADMIN, PASSWORD)
   ' Serialise sessions: only one AutoBan call at a time may check and add
   ' a range, so two simultaneous connections from one IP cannot both add one.
   With LockFile(TEMPDIR & "\autoban.lck")
      On Error Resume Next
      ' ItemByName raises runtime error 9 (subscript out of range) when no
      ' range with this name exists yet; that is the "not banned yet" case.
      Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress)
      If Err.Number = 9 Then
         With oApp.Settings.SecurityRanges.Add
            .Name = "(" & sReason & ") " & sIPAddress
            .LowerIP = sIPAddress
            .UpperIP = sIPAddress
            .Priority = 20
            .Expires = True
            .ExpiresTime = DateAdd(sType, iDuration, Now())
            .Save
         End With
         AutoBan = True
      End If
      On Error GoTo 0
      .Close
   End With
   Set oApp = Nothing
End Function

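The point of the LockFile() in AutoBan() above, and of the duplicate-hit problem palinka describes, is that the check for an existing ban and the creation of a new one must happen as one atomic step. As an added example (not the thread's VBScript and not hMailServer code), this models that check-then-add under a lock with an in-memory ban list; BanList is an assumed stand-in for hMailServer's SecurityRanges.

```python
"""Thread-safe autoban bookkeeping with expiry. Added example, not the
thread's VBScript; it mirrors the check-then-add under a lock that the
LockFile() call in AutoBan() above provides, so two connections from the
same IP arriving in the same millisecond yield exactly one ban entry."""
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class BanList:
    """In-memory stand-in (assumption) for hMailServer's SecurityRanges;
    a real script would create the security range where _bans is updated."""

    def __init__(self):
        self._lock = threading.Lock()
        self._bans = {}  # ip -> (reason, expires_at as epoch seconds)

    def autoban(self, ip, reason, duration_s, now=None):
        """Return True only for the call that creates the entry; concurrent
        or later calls for a still-banned IP return False."""
        now = time.time() if now is None else now
        with self._lock:  # check and add are one atomic step
            entry = self._bans.get(ip)
            if entry is not None and entry[1] > now:
                return False
            self._bans[ip] = (reason, now + duration_s)
            return True

    def is_banned(self, ip, now=None):
        now = time.time() if now is None else now
        with self._lock:
            entry = self._bans.get(ip)
            return entry is not None and entry[1] > now

    def purge_expired(self, now=None):
        """Drop expired entries (hMailServer does this itself for ranges
        saved with Expires = True); returns how many were removed."""
        now = time.time() if now is None else now
        with self._lock:
            dead = [ip for ip, (_, exp) in self._bans.items() if exp <= now]
            for ip in dead:
                del self._bans[ip]
            return len(dead)


def simulate_duplicate_hit(ip, attempts=2):
    """Fire `attempts` autoban calls for one IP at the same time, like the
    simultaneous connections described above; returns how many of them
    created an entry (with the lock this is always 1)."""
    bans = BanList()
    with ThreadPoolExecutor(max_workers=attempts) as pool:
        results = list(pool.map(
            lambda _: bans.autoban(ip, "AUTOBAN", 3600), range(attempts)))
    return sum(results)
```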
palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Re: Massive Attack from Brazil

Post by palinka » 2019-07-03 01:03

I use it. :D

estradis
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: Massive Attack from Brazil

Post by estradis » 2019-07-03 09:51

mattg wrote:
2019-06-28 16:09
This website says that that set of IP addresses is from the Seychelles, not from Brazil
https://gwhois.org/185.222.211.0+dns

A long, long way from Brazil
(Seychelles is an island group in the Indian Ocean; the closest continent is Africa)
You're damn right. Probably I had another IP address open and just read "Brazil" and then mistook it. Ironically, the attacks stopped when I blocked Brazil via GeoIP. That's why I didn't notice the mistake.

At the moment there is silence. But when it starts again, I have absolutely no problem blocking the Seychelles as well ...
