
Question: postfix overload, attack from Chinese IPs - what to do?

D4NY

Regular Pleskian
OS: CentOS 6.8
PLESK: 12.5

Today I received a call from a user who couldn't send mail using a mail client over SMTP. Checking the services via Plesk I saw that postfix was stopped and there was no way to restart it from the panel. Via SSH, running "service postfix restart" restarted the service correctly and the green button came back in Plesk too. But after a few minutes it was stopped again. The same after rebooting the whole server. Looking at the running processes it seems to be overloaded.

tail -f /usr/local/psa/var/log/maillog | grep sasl_username

to see who's trying to authenticate and send mail. Other times a hacked mailbox has sent tons of spam, but this time nothing strange... just normal users sending single mails.

tail -f /usr/local/psa/var/log/maillog

to see what's happening in real time, and I found hundreds of connections from different IPs to a mailbox that was full of thousands of mails in Chinese. I deleted the mailbox and the postfix crash seems to be solved, but in the maillog we still have continuous connections to that mailbox even though it no longer exists.

I set up fail2ban, totally deactivated the domain and blacklisted the qq.com domain, but there is no way to stop the connections, which all come from different IPs.

Please check the attached file, it's the result of the command:

tail -f /usr/local/psa/var/log/maillog | grep MYDELETEDMAILBOX

I can't understand the relationship between postfix and incoming mail. What's happening?
 

Attachments

  • maillog.txt
    172.5 KB · Views: 6
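The poster's two `tail | grep` commands look at the log one line at a time. The following shell script is an added example (not from the thread and not the poster's attachment) that aggregates the same Postfix smtpd log lines to show the pattern being described: many distinct client IPs sending RCPT TO for one recipient, as opposed to one compromised account (visible via `sasl_username`) sending spam out. The log lines are constructed samples in the stock Postfix format using RFC 5737 documentation addresses; the helper names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a Postfix maillog to see whether
# many client IPs are hitting one recipient (the pattern the poster describes).
# The log lines below are constructed samples in the stock Postfix smtpd
# format; they are not the poster's attachment.
SAMPLE_LOG="${TMPDIR:-/tmp}/sample_maillog.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 12:00:01 srv postfix/smtpd[1001]: connect from unknown[203.0.113.10]
Jan 10 12:00:01 srv postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <deleted@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@qq.com> to=<deleted@example.com> proto=ESMTP helo=<mx.example.net>
Jan 10 12:00:02 srv postfix/smtpd[1002]: connect from unknown[203.0.113.11]
Jan 10 12:00:02 srv postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[203.0.113.11]: 550 5.1.1 <deleted@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<b@qq.com> to=<deleted@example.com> proto=ESMTP helo=<mx.example.net>
Jan 10 12:00:03 srv postfix/smtpd[1001]: connect from unknown[203.0.113.10]
Jan 10 12:00:03 srv postfix/smtpd[1003]: connect from mail.example.org[198.51.100.5]
Jan 10 12:00:03 srv postfix/smtpd[1003]: 4A1B2C3D: client=mail.example.org[198.51.100.5], sasl_method=PLAIN, sasl_username=alice@example.com
EOF

# Connections per client IP, busiest first: one "count ip" line each.
connects_per_ip() {
    grep 'postfix/smtpd\[.*\]: connect from' "$1" \
        | sed -n 's/.*connect from [^[]*\[\([0-9.]*\)\].*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Number of distinct client IPs that sent RCPT TO for one recipient address.
# A high number for a single (deleted) mailbox is the distributed flood the
# poster saw, not one hacked account sending spam.
distinct_ips_for_recipient() {
    grep " to=<$2>" "$1" \
        | sed -n 's/.*RCPT from [^[]*\[\([0-9.]*\)\].*/\1/p' \
        | sort -u | wc -l | tr -d ' '
}

# Authenticated senders (the sasl_username check from the thread), per account.
sasl_logins_per_user() {
    sed -n 's/.*sasl_username=\([^ ,]*\).*/\1/p' "$1" | sort | uniq -c | sort -rn
}

echo "== connections per client IP"
connects_per_ip "$SAMPLE_LOG"
echo "== distinct IPs targeting deleted@example.com: $(distinct_ips_for_recipient "$SAMPLE_LOG" deleted@example.com)"
echo "== SASL logins per user"
sasl_logins_per_user "$SAMPLE_LOG"
```

Run it against the real file by replacing `$SAMPLE_LOG` with `/usr/local/psa/var/log/maillog`. Because the mailbox is deleted, each of these connections is rejected at RCPT and costs only an smtpd process, so the per-IP counts are what fail2ban needs; when the source count is large and each IP connects only a few times, per-IP banning alone will not keep up, and Postfix's own per-client limits (`smtpd_client_connection_count_limit`, `smtpd_client_connection_rate_limit`) become the relevant knobs to keep the daemon from being exhausted.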
I'm not sure that there are ways to prevent connections from different IP addresses. You can try to close the entire range of addresses if it is one. But in general, it looks like a typical DoS, which is treated only by the performance of the system if you cannot use the blacklist or somehow cut it off another way.
You can try greylisting, by the way.
 
Very disappointing. Do you think that moving the website of the attacked mailbox can stop the DDoS on that server? How can I activate greylisting?
 
In the past I created scripts that were able to block many countries from South East Asia and optionally other countries.
Because the script had to run on a small SOHO router (DD-WRT) I couldn't just create thousands of rules.
It created a set of about 1500 rules.

I was able to do that by first creating several very big subnets (/5, /6, /7 and /8) and then punching some holes in them for countries like Australia.

With the iptables extension "ipset" this kind of stuff can be created more efficiently and with cleaner code.

Maybe I can find some time to rewrite the code so it's easy to implement on a Plesk server.

You could Google: "dd-wrt asiablock"
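The technique described above (a few very large prefixes with holes punched in them) maps directly onto ipset's `hash:net` sets, where an entry added with `nomatch` is an exception inside a larger blocked prefix. The script below is an added example, not the poster's DD-WRT code: it generates an `ipset restore` file from a block list and an exception list, plus the single iptables rule that consults the set for inbound SMTP. The prefixes are constructed placeholders from the RFC 5737 documentation ranges, not real country allocations, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the poster's script: build an `ipset restore` file that
# blocks a few large prefixes and punches holes in them with `nomatch`, so the
# firewall needs one iptables rule instead of thousands. The prefixes below are
# constructed placeholders (RFC 5737 documentation ranges), not real country
# allocations; substitute your own lists.
BLOCK_LIST="${TMPDIR:-/tmp}/block.$$"
EXCEPT_LIST="${TMPDIR:-/tmp}/except.$$"
printf '%s\n' 203.0.113.0/24 198.51.100.0/24 > "$BLOCK_LIST"
printf '%s\n' 198.51.100.128/25 > "$EXCEPT_LIST"

# Emit ipset restore syntax: create the set, add the blocked nets, then add the
# exception nets with `nomatch` so addresses inside them are NOT matched.
# Blank lines and lines starting with # in the input files are ignored.
ipset_restore_script() {
    set_name=$1; blocks=$2; excepts=$3
    echo "create $set_name hash:net family inet hashsize 1024 maxelem 65536"
    grep -v '^#' "$blocks" | grep -v '^$' | while read -r net; do
        echo "add $set_name $net"
    done
    grep -v '^#' "$excepts" | grep -v '^$' | while read -r net; do
        echo "add $set_name $net nomatch"
    done
}

# The one iptables rule that consults the set for inbound SMTP (port 25).
smtp_drop_rule() {
    echo "iptables -I INPUT -p tcp --dport 25 -m set --match-set $1 src -j DROP"
}

OUT="${TMPDIR:-/tmp}/asiablock.restore"
ipset_restore_script asiablock "$BLOCK_LIST" "$EXCEPT_LIST" > "$OUT"
echo "# apply as root, set first, then the rule:"
echo "#   ipset restore < $OUT && $(smtp_drop_rule asiablock)"
cat "$OUT"
```

Load the set before adding the iptables rule, since `--match-set` refers to a set that must already exist, and keep the rule above any fail2ban chains so the cheap set lookup happens first. The `nomatch` flag needs ipset and kernel support that newer than the stock CentOS 6 packages may be required for; check `ipset --version` and test a `nomatch` add on a scratch set before depending on it. Without `nomatch`, the same effect takes explicit enumeration of the prefixes around each hole, which is the 1500-rule situation the poster describes.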

I am relying on ASSP.
That's an "Anti Spam SMTP Proxy" written in Perl. It combines almost all known techniques. I've been using it for some 12+ years.
 