vqadmin home : internet : mail : toaster : FAQ : how do I block abusive users? how do I survive a joe-job attack?

On the mailing list, Jim asked:

How do you stop something like this? Looks like some bonehead is trying to authenticate in order to relay email. This is just a snipett, it goes alot longer.

  • vpopmail[76811]: vchkpw-pop3: vpopmail user not found admin@:196.22.178.94
  • vpopmail[76814]: vchkpw-pop3: vpopmail user not found webmaster@:196.22.178.94

Tor did some research and returned with:

196.22.178.94 belongs to a South African ADSL pool (NetActive). You probably don't want any mail from that range, so put something like this somewhere near the top of /usr/local/vpopmail/etc/tcp.smtp (after your whitelisted netblocks, if any):

  • 196.22.160-239.:allow,RBLSMTPD="-NetActive ADSL dynamic IP blocked."

After that, do a 'qmail cdb'. Connection attempts to port 25 from that range will then be politely told to go shove it.

Matt also suggested:

Yes, that will certainly prevent a relay on port 25 and 587, but if the bonehead does get a successful authentication, they'll still be able to use it to relay using webmail, right? If it didn't happen all the time, I could ignore such scenarios, but them spammers are nothing if not persistent.

The best solution for this is making sure you enforce secure passwords. If you haven't done this, and can't for some reason, then I'd also block their connections to my POP3 server. After all, with qmail-pop3d, we're running under tcpserver so I'd imagine it's pretty easy to use a tcp.pop3 file to block connections to miscreants.

You can keep going and set up courier (man couriertcpd) to block their IP space, and finally, do the same with Apache and just refuse them connections to your system.

Finally, another less attractive alternative is blocking them to your system (or network) via a firewall, like IPFW. I personally don't recommend that, as I prefer to return a "your connection has been blocked due to network abuse" error message.


Last modified on 4/19/05.