I run a James mail server (james-server-spring-app-3.8.0). The log file shows 
that the server is constantly being attacked. This is normal, the server is on 
the Internet.

I was able to fend off some of the attacks via the firewall: blocking IP 
addresses or limiting access per minute (connect).

Now 2 attacks remain. In both cases there is a “connect”, then many actions, 
then the connection is closed. The IP addresses change constantly. In the 
"smtpserver.xml" file, I tried to reduce the number of accesses via 
"MaxRcptHandler", but unfortunately that doesn't work here.

Are there any out of the box options to configure something?

Here are the concrete examples from the log file (domaine.de is a dummy for my 
domain):

1) Rejected message. Unknown user

INFO   | jvm 1    | 2023/06/06 23:55:45 | 06-Jun-2023 23:55:45.837 INFO 
[smtpserver-io-3] 
org.apache.james.protocols.netty.BasicChannelInboundHandler.channelActive:103 - 
Connection established from 60.29.127.226
INFO   | jvm 1    | 2023/06/06 23:55:50 | 06-Jun-2023 23:55:50.400 INFO 
[smtpserver-io-3] 
org.apache.james.protocols.smtp.core.fastfail.AbstractValidRcptHandler.reject:61
 - Rejected message. Unknown user: dar...@domaine.de
INFO   | jvm 1    | 2023/06/06 23:55:50 | 06-Jun-2023 23:55:50.400 INFO 
[smtpserver-io-3] 
org.apache.james.protocols.smtp.core.log.HookResultLogger.onHookResult:45 - 
org.apache.james.smtpserver.fastfail.ValidRcptHandler: result= (DENY CONNECTED)
INFO   | jvm 1    | 2023/06/06 23:55:50 | 06-Jun-2023 23:55:50.401 INFO 
[smtpserver-io-3] 
org.apache.james.protocols.smtp.core.fastfail.AbstractValidRcptHandler.reject:61
 - Rejected message. Unknown user: daniell...@domaine.de
INFO   | jvm 1    | 2023/06/06 23:55:50 | 06-Jun-2023 23:55:50.401 INFO 
[smtpserver-io-3] 
org.apache.james.protocols.smtp.core.log.HookResultLogger.onHookResult:45 - 
org.apache.james.smtpserver.fastfail.ValidRcptHandler: result= (DENY CONNECTED)

… (202 lines in total)

INFO   | jvm 1    | 2023/06/06 23:55:50 | 06-Jun-2023 23:55:50.470 INFO 
[smtpserver-io-3] 
org.apache.james.protocols.smtp.core.fastfail.AbstractValidRcptHandler.reject:61
 - Rejected message. Unknown user: upoz3f3sx...@domaine.de
INFO   | jvm 1    | 2023/06/06 23:55:50 | 06-Jun-2023 23:55:50.471 INFO 
[smtpserver-io-3] 
org.apache.james.protocols.smtp.core.log.HookResultLogger.onHookResult:45 - 
org.apache.james.smtpserver.fastfail.ValidRcptHandler: result= (DENY CONNECTED)
INFO   | jvm 1    | 2023/06/06 23:55:51 | 06-Jun-2023 23:55:51.408 INFO 
[smtpserver-io-3] 
org.apache.james.protocols.netty.BasicChannelInboundHandler.channelInactive:143 
- Connection closed for 60.29.127.226/60.29.127.226:50151


2) Password is unverified

INFO   | jvm 1    | 2023/06/06 23:44:49 | 06-Jun-2023 23:44:49.108 INFO 
[smtpserver-io-2] 
org.apache.james.protocols.netty.BasicChannelInboundHandler.channelActive:103 - 
Connection established from 45.133.235.202
INFO   | jvm 1    | 2023/06/06 23:44:49 | 06-Jun-2023 23:44:49.333 INFO 
[smtpserver-io-2] 
org.apache.james.user.lib.UsersRepositoryImpl.lambda$test$2:155 - Could not 
retrieve user Username{localPart=root, domainPart=Optional[Domain : 
domaine.de]}. Password is unverified.
INFO   | jvm 1    | 2023/06/06 23:44:49 | 06-Jun-2023 23:44:49.333 INFO 
[smtpserver-io-2] 
org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler.doAuthTest:397 - AUTH 
method LOGIN failed from Username{localPart=root, domainPart=Optional[Domain : 
domaine.de]}@45.133.235.202
INFO   | jvm 1    | 2023/06/06 23:44:49 | 06-Jun-2023 23:44:49.512 INFO 
[smtpserver-io-2] 
org.apache.james.user.lib.UsersRepositoryImpl.lambda$test$2:155 - Could not 
retrieve user Username{localPart=root, domainPart=Optional[Domain : 
domaine.de]}. Password is unverified.
INFO   | jvm 1    | 2023/06/06 23:44:49 | 06-Jun-2023 23:44:49.512 INFO 
[smtpserver-io-2] 
org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler.doAuthTest:397 - AUTH 
method LOGIN failed from Username{localPart=root, domainPart=Optional[Domain : 
domaine.de]}@45.133.235.202

… (408 lines in total)

INFO   | jvm 1    | 2023/06/06 23:45:25 | 06-Jun-2023 23:45:25.286 INFO 
[smtpserver-io-2] 
org.apache.james.user.lib.UsersRepositoryImpl.lambda$test$2:155 - Could not 
retrieve user Username{localPart=root, domainPart=Optional[Domain : 
domaine.de]}. Password is unverified.
INFO   | jvm 1    | 2023/06/06 23:45:25 | 06-Jun-2023 23:45:25.286 INFO 
[smtpserver-io-2] 
org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler.doAuthTest:397 - AUTH 
method LOGIN failed from Username{localPart=root, domainPart=Optional[Domain : 
domaine.de]}@45.133.235.202
INFO   | jvm 1    | 2023/06/06 23:45:25 | 06-Jun-2023 23:45:25.330 INFO 
[smtpserver-io-2] 
org.apache.james.protocols.netty.BasicChannelInboundHandler.channelInactive:143 
- Connection closed for 45.133.235.202/45.133.235.202:57554


Does anyone know solutions to these problems?

Best wishes, Günter


-- 
Günter Paul
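
The two patterns in the excerpts above can be counted per source address, so the result can feed the firewall blocking already in use. This is an added example, not part of the original message and not James code; the thresholds, the `offenders` function and the sample lines are constructed. It assumes one event per line (the mail wrapped them) and attributes "Unknown user" rejections, which carry no address, to the connection last opened on the same smtpserver-io thread, a heuristic that can misattribute when one thread serves several connections at once.

```python
import re
from collections import Counter

THREAD = re.compile(r"\[(smtpserver-io-\d+)\]")
OPENED = re.compile(r"Connection established from (\S+)")
CLOSED = re.compile(r"Connection closed for ([^/\s]+)/")
AUTH_FAIL = re.compile(r"AUTH method \w+ failed from .*@(\S+)\s*$")
UNKNOWN_RCPT = "Rejected message. Unknown user"

def offenders(lines, max_auth_failures=3, max_unknown_rcpts=3):
    """Return {ip: (auth_failures, unknown_rcpts)} for addresses over either limit."""
    auth, rcpt = Counter(), Counter()
    open_on_thread = {}  # I/O thread name -> address of the connection last opened on it
    for line in lines:
        t = THREAD.search(line)
        thread = t.group(1) if t else None
        if m := OPENED.search(line):
            open_on_thread[thread] = m.group(1)
        elif m := CLOSED.search(line):
            if open_on_thread.get(thread) == m.group(1):
                del open_on_thread[thread]
        elif m := AUTH_FAIL.search(line):
            auth[m.group(1)] += 1  # the AUTH failure line names the client address itself
        elif UNKNOWN_RCPT in line and thread in open_on_thread:
            rcpt[open_on_thread[thread]] += 1  # heuristic: no address on this line
    return {ip: (auth[ip], rcpt[ip]) for ip in auth.keys() | rcpt.keys()
            if auth[ip] > max_auth_failures or rcpt[ip] > max_unknown_rcpts}

def _line(thread, msg):
    # Constructed line in the layout of the excerpts above; the logger name is a placeholder.
    return ("INFO   | jvm 1    | 2023/06/06 23:55:50 | 06-Jun-2023 23:55:50.400 INFO "
            f"[{thread}] org.apache.james.Example.method:1 - {msg}")

def _session(thread, ip, event, count):
    return ([_line(thread, f"Connection established from {ip}")]
            + [_line(thread, event)] * count
            + [_line(thread, f"Connection closed for {ip}/{ip}:50151")])

# Constructed sample: each session is open, N identical events, close (RFC 5737 addresses).
SAMPLE = (
    _session("smtpserver-io-3", "203.0.113.7", UNKNOWN_RCPT + ": nobody@domaine.de", 5)
    + _session("smtpserver-io-2", "198.51.100.9",
               "AUTH method LOGIN failed from Username{localPart=root, "
               "domainPart=Optional[Domain : domaine.de]}@198.51.100.9", 4)
    + _session("smtpserver-io-3", "192.0.2.10", UNKNOWN_RCPT + ": typo@domaine.de", 1)
)

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

The single mistyped recipient from 192.0.2.10 stays under the threshold and is not reported; only the two bulk sessions are.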
