How to find source of attack on Amavis

mrgreiner
Posts: 23
Joined: Sat Sep 13, 2014 2:56 am

How to find source of attack on Amavis

Postby mrgreiner » Wed Oct 30, 2019 3:26 pm

Hi,

for the last 12 hours, Amavis has been throwing the following messages on zimbra.log:

Oct 30 12:02:46 zimbra amavis[9683]: (09683-15) _WARN: dns: new_dns_packet (domain=tigressssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssr7.com.multi.surbl.org. type=A class=IN) failed: a label in a domain name is longer than 63 bytes
Oct 30 12:02:46 zimbra amavis[9683]: (09683-15) _WARN: dns: new_dns_packet (domain=tigressssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssr7.com.multi.uribl.com. type=A class=IN) failed: a label in a domain name is longer than 63 bytes
Oct 30 12:02:46 zimbra amavis[9683]: (09683-15) _WARN: dns: new_dns_packet (domain=tigressssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssr7.com.dob.sibl.support-intelligence.net. type=A class=IN) failed: a label in a domain name is longer than 63 bytes
Oct 30 12:02:46 zimbra amavis[9683]: (09683-15) _WARN: dns: new_dns_packet (domain=tigressssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssr7.com.dbl.spamhaus.org. type=A class=IN) failed: a label in a domain name is longer than 63 bytes
Oct 30 12:02:46 zimbra amavis[9683]: (09683-15) _WARN: dns: new_dns_packet (domain=tigressssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssr7.com. type=NS class=IN) failed: a label in a domain name is longer than 63 bytes
Oct 30 12:02:46 zimbra amavis[9683]: (09683-15) _WARN: dns: new_dns_packet (domain=tigressssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssr7.com. type=A class=IN) failed: a label in a domain name is longer than 63 bytes

Unfortunately, amavis does not show what IP these packets are coming from, so I don't know what to block. Could someone suggest what I should do?

I'm running zimbra ZCS 8.7.11_GA_3865 on a CentOS 6.10 platform.

Thank you,

Roberto


L. Mark Stone
Elite member
Posts: 2185
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: How to find source of attack on Amavis

Postby L. Mark Stone » Wed Oct 30, 2019 4:00 pm

That domain name is not a legal domain name (it's too long), so none of your right-hand-side URI checkers can parse it.

The good news is that none of your users will be able to click on it in the body of an email and have it connect anywhere.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
JDunphy
Outstanding Member
Outstanding Member
Posts: 517
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition

Re: How to find source of attack on Amavis

Postby JDunphy » Wed Oct 30, 2019 4:19 pm

You might try this:

%  grep -R tigressssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssr7.com /opt/zimbra/data/amavisd/tmp/

If you get a hit, take a look at the email.txt file in the appropriate directory for patterns. You should have a few of them if you are seeing a lot of these messages.

The message comes from SA which runs in amavisd.

See /opt/zimbra/common/lib/perl5/Mail/SpamAssassin/DnsResolver.pm

Short of blocking the IPs as you are asking, the only other thing I can think of would be to guard those lookups with a meta rule in your sauser.cf so that labels longer than 63 don't attempt this lookup.

Jim
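As an added example (not code from any post in this thread), a small Python script that pulls the amavis task id and the oversized label out of zimbra.log lines like the ones Roberto quoted, so that each task id can be matched to the message directory Jim suggests grepping under /opt/zimbra/data/amavisd/tmp/. The sample log lines embedded in it are constructed to mimic the thread; the label is shorter than the real one.

```python
import re
from collections import defaultdict

# Matches the amavis/SpamAssassin warning quoted in the thread:
#   "amavis[pid]: (task-id) _WARN: dns: new_dns_packet (domain=... type=A class=IN) failed: ..."
WARN_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) _WARN: dns: new_dns_packet "
    r"\(domain=(?P<domain>\S+) type=(?P<qtype>\w+) class=IN\) failed: "
    r"a label in a domain name is longer than 63 bytes"
)

MAX_LABEL = 63  # the RFC 1035 per-label limit the resolver is enforcing


def oversized_labels(name):
    """Return the labels of a dotted DNS name that exceed 63 bytes."""
    return [lbl for lbl in name.rstrip(".").split(".") if len(lbl.encode()) > MAX_LABEL]


def parse_warnings(log_text):
    """Return (task_id, queried_name, query_type) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            hits.append((m["task"], m["domain"], m["qtype"]))
    return hits


def offending_labels_by_task(log_text):
    """Map each amavis task id to the set of oversized labels it tried to look up.

    The task id (e.g. 09683-15) identifies the message being scanned, and the
    label is the string to grep for in the amavisd tmp directory to find it.
    """
    by_task = defaultdict(set)
    for task, name, _qtype in parse_warnings(log_text):
        by_task[task].update(oversized_labels(name))
    return dict(by_task)


# Constructed sample input: two warnings for one task, plus an unrelated line.
LONG_LABEL = "tigres" + "s" * 90 + "r7"  # constructed, 98 bytes long
SAMPLE_LOG = "\n".join([
    f"Oct 30 12:02:46 zimbra amavis[9683]: (09683-15) _WARN: dns: new_dns_packet "
    f"(domain={LONG_LABEL}.com.multi.surbl.org. type=A class=IN) failed: "
    "a label in a domain name is longer than 63 bytes",
    f"Oct 30 12:02:46 zimbra amavis[9683]: (09683-15) _WARN: dns: new_dns_packet "
    f"(domain={LONG_LABEL}.com. type=NS class=IN) failed: "
    "a label in a domain name is longer than 63 bytes",
    "Oct 30 12:03:01 zimbra amavis[9684]: (09684-02) _WARN: unrelated constructed line",
])

if __name__ == "__main__":
    for task, labels in offending_labels_by_task(SAMPLE_LOG).items():
        print(task, sorted(labels))
```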
