How to find source of attack on Amavis

Posted: Wed Oct 30, 2019 3:26 pm
by mrgreiner
Hi,

for the last 12 hours, Amavis has been throwing the following messages on zimbra.log:

Oct 30 12:02:46 zimbra amavis[9683]: (09683-15) _WARN: dns: new_dns_packet (domain=tigressssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssr7.com.multi.surbl.org. type=A class=IN) failed: a label in a domain name is longer than 63 bytes
Oct 30 12:02:46 zimbra amavis[9683]: (09683-15) _WARN: dns: new_dns_packet (domain=tigressssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssr7.com.multi.uribl.com. type=A class=IN) failed: a label in a domain name is longer than 63 bytes
Oct 30 12:02:46 zimbra amavis[9683]: (09683-15) _WARN: dns: new_dns_packet (domain=tigressssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssr7.com.dob.sibl.support-intelligence.net. type=A class=IN) failed: a label in a domain name is longer than 63 bytes
Oct 30 12:02:46 zimbra amavis[9683]: (09683-15) _WARN: dns: new_dns_packet (domain=tigressssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssr7.com.dbl.spamhaus.org. type=A class=IN) failed: a label in a domain name is longer than 63 bytes
Oct 30 12:02:46 zimbra amavis[9683]: (09683-15) _WARN: dns: new_dns_packet (domain=tigressssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssr7.com. type=NS class=IN) failed: a label in a domain name is longer than 63 bytes
Oct 30 12:02:46 zimbra amavis[9683]: (09683-15) _WARN: dns: new_dns_packet (domain=tigressssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssr7.com. type=A class=IN) failed: a label in a domain name is longer than 63 bytes

Unfortunately, amavis does not show what IP these packets are coming from, so I don't know what to block. Could someone suggest what I should do?

I'm running zimbra ZCS 8.7.11_GA_3865 on a CentOS 6.10 platform.

Thank you,

Roberto

Re: How to find source of attack on Amavis

Posted: Wed Oct 30, 2019 4:00 pm
by L. Mark Stone
That domain name is not a legal domain name (it's too long), so none of your right hand side uri checkers can parse it.

The good news is that none of your users will be able to click on it in the body of an email and have it connect anywhere.

Hope that helps,
Mark

Re: How to find source of attack on Amavis

Posted: Wed Oct 30, 2019 4:19 pm
by JDunphy
You might try this:

%  grep -R tigressssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssr7.com /opt/zimbra/data/amavisd/tmp/

If you get a hit, take a look at the email.txt file in the appropriate directory for patterns. You should have a few of them if you are seeing a lot of these messages.

The message comes from SA which runs in amavisd.

see /opt/zimbra/common/lib/perl5/Mail/SpamAssassin/DnsResolver.pm

Short of blocking the IPs as you are asking, the only other thing I can think of would be to guard those lookups with a meta rule in your sauser.cf so that labels longer than 63 don't attempt this lookup.

Jim
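An added example, not from the thread or from Zimbra, that generalizes the grep above: it walks the same /opt/zimbra/data/amavisd/tmp tree, flags any email.txt containing a hostname with a DNS label over 63 bytes (the condition in the amavis _WARN lines, whatever the label text is), and pulls the IPs out of the Received: headers so the delivering host can be identified. The sample message and its IPs are constructed; the directory layout with an email.txt per message directory is assumed from the reply above.

```python
import os
import re

# Constructed sample message (not from the thread); the URL's first label is
# far longer than the 63-byte DNS limit that the amavis _WARN lines complain about.
SAMPLE = (
    "Received: from mx1.example.net (mx1.example.net [203.0.113.45])\n"
    "\tby zimbra.example.org (Postfix) with ESMTP id 4XYZ\n"
    "Received: from relay.example.com ([198.51.100.7])\n"
    "\tby mx1.example.net with ESMTP\n"
    "From: sender@example.com\nSubject: test\n\n"
    "Visit http://tigress" + "s" * 94 + "r7.com/offer now\n"
)

HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def find_overlong_hosts(msg, max_label=63):
    """Hostnames in msg with any label longer than max_label bytes."""
    return sorted({h for h in HOST_RE.findall(msg)
                   if any(len(lbl) > max_label for lbl in h.split("."))})

def received_ips(msg):
    """IPs from Received: headers, newest hop first. The first entry is the
    host that handed the message to your MTA; earlier hops may be forged."""
    headers = re.sub(r"\n[ \t]+", " ", msg.split("\n\n", 1)[0])  # unfold
    return [ip for line in headers.split("\n")
            if line.lower().startswith("received:")
            for ip in RECEIVED_IP_RE.findall(line)]

def scan_amavis_tmp(root="/opt/zimbra/data/amavisd/tmp"):
    """Walk amavisd's tmp dirs (the path grepped above) and map each email.txt
    that contains an over-long label to (hosts, received_ips)."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        if "email.txt" in files:
            path = os.path.join(dirpath, "email.txt")
            with open(path, errors="replace") as fh:
                msg = fh.read()
            hosts = find_overlong_hosts(msg)
            if hosts:
                hits[path] = (hosts, received_ips(msg))
    return hits

if __name__ == "__main__":
    for path, (hosts, ips) in scan_amavis_tmp().items():
        print(path, hosts, ips)
```

Run it as the zimbra user so the tmp directories are readable; the first IP reported per message is the one your MTA actually accepted the connection from.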