2
Anyone else's SmarterMail server(s) under attack?
Question asked by Michael Muller - 11/22/2020 at 8:14 AM
Unanswered
I'm running SM Build 7523 (Aug 6, 2020) on a Windows 2008 Server with 32GB RAM, four processors and two RAID5 2TB drives for about 450 clients. Plenty of speed and space. However, the server has been crashing for the past couple days, caused by memory usage going through the roof (90% and higher), and has been super-sluggish the past week. Looking at the logs I can see we're under DOS and other brute force attacks from Russia and Poland. Mostly Russia. I've added three /24 subnets to my blacklist, as well as a few others, but that has only been a temporary fix.

So, is anyone else experiencing this, and if so what did you do to ameliorate the problem?

Here's my Settings > Security > IDS Rules. Any thoughts or suggestions?


Here's my Blacklist:

---
Montague WebWorks
Powered by RocketFusion

22 Replies

0
Michael Muller Replied
Here's my Reports > Security page charts for the past week:
--- Montague WebWorks Powered by RocketFusion
0
Chris Daley Replied
We have observed an increase in attempts from Russia over the past week; however, this has not affected performance. We don't use an SMTP DoS rule though, only password brute force for SMTP (time frame = 20 mins, threshold = 5, block time = 1440).

A number of customers have received targeted SmarterMail spam emails in the past week as well, basically telling them their POP/IMAP settings need updating to keep using SmarterMail. So someone has identified the domain uses SM for email.
0
Michael Muller Replied
Looking for the command line script to restart SM if memory usage goes above 80%. Could be a quick temporary fix until I figure out a better solution.
--- Montague WebWorks Powered by RocketFusion
0
Chris Daley Replied
Have you tried upgrading? We are currently on 7611, no issues that I'm aware of (not using Exchange functionality though).
0
Ron Raley Replied
We block for 24 hours if SMTP DOS is triggered.

Your settings only keep them away for 2 hours. They may be coming right back and hitting your server over and over.

Ron
0
echoDreamz Replied
Same, we block for 24 hours. We always have 1000+ blocked IPs in our IDS section (mainly on SMTP).
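The effect of block time discussed in the replies above, as an added example that is not part of any poster's reply or of SmarterMail itself: a small simulation of a threshold-based IDS rule, using the time frame (20 minutes) and threshold (5) quoted earlier in the thread and comparing a 120-minute block with a 1440-minute block. The traffic is constructed, the IP addresses are documentation-range placeholders, and `simulate_ids` is a hypothetical model, not the product's rule engine.

```python
from collections import defaultdict, deque

def simulate_ids(events, window_min, threshold, block_min):
    """Model an IDS rule: `threshold` failures inside `window_min` minutes
    blocks the source IP for `block_min` minutes.
    events: (minute, ip) failed-auth attempts, sorted by minute.
    Returns (attempts that reached the mail service, blocks triggered) per IP."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    blocked_until = {}            # ip -> minute at which the current block expires
    reached = defaultdict(int)
    blocks = defaultdict(int)
    for minute, ip in events:
        if minute < blocked_until.get(ip, -1):
            continue              # dropped by the rule, never reaches authentication
        reached[ip] += 1
        q = recent[ip]
        q.append(minute)
        while q and q[0] <= minute - window_min:
            q.popleft()           # forget failures older than the time frame
        if len(q) >= threshold:
            blocked_until[ip] = minute + block_min
            blocks[ip] += 1
            q.clear()
    return reached, blocks

def constructed_events(duration_min=2880):
    # Constructed sample traffic, not real log data: one source retrying every
    # minute for 48 hours, plus a legitimate user who mistypes a password twice.
    noisy = [(m, "203.0.113.7") for m in range(duration_min)]
    typo_user = [(100, "198.51.100.20"), (101, "198.51.100.20")]
    return sorted(noisy + typo_user)

def compare_block_times(block_times=(120, 1440)):
    """Return {block_min: (noisy attempts served, blocks triggered, user attempts served)}."""
    events = constructed_events()
    out = {}
    for b in block_times:
        reached, blocks = simulate_ids(events, window_min=20, threshold=5, block_min=b)
        out[b] = (reached["203.0.113.7"], blocks["203.0.113.7"], reached["198.51.100.20"])
    return out

if __name__ == "__main__":
    for b, (served, blocks, user) in compare_block_times().items():
        print(f"block={b:>4} min: noisy source served {served} attempts "
              f"in {blocks} block cycles; typo user served {user}")
```

With the shorter block the same source is let back in and re-blocked every two hours, so the service handles twelve times as many of its attempts over the same 48 hours, while the user with two typos is unaffected by either setting.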
0
Michael Muller Replied
Ah.
--- Montague WebWorks Powered by RocketFusion
0
Montague WebWorks Replied
I've got lots of blocks, and memory still over-consumed...


Mik Muller
Montague WebWorks
0
Montague WebWorks Replied
Mik Muller
Montague WebWorks
0
Montague WebWorks Replied
Memory up to 85% and server is now unresponsive, again. I can't get to "Services" and clicking "End Process" does nothing. Just rebooted two hours ago.

Is there a way to limit the amount of RAM SM uses, so the OS can still operate if SM is maxed?
Mik Muller
Montague WebWorks
2
Ron Raley Replied
I would recommend upgrading to 7619. The community indicates that this is a very stable version.

If the issue still exists afterwards, let SmarterTools have a look at it. They have diagnostic tools to view exactly what mailservice.exe is doing.

Ron
1
Montague WebWorks Replied
Turns out there were some corrupted json and grp files, since Friday morning. This happened around the same time we started to get pummeled by hackers from Russia and China, so, a bit of a goose chase. In any event, we are restoring those few files and are now back up.
Mik Muller
Montague WebWorks
0
Montague WebWorks Replied
Still having issues. Service went down yesterday and had to be restarted. Also, when sending emails in Thunderbird, it fails to move the file according to the mail filters (some clients have their own folder/mailbox). In fact I simply can't move emails to other folders anymore.
Mik Muller
Montague WebWorks
1
Jade D Replied
Sorry to change the topic, but how is it that you guys think it's OK to run unsupported versions of Windows Server OS on production systems?

I presume that your clients are paying for access to a system or service and part of those fees include the maintenance of the server and its OS?

By running a server with anything less than Windows Server 2012 R2, you are exposing your clients to unnecessary risk and numerous exploits. IMO this amounts to negligence.

I'd be more concerned about those OS's being hacked than Russians running a dictionary attack on exposed services.

teamviewer_service.exe....
Jade https://absolutehosting.co.za
0
Ron Raley Replied
Microsoft provides Extended Security Updates to Windows Server 2008 and 2008 R2 for 3 additional years beyond the end-of-support date.

Ron
0
Jade D Replied
Have you seen how quickly a Windows Server 2008 / R2 server gets compromised? 
We ran a test and installed a Windows 2008 R2 server fresh, and within 15 minutes of being online and accessible, it was compromised.
A client of ours who refused to upgrade his server was hacked last month.

Running Windows Server 2008 / R2 is negligent and irresponsible - irrespective if MS have made a special case for it.



Jade https://absolutehosting.co.za
4
Ron Raley Replied
"Negligent" and "irresponsible" are a bit harsh. He came here for help.

Ron
0
Chinmay Khandekar Replied
We have also seen increased attacks on our SmarterMail Windows 2016, recently migrated from Windows 2008.

The attacks are targeted at RDP primarily; if they miss that, then it's the mail server, as we have noticed. Just make sure you have your Windows updated no matter what; don't avoid it at any cost. Secure your RDP; restrict it to IPs.

There are some nasty motherboard vulnerabilities present still. Make sure your hardware firmware (BIOS, RAID drivers and NIC) is updated once a year.

We are not using SmarterMail blocks, but we are using Windows Firewall for this; that seems effective with lesser memory consumption.
2
Montague WebWorks Replied
We have a Windows upgrade planned for this server, and have RDP shut down for all IPs but two at the firewall. The upgrade has been delayed because we're planning to also virtualize the server during the upgrade, which of course adds a wrinkle. All other servers under our control are virtualized and running on 2016. Thanks for your concern.
Mik Muller
Montague WebWorks
2
Ron Raley Replied
Mik, I would recommend not spending too much time on this particular issue and instead put a rush on the upgrade. Just my thought.

Ron
0
Montague WebWorks Replied
Underway
Mik Muller
Montague WebWorks
1
Robert Mathias Replied
We've had this problem for years. We use a hardware firewall set to block all IPs from the Russian Federation, China, Islamic Republic of Iran, Democratic People's Republic of Korea, Vietnam and Ukraine. We did once have to remove Ukraine from the list for a while when some clients couldn't access their email when visiting there.