I had successfully proved that the concept (migrating a PHP front-ended, MySQL back-ended website hosted with a commercial webhost based in Arizona to my NAS here in the UK) was sound.
And I had documented the steps and processes that need to be gone through, in order to make it all happen.
I had signed off with a light-hearted statement about learning to migrate the associated mail accounts after a cup of tea.
Yeah, well, I’m struggling with the mail thing.
But while I struggle, here’s a thing.
I am hyperanal about security, and have a number of default characteristics set up, on my NAS, including automatic IP blacklisting after x successful attempts to log on (where x is a number I’m not disclosing), and instant SMS alerts of various events to my phone.
So, a few days ago I enabled my NAS’s mailserver and began configuring it.
Within 24 hours of enabling mailserver, I started getting attempted penetration alerts on the mailserver.
My alerts look like this:
- The IP address [177.99.206.58] experienced x failed attempts when attempting to log into Mail Server running, and was blocked at Sun Sep 22 08:04:34 2013
- The IP address [200.198.68.123] experienced x failed attempts when attempting to log into Mail Server running, and was blocked at Sun Sep 22 09:04:34 2013
- The IP address [202.162.24.36] experienced x failed attempts when attempting to log into Mail Server running, and was blocked at Sun Sep 22 10:04:34 2013
- The IP address [210.212.28.180] experienced x failed attempts when attempting to log into Mail Server running, and was blocked at Sun Sep 22 11:04:34 2013
- The 1st IP is registered in Brazil
- The 2nd IP is registered in Brazil
- The 3rd IP is registered in Malaysia
- The 4th IP is registered in India
My question is, given that these penetration attempts have targeted the mailserver (not the NAS root), how the flipping flip have they identified that I had begun to configure a mailserver?
- I hadn’t enabled any MX record
- I hadn’t registered the mailserver anywhere on the web
- I hadn’t even completed the mailserver config
I am, frankly, puzzled as to how these bots (I’m assuming they are robots, not real people) have latched on to what I was doing.
I can guess what they’re after. I am assuming the bots are trying to establish a backdoor on my mailserver, from which they can spam the world in the name of any accounts that might have been set up there.
But how did they know?
Port scanning for open relays (sweeping IP ranges) is fairly common – and it’s not so they can impersonate you, it’s just so they have a way of firing mails at the world.
It’s unavoidable IP traffic (assuming you aren’t taking mail in only from a known upstream relay), but make sure your mail server is nailed down in terms of the domains it is permitted to relay for.
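The threshold blacklisting the post relies on, as an added example (not the NAS’s own code): a sliding-window failed-login counter run over constructed auth events, which emits alerts worded like the ones quoted above. The threshold of 5 and the 10-minute window are assumptions, since the post withholds x, and 192.0.2.10 is a constructed documentation-range address.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # stands in for the post's undisclosed "x" (assumed value)
WINDOW = timedelta(minutes=10)  # failures older than this are forgotten (assumed value)
# Same wording as the alerts quoted in the post.
ALERT_FMT = ("The IP address [{ip}] experienced {n} failed attempts when attempting to "
             "log into Mail Server running, and was blocked at {when:%a %b %d %H:%M:%S %Y}")

class FailedLoginBlocker:
    """Sliding-window failed-login counter with per-IP blacklisting."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold, self.window = threshold, window
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                    # ip -> time the block was applied

    def record(self, ip, when, success):
        """Feed one login event; return the alert text if it triggers a block, else None."""
        if ip in self.blocked:
            return None                      # already blacklisted
        if success:
            self._failures.pop(ip, None)     # a good login clears the counter
            return None
        recent = self._failures[ip]
        recent.append(when)
        while when - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.threshold:
            self.blocked[ip] = when
            del self._failures[ip]
            return ALERT_FMT.format(ip=ip, n=len(recent), when=when)
        return None

def sample_events():
    """Constructed login events (ip, timestamp, success); not a real log."""
    t0 = datetime(2013, 9, 22, 8, 0, 0)
    ev = [("177.99.206.58", t0 + timedelta(seconds=s), False)    # burst: five failures in five minutes
          for s in (0, 61, 120, 200, 274)]
    ev += [("200.198.68.123", t0 + timedelta(hours=h), False)    # slow prober: one failure an hour
           for h in (1, 2, 3, 4)]
    ev += [("192.0.2.10", t0 + timedelta(minutes=m), ok)         # legitimate user: two typos, then success
           for m, ok in ((5, False), (6, False), (7, True))]
    return sorted(ev, key=lambda e: e[1])

def replay(events, threshold=THRESHOLD, window=WINDOW):
    """Run events through the blocker; return (blocked ips, alert texts in arrival order)."""
    blocker = FailedLoginBlocker(threshold, window)
    alerts = [a for a in (blocker.record(*e) for e in events) if a]
    return blocker.blocked, alerts
```

Lowering the threshold to 2 also blacklists the legitimate user after two mistyped passwords, which is the trade-off behind keeping x above a handful.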