I have created a working solution... well, not the best but better than nothing. For anyone that is running Plesk you can email me for the script.

Cron runs the script once per minute. If any user sends more than X emails within the last Y seconds, his password gets changed, locking him out.

The bad is that since cron can only run once per minute, your spammer could get a full minute of spamming done before being stopped. It scans the maillog once per minute and uses the spamdyke line to see who the auth user is and notes the time. If it decides the user should be blocked, it updates the password in the psa database (Plesk) and stops the user instantly.
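The detection half of that script, as an added example (not the poster's own code): it parses constructed maillog lines laid out like spamdyke's ALLOWED entries, takes the SMTP AUTH username from the "auth:" field, and reports any user who exceeded X messages within any Y-second window. The log layout, the sample lines and the thresholds are assumptions; the Plesk password change is left out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed maillog excerpt in the layout of spamdyke "ALLOWED" lines (syslog
# timestamp, host, process, then spamdyke's fields). "auth:" holds the SMTP AUTH
# username; "(unknown)" means the sender did not authenticate.
SAMPLE_MAILLOG = """\
Dec 10 13:04:58 mx spamdyke[2101]: ALLOWED from: alice@example.com to: bob@example.net origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: alice@example.com encryption: TLS reason: 250_ok
Dec 10 13:04:59 mx spamdyke[2102]: ALLOWED from: news@example.org to: alice@example.com origin_ip: 203.0.113.9 origin_rdns: mail.example.org auth: (unknown) encryption: (none) reason: 250_ok
Dec 10 13:05:00 mx spamdyke[2103]: ALLOWED from: promo@other.test to: x1@example.net origin_ip: 198.51.100.9 origin_rdns: (unknown) auth: carol@example.com encryption: TLS reason: 250_ok
Dec 10 13:05:01 mx spamdyke[2104]: ALLOWED from: promo@other.test to: x2@example.net origin_ip: 198.51.100.9 origin_rdns: (unknown) auth: carol@example.com encryption: TLS reason: 250_ok
Dec 10 13:05:02 mx spamdyke[2105]: ALLOWED from: promo@other.test to: x3@example.net origin_ip: 198.51.100.9 origin_rdns: (unknown) auth: carol@example.com encryption: TLS reason: 250_ok
Dec 10 13:05:03 mx spamdyke[2106]: ALLOWED from: promo@other.test to: x4@example.net origin_ip: 198.51.100.9 origin_rdns: (unknown) auth: carol@example.com encryption: TLS reason: 250_ok
Dec 10 13:06:30 mx spamdyke[2107]: ALLOWED from: alice@example.com to: dan@example.net origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: alice@example.com encryption: TLS reason: 250_ok
"""

# Assumed field layout: syslog stamp, host, "spamdyke[pid]: ALLOWED ...", then "auth: <user>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ spamdyke\[\d+\]: ALLOWED .*? auth: (?P<auth>\S+)"
)


def parse_auth_events(log_text):
    """Yield (timestamp, auth_user) for every authenticated ALLOWED line, in log order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("auth") == "(unknown)":
            continue  # unauthenticated inbound mail is not subject to the per-user limit
        # Syslog stamps carry no year; strptime fills in 1900, which is fine for
        # time differences as long as the excerpt does not cross a year boundary.
        yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("auth")


def users_to_block(log_text, max_messages, window_seconds):
    """Return {auth_user: peak_count} for users that sent more than max_messages
    within any window_seconds span (sliding window per user)."""
    recent = defaultdict(deque)  # auth user -> timestamps still inside the window
    flagged = {}
    for ts, user in sorted(parse_auth_events(log_text)):
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop sends older than the window
        if len(q) > max_messages:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


if __name__ == "__main__":
    # X = 3 messages, Y = 60 seconds: carol sends 4 in 4 seconds, alice only 2 spread 92 seconds apart
    print(users_to_block(SAMPLE_MAILLOG, max_messages=3, window_seconds=60))
```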

On 12/10/2013 1:05 PM, Sam Clippinger wrote:
This is definitely a problem! I have to deal with it at least once per week myself.

In the current version, there's almost nothing spamdyke can do to prevent this -- once the user is authenticated, they can send as much email as they want. In the upcoming version, I've added a filter to compare the sender address to the authentication username and block messages if they don't match or if the domain doesn't match (configurable). That will stop some of these incidents, especially when the spammer authenticates and sends from a remote server instead of the compromised PC -- they seem to use different sender addresses when that happens. When they send from the infected PC, they seem to use the same address, so the new filter won't be able to stop it.

Someday I'd like to add rate limiting to spamdyke so it can block these kinds of problems once and for all. Actually, I've been thinking about adding a generic filter framework to spamdyke, so it can call out to an external program and get a pass/fail response. That would allow lots of new custom filters to be easily added without having to update spamdyke itself (rate limits, size limits, database-backed graylisting, etc). As long as the custom scripts were executable, they wouldn't have to be written in C. It would also allow SpamAssassin and ClamAV to be called during mail delivery, which is something I've wanted for a long time... :)

-- Sam Clippinger




On Dec 10, 2013, at 11:21 AM, ron wrote:

Such a solution would be nice.
I can empathize with you as it happened to me about 8 months ago and it took me several hours to figure out how to stop it, although they weren't being created as fast as yours. Scanned all PCs with Malwarebytes and didn't find any process that could be definitely identified as the culprit, but removed anything suspect.

Ron


On 12/10/2013 9:35 AM, Les Fenison wrote:
I had one of my email users' accounts compromised this morning and have been thinking of what could have prevented hundreds of thousands of spams from going out all within a 2 minute window.

Is there any way possible to limit the number of emails that a single authenticated user can send within a specified period of time?

Fortunately I was awake and an alarm alerted me to an enormous mail queue and I was able to quickly change the compromised password. But not until over 400,000 messages got queued. I dumped the queue immediately but time will tell how many blacklists my IP ends up on because of this.

--
Les Fenison
www.DeltaTechnicalServices.com <https://www.deltatechnicalservices.com/>
l...@deltatechnicalservices.com
(503) 610-8747


_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users




--
Les Fenison
www.DeltaTechnicalServices.com <https://www.deltatechnicalservices.com>
l...@deltatechnicalservices.com
(503) 610-8747
