On 03/Mar/11 04:20, Mark Constable wrote:
> We just had 2 accounts compromised and used for sending out a ton of
> spam, one I found because an irate recipient sent back a complaint
> which included the headers and the AUTH: LOGIN details.

That only has the user's name, not the password.  It is in every mail
one sends...  Was the password cracked using several attempts?  (From
several IPs?)

> I've already blocked the IP at this stage but the spammer can just
> hop on another machine with a different IP and start sending to the
> same compromised account which I can only guess at.

IMHO, one should block the user in this case.  I would reset her/his
password; larger sites may engineer some automated mechanism, e.g.
using SMS and web forms.

> FWIW for future googling of the list archives, I found this useful...
> 
> alias failedlogin='grep '\''LOGIN FAILED, user='\'' /var/log/mail/mail.log | 
> awk -F'\''user='\'' '\''{print $2}'\'' | awk -F, '\''{print $1}'\'' | sort | 
> uniq -c | sort -nr'


I use  /LOGIN FAILED, user=\S* ip=\[<HOST>]/  but also
/courieresmtpd: error,relay=<HOST>,msg="535 Authentication failed."/

However, it is still difficult to match such entries against a user-id.
How about an additional query to be issued when the password is wrong,
say some

MYSQL_FAILEDAUTH_CLAUSE UPDATE user SET failures = failures + 1 WHERE address = 
'$(local_part)@$(domain)'

sort of thing?  It would then be trivial to limit login to users having
a decent number of failures, and to reset failures on the CHPASS clause...

-- 
See 
http://www.mail-archive.com/courier-users@lists.sourceforge.net/msg35526.html
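As an added illustration (not code from either poster), the following Python script combines the two ideas in the message: it applies patterns equivalent to the two fail2ban-style expressions above to Courier syslog lines, and then keeps the per-user failure count and per-user set of source addresses that the proposed MYSQL_FAILEDAUTH_CLAUSE would accumulate in the database. The sample log lines are constructed, and the thresholds in `suspicious_users` are illustrative assumptions, not Courier settings.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in Courier's syslog style (not real logs).
SAMPLE_LOG = """\
Mar  3 04:01:12 mx imapd: LOGIN FAILED, user=alice, ip=[::ffff:192.0.2.10]
Mar  3 04:01:15 mx imapd: LOGIN FAILED, user=alice, ip=[::ffff:192.0.2.10]
Mar  3 04:01:20 mx imapd: LOGIN, user=alice, ip=[::ffff:192.0.2.10], protocol=IMAP
Mar  3 04:02:01 mx pop3d: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.7]
Mar  3 04:02:09 mx pop3d: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.8]
Mar  3 04:02:17 mx pop3d: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.9]
Mar  3 04:02:25 mx imapd: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.4]
Mar  3 04:03:00 mx courieresmtpd: error,relay=::ffff:203.0.113.4,msg="535 Authentication failed."
Mar  3 04:03:05 mx courieresmtpd: error,relay=::ffff:203.0.113.4,msg="535 Authentication failed."
"""

# Equivalents of the two fail2ban-style patterns from the post, with named
# groups so the user-id is captured next to the client address.
LOGIN_FAILED_RE = re.compile(
    r"LOGIN FAILED, user=(?P<user>[^,\s]+), ip=\[(?P<ip>[^\]]+)\]")
# The SMTP AUTH failure carries only the relay address, no user-id.
SMTP_AUTH_FAILED_RE = re.compile(
    r'courieresmtpd: error,relay=(?P<ip>[^,]+),msg="535 Authentication failed\."')


def parse_failures(lines):
    """Return (user_failures, smtp_failures).

    user_failures: list of (user, ip) for IMAP/POP3 "LOGIN FAILED" entries.
    smtp_failures: list of relay ip for SMTP "535 Authentication failed" entries.
    """
    user_failures, smtp_failures = [], []
    for line in lines:
        m = LOGIN_FAILED_RE.search(line)
        if m:
            user_failures.append((m.group("user"), m.group("ip")))
            continue
        m = SMTP_AUTH_FAILED_RE.search(line)
        if m:
            smtp_failures.append(m.group("ip"))
    return user_failures, smtp_failures


def summarize(lines):
    """Per-user failure counts, distinct source IPs per user, and per-IP counts.

    per_user mirrors the 'failures' column the MYSQL_FAILEDAUTH_CLAUSE idea
    would maintain; per_ip is what an IP-based blocker such as fail2ban sees.
    """
    user_failures, smtp_failures = parse_failures(lines)
    per_user = Counter(user for user, _ in user_failures)
    ips_per_user = defaultdict(set)
    for user, ip in user_failures:
        ips_per_user[user].add(ip)
    per_ip = Counter(ip for _, ip in user_failures)
    per_ip.update(smtp_failures)
    return per_user, dict(ips_per_user), per_ip


def failed_login_report(lines):
    """Same output as the 'failedlogin' alias: (count, user), most failures first."""
    per_user, _, _ = summarize(lines)
    return sorted(((n, user) for user, n in per_user.items()), reverse=True)


def suspicious_users(lines, max_failures=3, min_ips=2):
    """Users with >= max_failures failures, or failures from >= min_ips addresses.

    Spreading attempts over several addresses defeats per-IP blocking, which is
    why the per-user view matters.  Thresholds are illustrative assumptions.
    """
    per_user, ips_per_user, _ = summarize(lines)
    return sorted(
        user for user, n in per_user.items()
        if n >= max_failures or len(ips_per_user[user]) >= min_ips)


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for count, user in failed_login_report(log_lines):
        print(f"{count:7d} {user}")
    print("suspicious:", suspicious_users(log_lines))
```

Run against a real file with `summarize(open("/var/log/mail/mail.log"))`; the per-user view is the piece the per-IP patterns cannot give, since an attacker who moves to a new address resets the per-IP count but not the per-user one.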