P.S.

> From: Todd Lyons
>
> > How to block stolen passwords automatically:
> > https://github.com/Exim/exim/wiki/BlockCracking
>
> Lena, one corner case of this is when a legitimate user has one device
> with the wrong password. Picture a typical small office where two or
> three people use a small NAT router to connect to their business-class
> DSL. One person changes their password and they fix it on their iPhone
> because they have to leave to go do something. They leave. Their
> Outlook is still open on their computer and someone comes by to check
> something in the email. Outlook doesn't seem to be working right, so
> they hit the Send/Receive button multiple times. On the Exim server,
> the limit for bad user/pass combinations gets hit and the IP gets added
> to the blacklist. Now the whole office is blocked from sending email.
>
> I'd like to ponder if there is a way to detect that the same incorrect
> password is being sent over and over (indicating a misconfigured
> device) as opposed to random passwords (indicating brute forcing). To
> my knowledge, neither the actual password nor a hash of it is made
> available anywhere except to the authenticator section. Can you dream
> up any sequence that could be used to capture a hash of that password,
> store it, and then use it to compare subsequent attempts?

OK, untested changes for my code, https://github.com/Exim/exim/wiki/BlockCracking :

1. Replacement for "accept" at the end of acl_check_auth:

  # remember a hash of the AUTH initial response for this connection
  accept
    set acl_c_authhash = ${if match{$smtp_command_argument}\
                           {\N(?i)^(?:plain|login) (.+)$\N}{${nhash_1000:$1}}}

2. Replacement for entire acl_check_quit:

  # per-IP, per-password-hash rate of connections that quit after a failed AUTH
  warn condition = ${if def:authentication_failed}
       condition = $authentication_failed
       condition = ${if def:acl_c_authhash}
       ratelimit = 7 / 5m / strict / $sender_host_address-$acl_c_authhash

  # keep the integer part of that rate for the comparison below
  warn condition = ${if def:authentication_failed}
       condition = $authentication_failed
       condition = ${if def:acl_c_authhash}
       set acl_c_hashrate = ${sg{$sender_rate}{[.].*}{}}

  # block only when the password hash is unknown or has not been repeated
  warn condition = ${if def:authentication_failed}
       condition = $authentication_failed
       logwrite = :reject: quit after authentication failed: \
                  ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
       ratelimit = 7 / 5m / strict / per_conn
       condition = ${if or{\
                       {!def:acl_c_authhash}\
                       {<{$acl_c_hashrate}{2}}\
                   }}
       continue = ${run{SHELL -c "echo $sender_host_address \
                        >>$spool_directory/blocked_IPs; \
                        \N{\N echo Subject: $sender_host_address blocked; echo; echo \
                        for bruteforce auth cracking attempt.; \
                        \N}\N | EXIMBINARY WARNTO"}}

> From: Cyborg
>
> That will block most customers who try to send valid newsletters :)
> 10% or more of the address database of those newsletter senders is
> invalid and old addresses.

Do those customers/senders ignore bounces?

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
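To see the "same wrong password versus many wrong passwords" distinction from the exchange above working end to end, here is an added example in Python; it is not code from this thread or from the BlockCracking wiki. It models the per-IP sliding window that the posted ratelimit statements implement, but it keys every failure in the window by a hash of the (username, password) pair carried in the AUTH initial response rather than only the last hash seen on a connection, so two users behind one NAT count as two secrets. A truncated SHA-256 stands in for Exim's nhash; the thresholds (7 failures in 5 minutes) follow the posted ACL, the "up to two distinct wrong secrets still looks like stuck clients" cut-off is an assumption, and the IP addresses and AUTH lines are constructed.

```python
# Added example, not from the exim-users thread or the BlockCracking wiki:
# classify failed AUTH attempts per client IP as "stuck client" or
# "cracking" by hashing the secret each attempt carried.

import base64
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60      # same 5m window as the posted ratelimit
MAX_FAILURES = 7             # same count threshold as the posted ratelimit
MAX_DISTINCT_SECRETS = 2     # assumption: up to two stuck devices behind one NAT


def auth_secret_hash(smtp_command_argument):
    """Return a short hash of (authcid, password) taken from the text after
    "AUTH " (what $smtp_command_argument holds in acl_smtp_auth), or None
    when that text does not carry the password.

    Only PLAIN with an initial response exposes the password here.  The
    LOGIN initial response is the username alone; its password arrives on a
    later line that the AUTH ACL never sees.
    """
    mech, _, blob = smtp_command_argument.strip().partition(" ")
    if mech.upper() != "PLAIN" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True)
    except ValueError:            # binascii.Error is a ValueError
        return None
    fields = decoded.split(b"\0")  # RFC 4616: authzid NUL authcid NUL passwd
    if len(fields) != 3:
        return None
    return hashlib.sha256(fields[1] + b"\0" + fields[2]).hexdigest()[:16]


class AuthFailureTracker:
    """Sliding-window record of failed AUTH attempts per client IP, each
    tagged with the hash of the secret it carried."""

    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES,
                 max_distinct=MAX_DISTINCT_SECRETS):
        self.window = window
        self.max_failures = max_failures
        self.max_distinct = max_distinct
        self._failures = defaultdict(deque)   # ip -> deque of (timestamp, hash)

    def record_failure(self, ip, smtp_command_argument, timestamp):
        """Record one failed AUTH and return the verdict for this IP."""
        queue = self._failures[ip]
        queue.append((timestamp, auth_secret_hash(smtp_command_argument)))
        cutoff = timestamp - self.window
        while queue and queue[0][0] < cutoff:    # drop failures outside the window
            queue.popleft()
        return self.verdict(ip)

    def verdict(self, ip):
        queue = self._failures.get(ip, ())
        if len(queue) < self.max_failures:
            return "allow"
        hashes = [h for _, h in queue]
        if None in hashes:
            # password not visible (e.g. AUTH LOGIN): plain counting, as the
            # posted ACL does when acl_c_authhash is unset
            return "block"
        if len(set(hashes)) <= self.max_distinct:
            return "misconfigured-client"   # the same wrong secret over and over
        return "block"                       # many different secrets: cracking


def make_plain_arg(user, password):
    """Constructed AUTH PLAIN argument, as a client with an initial response sends it."""
    raw = b"\0" + user.encode() + b"\0" + password.encode()
    return "PLAIN " + base64.b64encode(raw).decode()


def simulate():
    """Constructed scenario: one office with a stuck Outlook, one cracker."""
    tracker = AuthFailureTracker()
    office, cracker = "203.0.113.10", "198.51.100.7"
    results = {}
    # Outlook hammering Send/Receive with the old password every 15 seconds
    for i in range(8):
        results[office] = tracker.record_failure(
            office, make_plain_arg("alice", "OldPassw0rd"), 1000 + 15 * i)
    # dictionary attack: a fresh guess on every attempt
    guesses = ["123456", "password", "qwerty", "letmein", "alice", "welcome1", "summer"]
    for i, guess in enumerate(guesses):
        results[cracker] = tracker.record_failure(
            cracker, make_plain_arg("alice", guess), 1000 + 10 * i)
    return results   # {office: "misconfigured-client", cracker: "block"}


if __name__ == "__main__":
    for ip, verdict in simulate().items():
        print(ip, verdict)
```

Counting distinct secrets across the whole window, instead of checking the rate of the single hash remembered at QUIT, means a cracker who repeats each guess only slows down rather than sidestepping the check. The LOGIN fallback is the reason the example hashes the PLAIN initial response only: for AUTH LOGIN the password is not in the AUTH command argument at all, so a deployment that relies on this trick needs clients to use PLAIN (or needs the hash to be captured elsewhere, which the ACLs alone cannot do).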
