On 2013-08-08 14:19, [email protected] wrote:
>> It would be used to close sessions used by accounts stolen by spammers.
>
> Do you already have compromised accounts blocked when automatically detected?
Yes.
> If not, then automatic blocking of new RCPT commands for a blocked account (and dropping all already-accepted recipients of the spam message that was the last straw which triggered the detector) is better than nothing, and I don't see much difference from killing connections.
I think I may see a difference (see below).
> Implement this at first:
> https://github.com/Exim/exim/wiki/BlockCracking
Thanks, I'll look at this tonight.
>> After detecting unusual rate of mails from one account
>
> How much exactly, and per what time period, do you consider unusual?
I'm doing simple statistics, i.e. I keep counters in a database (aggregated per day and account): mails, traffic size and number of recipients. So I can see that this particular user sends, for example, an average of 10 mails per day (averaged over 30 days). If I see a 500% increase in the number of mails sent, then it means that something's wrong.
I also have some static thresholds (like 1000 recipients/day) for cases when the above statistics fail.
> Did you ever see a botnet use SMTP and IMAP/POP3 for the same account simultaneously? For what?
I've seen bots gathering valid recipients from the victim's mailbox (this is what I guess; they just checked the headers of all emails).
But I'm interested in how many messages this will in fact drop.
> If you are really sure that such a botnet does in fact use multiple simultaneous connections authenticated with the same account, then you can add to the code linked above:
I'm sure; recently I've seen something like 20+ simultaneous connection attempts from different IPs.
Even worse, it looked a bit similar to ssh-dictionary-attack bots: every bot/IP was used to send no more than 1-3 mails.
best regards
--
Marcin Gryszkalis, PGP 0x9F183FA3
jabber jid:[email protected], gg:2532994
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
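The per-account counters Marcin describes (mails, traffic size and recipients aggregated per day, a 30-day average, a 500% jump or a static 1000 recipients/day as the trigger) can be turned into a small detector. The Python below is an added example for this page: it is not Exim code and not the poster's own tool. Everything not stated in the thread is an assumption of this example and is marked as such in the comments: the layout of the constructed log records, reading "500% increase" as today's count being at least six times the 30-day average, a floor of 5 mails/day on that average so a dormant account does not trip on a handful of mails, and a distinct-source-IP rule modelled on the "20+ IPs, 1-3 mails each" pattern from the last paragraph, which goes beyond what the thread itself implements.

```python
"""Per-account sending-rate anomaly detector built around the day/account
counters (mails, traffic size, recipients) described in the message above.

Added example for this page: not Exim code and not the poster's own detector.
Assumptions not taken from the thread: the record layout of the constructed
log, reading "500% increase" as today >= 6 x the 30-day average, a 5 mails/day
floor on that average, and the distinct-source-IP rule.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

SAMPLE_DAY = date(2013, 8, 8)  # "today" for the constructed sample log


@dataclass
class DayStats:
    """Counters aggregated per (account, day), as in the thread."""
    mails: int = 0
    size: int = 0                           # bytes of message data
    recipients: int = 0                     # RCPT TO count
    ips: set = field(default_factory=set)   # distinct source IPs (added signal)


def aggregate(records):
    """records: iterable of (day, account, size_bytes, rcpt_count, source_ip)."""
    stats = defaultdict(DayStats)
    for day, account, size, rcpts, ip in records:
        s = stats[(account, day)]
        s.mails += 1
        s.size += size
        s.recipients += rcpts
        s.ips.add(ip)
    return dict(stats)


def baseline_mails(stats, account, today, window=30):
    """Average mails/day over the `window` days before `today`; days with no
    mail count as zero, so a dormant account has a near-zero baseline."""
    total = sum(stats.get((account, today - timedelta(days=d)), DayStats()).mails
                for d in range(1, window + 1))
    return total / window


def evaluate(stats, account, today, increase_pct=500, min_baseline=5.0,
             max_recipients=1000, max_ips=20, max_mails_per_ip=3):
    """Return the rules `account` trips on `today` (empty list = looks normal)."""
    cur = stats.get((account, today), DayStats())
    reasons = []
    avg = baseline_mails(stats, account, today)
    # "500% increase" read as today >= (1 + 500/100) x average; the floor is an
    # assumption so that 0 -> 1 mail is not a 100x jump.
    threshold = max(avg, min_baseline) * (1 + increase_pct / 100.0)
    if cur.mails >= threshold:
        reasons.append(f"mails: {cur.mails} today vs 30-day average {avg:.1f} "
                       f"(threshold {threshold:.0f})")
    # Static threshold from the thread, for accounts whose history is useless.
    if cur.recipients >= max_recipients:
        reasons.append(f"recipients: {cur.recipients} >= {max_recipients}/day")
    # Many source IPs each sending only a few mails: the ssh-bot-like pattern
    # (assumed rule, not from the thread).
    if len(cur.ips) >= max_ips and cur.mails <= len(cur.ips) * max_mails_per_ip:
        reasons.append(f"ips: {len(cur.ips)} distinct sources for {cur.mails} mails")
    return reasons


def scan(stats, today):
    """Map each account with at least one tripped rule to its reasons."""
    accounts = {account for account, _ in stats}
    hits = {a: evaluate(stats, a, today) for a in sorted(accounts)}
    return {a: r for a, r in hits.items() if r}


def sample_records(today=SAMPLE_DAY):
    """Constructed log (not real data): 30 quiet days, then one bad day."""
    recs = []
    normal = (("alice", "198.51.100.10"), ("bob", "198.51.100.11"),
              ("carol", "198.51.100.12"))
    for d in range(1, 31):
        day = today - timedelta(days=d)
        for account, ip in normal:
            recs += [(day, account, 4000, 1, ip)] * 10   # 10 mails/day each
    # alice: stolen credentials used for a bulk run from a single new IP
    recs += [(today, "alice", 9000, 5, "203.0.113.7")] * 80
    # bob: a bit busier than usual, still normal
    recs += [(today, "bob", 4000, 1, "198.51.100.11")] * 12
    # carol: only 50 mails, but 2 each from 25 different bot IPs
    for i in range(25):
        recs += [(today, "carol", 4000, 1, f"203.0.113.{100 + i}")] * 2
    # dave: no history at all, 3 mails with 400 recipients each
    recs += [(today, "dave", 60000, 400, "198.51.100.13")] * 3
    return recs


if __name__ == "__main__":
    for account, reasons in scan(aggregate(sample_records()), SAMPLE_DAY).items():
        print(account, "->", "; ".join(reasons))
```

Running it flags alice on the rate rule (80 mails against a baseline of 10), dave on the static recipient threshold despite having no history, and carol only on the distinct-IP rule, since 50 mails is below her 60-mail threshold; bob's 12 mails pass. Whatever the detector flags, the action side (blocking the account, refusing further RCPT commands, or killing live sessions, which is what the thread is about) is a separate step and is not part of this example.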