On Thu, Aug 8, 2013 at 7:03 AM, Marcin Gryszkalis <[email protected]> wrote:

>> Implement this at first: https://github.com/Exim/exim/wiki/BlockCracking
>
> Thanks, I'll look at this tonight.

The exim configuration above will get rid of nearly all of your issues.

>>> After detecting unusual rate of mails from one account
>>
>> How much exactly and per what time period do you consider unusual?
>
> I'm doing simple statistics, i.e. I keep counters in database (aggregated for
> day and account): mails, traffic size and recipients number. So I can see that
> this particular user sends for example an average of 10 mails per day (averaged
> over 30 days). If I see a 500% increase in number of mails sent then it means
> that something's wrong.
> I also have some static thresholds (like 1000 recipients/day) for cases when
> the above statistics fail.

Behavior of the abuse source indicates what's ultimately doing it:

1) Multiple IPs send with SMTP Auth, more than N IP addresses per $INTERVAL.
   Typical of a botnet. How did the botnet get the user/pass?
   Could be a trojan on his Windows machine.
   Could be your pop/imap servers don't detect and/or block brute force.
   Could be your smtp auth servers don't detect and/or block brute force.
   (The URL authored by Lena will solve MUCH of this for you).

2) One single IP sends with SMTP Auth, more than N messages per $INTERVAL.
   Typical of a spamware trojan on the customer's computer.

2b) One single IP sends with SMTP Auth, more than N messages per connection.

>> Did you ever see a botnet use SMTP and IMAP/POP3 for the same account
>> simultaneously? For what?

No, not noticed, but...

> I've seen bots gathering valid recipients from victim's mailbox (this is
> what I guess - they just checked headers for all emails).

I never looked for this particular signal. I'll pay attention in the future.

>> But I'm interested how many messages this will in fact drop.
>> If you are really sure that such botnet does in fact use
>> multiple simultaneous connections authenticated with the same account
>> then you can add to the code linked above:

Here is a typical botnet abused account for me:

2013-08-01 -> mailbox [email protected]: (13)
  109.162.53.114 => 1
  113.179.7.245 => 1
  178.127.206.42 => 1
  178.172.228.184 => 1
  178.45.98.44 => 1
  212.76.21.55 => 1
  213.111.169.21 => 1
  37.212.92.153 => 1
  37.45.134.250 => 1
  37.45.202.213 => 1
  46.28.69.81 => 1
  77.121.250.77 => 1
  84.238.189.212 => 1
  Last connection from 77.121.250.77 at 11:59:03

> I'm sure, recently I've seen something like 20+ simultaneous connection
> attempts from different IPs.
> Even worse - it looked a bit similar to ssh-dictionary-attack bots: every
> bot/ip was used to send no more than 1-3 mails.

I see that too. They keep the number of emails per session down so that it
doesn't trip other types of spam detection (i.e. 2b above).

...Todd

--
The total budget at all receivers for solving senders' problems is $0. If you
want them to accept your mail and manage it the way you want, send it the way
the spec says to. --John Levine

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
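The two detection ideas in this thread (Todd's per-account distinct-IP and per-IP message counts over an interval, and Marcin's 30-day baseline with a static recipient cap), as an added example that is not code from the thread, from Exim or from the BlockCracking wiki page. The log line format, the account names and the thresholds N, $INTERVAL, the 15-minute window and the 5-IP limit are all constructed assumptions; the 500% and 1000 recipients/day figures are the ones quoted above.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical line format (not Exim's own log syntax).
SAMPLE_LOG = """\
2013-08-01 11:50:03 auth=victim@example.org ip=109.162.53.114 rcpts=1
2013-08-01 11:51:17 auth=victim@example.org ip=113.179.7.245 rcpts=1
2013-08-01 11:52:40 auth=victim@example.org ip=178.127.206.42 rcpts=1
2013-08-01 11:54:09 auth=victim@example.org ip=178.172.228.184 rcpts=2
2013-08-01 11:55:31 auth=victim@example.org ip=178.45.98.44 rcpts=1
2013-08-01 11:57:22 auth=victim@example.org ip=212.76.21.55 rcpts=1
2013-08-01 11:59:03 auth=victim@example.org ip=77.121.250.77 rcpts=1
2013-08-01 11:58:00 auth=alice@example.org ip=198.51.100.7 rcpts=3
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, account, ip, rcpts) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
            kv = dict(f.split("=", 1) for f in line[20:].split())
            events.append((ts, kv["auth"], kv["ip"], int(kv["rcpts"])))
    return events

def classify(events, window=timedelta(minutes=15), max_ips=5, max_msgs=50):
    """Per account, inspect the window ending at its latest submission.
    'many-ips': more than max_ips distinct client addresses (Todd's pattern 1);
    'busy-ip': one address with more than max_msgs submissions (pattern 2).
    The window and both limits are assumed values; the thread does not fix N."""
    by_acct = defaultdict(list)
    for ev in events:
        by_acct[ev[1]].append(ev)
    verdicts = {}
    for acct, evs in by_acct.items():
        end = max(e[0] for e in evs)
        per_ip = Counter(e[2] for e in evs if end - e[0] <= window)
        reasons = []
        if len(per_ip) > max_ips:
            reasons.append("many-ips")
        if max(per_ip.values()) > max_msgs:
            reasons.append("busy-ip")
        verdicts[acct] = reasons
    return verdicts

def spike_vs_baseline(history, today, factor=5.0, max_rcpts=1000):
    """Marcin's check: today's mail count against the average of the previous
    days (a 500% increase read as today >= (1 + factor) * average), with the
    static 1000 recipients/day cap as the fallback when the average is useless."""
    avg = sum(history) / len(history) if history else 0.0
    spike = avg and today["mails"] >= (1.0 + factor) * avg
    return bool(spike) or today["rcpts"] >= max_rcpts
```

In the sample the compromised account shows seven distinct client addresses sending one or two messages each inside nine minutes, which is exactly the "many IPs, few messages per IP" shape that a per-connection or per-IP limit (2b) never catches.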
