On 2013-08-08, [email protected] <[email protected]> wrote:
>> From: Marcin Gryszkalis
>
>> I wonder if it's possible to disconnect all active sessions for a given
>> authenticated user.
>
>> It would be used to close sessions used by accounts stolen by spammers.
>
> Do you already have compromised accounts blocked when automatically detected?
> If not, then automatic blocking of new RCPT commands for a blocked account
> (and dropping all already accepted recipients of the spam message which
> was the last straw that triggered the detector) is better than nothing,
> and I don't see much difference from killing connections.
> Implement this at first: https://github.com/Exim/exim/wiki/BlockCracking
> After it triggers, tell us whether it in fact did its job
> and how many unfrozen spams via that compromised account in the queue
> you saw. You'll see frozen spam, but I'm interested in the
> quantity of unfrozen.
>
>> After detecting an unusual rate of mails from one account
>
> How much exactly, and per what time period, do you consider unusual?
>
>> I lock it in a database, freeze
>> all suspicious mails in the queue, send an alert to postmaster
>
> The code linked above does all this.
>
>> and close all imap/pop3
>> sessions (with `doveadm kick user@`)
>
> Did you ever see a botnet use SMTP and IMAP/POP3 for the same account
> simultaneously? For what?
I've seen them use dictionary attacks against POP3 to get passwords for
SMTP-AUTH (or presumably for SMTP-after-POP3).

-- 
⚂⚃ 100% natural

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
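An added example, not code from the thread or from Exim's BlockCracking wiki, of the first step Marcin describes (detecting an unusual submission rate from one authenticated account): a sliding-window count of authenticated `<=` lines per user in Exim's mainlog, returning the queue ids that would be frozen once the account is locked. The log lines are constructed, the regex assumes the default mainlog field layout, and the limit of 3 messages per 60 seconds is an arbitrary assumption, since the thread never settles what counts as unusual.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# "<=" (message received) lines of Exim's mainlog: timestamp, queue id and,
# for authenticated submissions, the A=<authenticator>:<user> field.
# Field order can differ with log_selector; this parser assumes the default.
RECEIVED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<qid>\S+) <= \S+ .*?"
    r"\bA=(?P<mech>[^:\s]+):(?P<user>\S+)"
)

def flag_accounts(lines, limit, window_seconds):
    """Return {user: [queue ids]} for every authenticated user that submitted
    more than `limit` messages inside any `window_seconds` span. The list holds
    all of that user's submissions seen so far, i.e. the candidates to freeze
    (exim -Mf <id>) once the account is locked."""
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    all_ids = defaultdict(list)   # user -> every queue id submitted
    flagged = {}
    for line in lines:
        m = RECEIVED_RE.search(line)
        if not m:
            continue              # delivery line or unauthenticated relay
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user = m["user"]
        all_ids[user].append(m["qid"])
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # slide the window forward
        if len(q) > limit:
            flagged[user] = all_ids[user]   # same list object, keeps growing
    return flagged

# Constructed sample log: bob sends 4 messages in 45 s, carol 4 in 3 minutes,
# plus one unauthenticated inbound message and its delivery line.
SAMPLE_LOG = """\
2013-08-08 10:00:00 1V7aaa-000001-AA <= sender@example.net H=mx.example.net [198.51.100.5] P=esmtp S=900
2013-08-08 10:00:00 1V7aaa-000001-AA => local@example.org R=localuser T=local_delivery
2013-08-08 10:00:05 1V7bbb-000001-BB <= bob@example.org H=(pc) [192.0.2.10] P=esmtpa A=dovecot_login:bob@example.org S=2048
2013-08-08 10:00:20 1V7bbb-000002-BB <= bob@example.org H=(pc) [192.0.2.10] P=esmtpa A=dovecot_login:bob@example.org S=2048
2013-08-08 10:00:35 1V7bbb-000003-BB <= bob@example.org H=(pc) [192.0.2.10] P=esmtpa A=dovecot_login:bob@example.org S=2048
2013-08-08 10:00:50 1V7bbb-000004-BB <= bob@example.org H=(pc) [192.0.2.10] P=esmtpa A=dovecot_login:bob@example.org S=2048
2013-08-08 10:00:00 1V7ccc-000001-CC <= carol@example.org H=(laptop) [192.0.2.20] P=esmtpa A=dovecot_login:carol@example.org S=500
2013-08-08 10:01:00 1V7ccc-000002-CC <= carol@example.org H=(laptop) [192.0.2.20] P=esmtpa A=dovecot_login:carol@example.org S=500
2013-08-08 10:02:00 1V7ccc-000003-CC <= carol@example.org H=(laptop) [192.0.2.20] P=esmtpa A=dovecot_login:carol@example.org S=500
2013-08-08 10:03:00 1V7ccc-000004-CC <= carol@example.org H=(laptop) [192.0.2.20] P=esmtpa A=dovecot_login:carol@example.org S=500
"""
```

With `flag_accounts(SAMPLE_LOG.splitlines(), 3, 60)` only bob is flagged; widening the window to 300 seconds flags carol too, which is why the thread's question about the time period matters as much as the count.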
