On Tue, 27 May 2014, Paul Warren wrote:

> From: Paul Warren <[email protected]>
> To: [email protected]
> Date: Tue, 27 May 2014 19:03:23
> Subject: [exim] Dealing with Authenticated SMTP spam
>
> We're seeing a growing problem of spam being sent through our
> servers using compromised authenticated SMTP credentials.

...

> Does anyone have any suggestions for detecting and blocking, or at
> least limiting the impact of, such attacks?
>
> We're currently considering rate-limiting, or trying to detect
> where a single user is using multiple IPs in quick succession.

There's stuff in the Exim Wiki on precisely this subject. Have a look at Lena's suggested solution:

https://github.com/Exim/exim/wiki/BlockCracking

which may give you a few ideas even if it isn't precisely what's required.

I've never had to use anything like this myself so the above is just about all I know on the subject. But I get the distinct impression that the above is a well-crafted solution.

At the organisation where I used to work, we saw compromised accounts sending spam via the webmail server. Probably being script driven. So you may get a few hints from your webmail server if you run one. That server will see the connecting IPs, whereas exim may only see connections from the webmail server. Webmail server logs may be of interest.

-- 
Dennis Davis <[email protected]>

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
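As an added example, not part of the original thread or of the Exim wiki page: one way to do the "single user from multiple IPs in quick succession" check Paul mentions, run offline over Exim main-log arrival lines. It assumes the `<=` line carries the client address in `[...]` and the authenticated id in an `A=authenticator:user` field; the sample lines below are constructed, not taken from a real log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, shaped like Exim "<=" (message arrival) lines with
# authenticated submissions. Field layout is an assumption, not a real capture.
SAMPLE_LOG = """\
2014-05-27 19:00:01 1WpXa1-0001AA-AA <= alice@example.org H=(pc) [192.0.2.10] P=esmtpsa A=login:alice@example.org S=2048
2014-05-27 19:00:09 1WpXa2-0001AB-AB <= alice@example.org H=(pc) [198.51.100.7] P=esmtpsa A=login:alice@example.org S=2100
2014-05-27 19:00:15 1WpXa3-0001AC-AC <= alice@example.org H=(pc) [203.0.113.42] P=esmtpsa A=login:alice@example.org S=2077
2014-05-27 19:00:20 1WpXa4-0001AD-AD <= bob@example.org H=(laptop) [192.0.2.55] P=esmtpsa A=login:bob@example.org S=512
2014-05-27 19:00:40 1WpXa5-0001AE-AE <= alice@example.org H=(pc) [192.0.2.10] P=esmtpsa A=login:alice@example.org S=1990
2014-05-27 19:30:00 1WpXa6-0001AF-AF <= bob@example.org H=(laptop) [198.51.100.9] P=esmtpsa A=login:bob@example.org S=640
"""

# timestamp, then any "<=" line, first [addr], then A=<authenticator>:<user>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ .*?\[(?P<ip>[^\]]+)\].* A=\S+?:(?P<user>\S+)"
)


def parse(log_text):
    """Yield (timestamp, authenticated user, client IP) for each authenticated arrival."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def find_multi_ip_users(log_text, window=timedelta(minutes=10), min_ips=3):
    """Return {user: sorted IPs} for users seen from >= min_ips distinct IPs inside one window."""
    by_user = defaultdict(list)
    for ts, user, ip in parse(log_text):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):        # sliding window over the user's submissions
            while events[end][0] - events[start][0] > window:
                start += 1
            ips = {ip for _, ip in events[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    for user, ips in find_multi_ip_users(SAMPLE_LOG).items():
        print(f"{user}: {len(ips)} IPs within 10 min -> {', '.join(ips)}")
```

Thresholds are deliberately loose here; a real deployment would tune the window and IP count against normal roaming (mobile clients, NAT) before acting on a hit.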
