Hi Paul,

I’m dealing with this on a daily basis :(

My solution (not the perfect one!) is to allow only auth on TLS/submission (port 587) from outside our IP range for relay. After only a few days, the problem came back. I’ve applied a rate limit of 2 emails per minute for relay requests from outside our IP range.

I still monitor compromised SMTP accounts so I can reset the customer password. But I’m done with playing with the outbound SMTP server while requesting to be de-listed from blacklists!

Hope this helps ...

On 28 May 2014 at 05:03, Paul Warren <[email protected]> wrote:

> We're seeing a growing problem of spam being sent through our servers using
> compromised authenticated SMTP credentials.
>
> We suspect that the credentials are being stolen using malware on the users'
> computers (over which we have no control).
>
> Obviously we block the accounts as quickly as possible once we become aware
> of the problem, but typically by this point we'll be on multiple blacklists.
>
> Does anyone have any suggestions for detecting and blocking, or at least
> limiting the impact of, such attacks?
>
> We're currently considering rate-limiting, or trying to detect where a single
> user is using multiple IPs in quick succession.
>
> thanks,
>
> Paul
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

Bertrand Cherrier, Systems Administrator
[email protected]
www.mls.nc
@micrologicnc
On Facebook
Telephone: 24 99 24
VoIP: 65 24 99 24
Customer Service: 36 67 76 (58F/min)
