On 2014-05-27, Paul Warren <[email protected]> wrote:
> We're seeing a growing problem of spam being sent through our servers
> using compromised authenticated SMTP credentials.
>
> We suspect that the credentials are being stolen using malware on the
> users' computers (over which we have no control).
>
> Obviously we block the accounts as quickly as possible once we become
> aware of the problem, but typically by this point we'll be on multiple
> blacklists.
>
> Does anyone have any suggestions for detecting and blocking, or at least
> limiting the impact of, such attacks?

Some sort of rate-limit on the credential.

You could start compiling a list of spamtrap domains (but you'll only find them the hard way).

> We're currently considering rate-limiting, or trying to detect where a
> single user is using multiple IPs in quick succession.

Multiple IPs could be valid if they used the same creds for their laptop, phone, and document scanner, or if it's shared amongst a team.

--
umop apisdn

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
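The two ideas above (rate-limiting per credential, and spotting one credential submitting from several IPs in quick succession, while allowing a user a couple of devices) as an added example, not code from the thread or from Exim itself. The log lines are constructed in Exim main-log style (`A=` carries the authenticator and id, `H=` the client address); the thresholds, window and function names are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: alice uses a laptop and a phone at a normal pace,
# bob's credential bursts four messages from four addresses in ten seconds.
SAMPLE_LOG = """\
2014-05-27 09:00:01 1WpA01-0001Ab-Cd <= alice@example.com H=(laptop) [198.51.100.10] P=esmtpsa A=login:alice S=2048
2014-05-27 09:20:11 1WpA02-0001Ab-Cd <= alice@example.com H=(phone) [198.51.100.77] P=esmtpsa A=login:alice S=1024
2014-05-27 09:30:00 1WpA03-0001Ab-Cd <= bob@example.com H=(x) [203.0.113.5] P=esmtpsa A=login:bob S=900
2014-05-27 09:30:05 1WpA04-0001Ab-Cd <= bob@example.com H=(y) [203.0.113.6] P=esmtpsa A=login:bob S=900
2014-05-27 09:30:07 1WpA05-0001Ab-Cd <= bob@example.com H=(z) [192.0.2.44] P=esmtpsa A=login:bob S=900
2014-05-27 09:30:09 1WpA06-0001Ab-Cd <= bob@example.com H=(z) [192.0.2.45] P=esmtpsa A=login:bob S=900
"""

# Only authenticated message arrivals ("<=" with an A= field) are of interest.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ "
    r"H=.*?\[(?P<ip>[^\]]+)\] P=\S+ A=[^:\s]+:(?P<user>\S+)"
)


def parse(log_text):
    """Yield (timestamp, authenticated id, client ip) per matching line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def flag_accounts(log_text, window=timedelta(minutes=10), max_msgs=3, max_ips=2):
    """Return {authenticated id: [reasons]} for credentials that exceed either
    a message count or a distinct-IP count inside any sliding window.
    max_ips=2 tolerates a laptop plus a phone; a shared team credential
    (as the reply notes) would need a higher per-account allowance."""
    events = defaultdict(list)
    for ts, user, ip in parse(log_text):
        events[user].append((ts, ip))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        peak_msgs = peak_ips = 0
        for i, (start, _) in enumerate(evs):
            ips = [ip for ts, ip in evs[i:] if ts - start <= window]
            peak_msgs = max(peak_msgs, len(ips))
            peak_ips = max(peak_ips, len(set(ips)))
        reasons = []
        if peak_msgs > max_msgs:
            reasons.append(f"{peak_msgs} messages within {window}")
        if peak_ips > max_ips:
            reasons.append(f"{peak_ips} distinct IPs within {window}")
        if reasons:
            flagged[user] = reasons
    return flagged
```

Inside Exim itself the first half of this can be done at SMTP time with the `ratelimit` ACL condition keyed on `$authenticated_id` rather than the default client address, which throttles a stolen credential wherever it is used from.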
