On Tue, May 27, 2014 at 11:03 AM, Paul Warren <[email protected]> wrote:
> We're seeing a growing problem of spam being sent through our servers using
> compromised authenticated SMTP credentials.
> We suspect that the credentials are being stolen using malware on the users'
> computers (over which we have no control).

Or the user/pass is weak, or the user/pass is the same as some other system that it was obtained from. It's a very common problem.

> Obviously we block the accounts as quickly as possible once we become aware
> of the problem, but typically by this point we'll be on multiple blacklists.

Right, the trick is to automate the detection. Sounds easy, a bit harder in practice. Another poster I feel was extremely insightful with the labels of fast and slow detection.

> Does anyone have any suggestions for detecting and blocking, or at least
> limiting the impact of, such attacks?
> We're currently considering rate-limiting, or trying to detect where a
> single user is using multiple IPs in quick succession.

Here are a few areas that I've had to directly address when dealing with abuse:

1. Single user coming from multiple IPs to auth - I wrote something which tails the logs, extracts SMTP Auth logins, and puts the IPs an account logs in from into memcache. When the number of IPs exceeds a threshold, change the account's password (allows them to still receive email, but it stops them from logging in). Beware that mobile phones are the wildcard here. Lots of mobile phone systems appear to change IPs as the phone moves from tower to tower, so you have to identify those ranges which can be counted as "one" access.

2. Single user sending out lots of emails - Using ratelimiting to control. Have limits set per hour and per 24 hour period. Anytime we find a customer hitting these limits, we strongly advise them to use the CRM system, which provides much better feedback/tracking, bounce detection, unsubscribe, etc., as compared to just sending out via SMTP Auth.

3. Single user sending out lots of emails but using a bogus envelope from - We had a problem a while back where a lot of email was seeming to originate from *@aol.com. I had to specifically block that envelope sender for smtp auth accounts (and did the same for *@yahoo and *@gmail).

4. Single user sending out a reasonable amount of email, but a large percentage of them are rejected - Have to have the smarts to determine that a rejection is a bounce due to an invalid/non-existent user, as opposed to rejected because it scored as spam, or the recipient hates the sender and added them to a blacklist, etc. Detect invalid recipients and provide the customer with the list, a warning, and instruct them to remove invalid users.

5. Lena's cracked account blocking - FREAKING AWESOME

...Todd

--
The total budget at all receivers for solving senders' problems is $0. If you want them to accept your mail and manage it the way you want, send it the way the spec says to. --John Levine

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
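Items 1 and 2 of Todd's list (distinct client IPs per account, with mobile carrier ranges collapsed to a single source, plus per-hour and per-24-hour submission limits) can be prototyped as one log-tailing monitor. The following is an added example, not code from the list post or from Exim; the log lines are constructed in Exim's `<=` arrival-line layout with made-up hosts and addresses, an in-memory dict stands in for the memcache store the post mentions, and the carrier range and thresholds are hypothetical values chosen to make the sample data trip the checks.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Exim-style main-log "<=" arrival lines. Hosts, accounts and
# addresses are made up for this example; the field layout (H=, [ip], P=, A=)
# follows Exim's log format, with A=<authenticator>:<id> marking an
# authenticated submission.
SAMPLE_LOG = """\
2014-05-27 10:00:01 1WpABC-000001-AA <= alice@example.net H=(pc1) [198.51.100.10] P=esmtpa A=login:alice@example.net S=1200
2014-05-27 10:00:05 1WpABC-000002-AA <= alice@example.net H=(pc1) [198.51.100.10] P=esmtpa A=login:alice@example.net S=1100
2014-05-27 10:01:00 1WpABC-000003-AA <= bob@example.net H=(phone) [203.0.113.21] P=esmtpsa A=plain:bob@example.net S=900
2014-05-27 10:02:00 1WpABC-000004-AA <= bob@example.net H=(phone) [203.0.113.77] P=esmtpsa A=plain:bob@example.net S=950
2014-05-27 10:03:00 1WpABC-000005-AA <= bob@example.net H=(phone) [203.0.113.130] P=esmtpsa A=plain:bob@example.net S=910
2014-05-27 10:04:00 1WpABC-000006-AA <= carol@example.net H=(h1) [192.0.2.1] P=esmtpa A=login:carol@example.net S=800
2014-05-27 10:04:10 1WpABC-000007-AA <= carol@example.net H=(h2) [192.0.2.55] P=esmtpa A=login:carol@example.net S=810
2014-05-27 10:04:20 1WpABC-000008-AA <= carol@example.net H=(h3) [198.51.100.200] P=esmtpa A=login:carol@example.net S=820
2014-05-27 10:04:30 1WpABC-000009-AA <= carol@example.net H=(h4) [203.0.113.250] P=esmtpa A=login:carol@example.net S=830
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\] .*?\bA=[^:\s]+:(?P<account>\S+)"
)


def parse_auth_submissions(log_text):
    """Yield (timestamp, account, client_ip) for every authenticated '<=' line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("account"), m.group("ip")


class AuthAbuseMonitor:
    """Sliding-window tracker for per-account client IPs and message volume.

    Plain dicts stand in for the memcache store mentioned on the list; the
    thresholds are hypothetical and would be tuned per site.
    """

    def __init__(self, carrier_ranges=(), ip_threshold=3,
                 ip_window=timedelta(hours=1), hourly_limit=100, daily_limit=1000):
        # Ranges (e.g. a mobile carrier's pool) whose addresses count as one source.
        self.carrier_ranges = [ipaddress.ip_network(r) for r in carrier_ranges]
        self.ip_threshold = ip_threshold
        self.ip_window = ip_window
        self.hourly_limit = hourly_limit
        self.daily_limit = daily_limit
        self.history = defaultdict(deque)  # account -> deque of (ts, ip_key)

    def ip_key(self, ip):
        """Collapse any address inside a carrier range to the range itself."""
        addr = ipaddress.ip_address(ip)
        for net in self.carrier_ranges:
            if addr in net:
                return str(net)
        return ip

    def observe(self, ts, account, ip):
        """Record one submission; return the alert reasons it triggers (may be empty)."""
        hist = self.history[account]
        hist.append((ts, self.ip_key(ip)))
        # Drop anything older than the longest window we care about (24h).
        while hist and hist[0][0] < ts - timedelta(hours=24):
            hist.popleft()
        reasons = []
        distinct_sources = {key for t, key in hist if t >= ts - self.ip_window}
        if len(distinct_sources) > self.ip_threshold:
            reasons.append("ip_threshold")
        last_hour = sum(1 for t, _ in hist if t >= ts - timedelta(hours=1))
        if last_hour > self.hourly_limit:
            reasons.append("hourly_limit")
        if len(hist) > self.daily_limit:
            reasons.append("daily_limit")
        return reasons


def scan_log(log_text, monitor=None):
    """Run the monitor over a log and return {account: sorted alert reasons}."""
    if monitor is None:
        # Hypothetical site settings: 203.0.113.0/24 plays the mobile carrier pool.
        monitor = AuthAbuseMonitor(carrier_ranges=("203.0.113.0/24",),
                                   ip_threshold=3, hourly_limit=3, daily_limit=10)
    flagged = defaultdict(set)
    for ts, account, ip in parse_auth_submissions(log_text):
        for reason in monitor.observe(ts, account, ip):
            flagged[account].add(reason)
    return {acct: sorted(r) for acct, r in flagged.items()}


if __name__ == "__main__":
    for account, reasons in scan_log(SAMPLE_LOG).items():
        print(f"{account}: {', '.join(reasons)} -> change password / lock account")
```

With the carrier range configured, bob's three addresses in 203.0.113.0/24 count as one source and he is left alone, while carol trips both the distinct-source and hourly checks; drop the carrier range or lower `ip_threshold` and bob is flagged too, which is exactly the mobile false positive the post warns about. In production the `observe` result would drive the password change or account lock rather than a print.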
