On 28/05/2014 14:31, Todd Lyons wrote:
> On Tue, May 27, 2014 at 11:03 AM, Paul Warren <[email protected]> wrote:
>> We're seeing a growing problem of spam being sent through our servers using
>> compromised authenticated SMTP credentials.
>> We suspect that the credentials are being stolen using malware on the users'
>> computers (over which we have no control).
> Or the user/pass is weak, or the user/pass is the same as some other
> system that it was obtained from. It's a very common problem.

True, although we've got no evidence of brute forcing, and I'd be
slightly surprised if the miscreants would go to the effort of locating our
mail server details based on credentials obtained from elsewhere (I
can't see how that part could be automated).
> Here are a few areas that I've had to directly address when dealing with abuse:
> 1. Single user coming from multiple IPs to auth - I wrote something
> which tails the logs, extracts SMTP Auth logins, and puts the IPs an
> account logs in from into memcache. When the number of IPs exceeds a
> threshold, change the account's password (allows them to still
> receive email, but it stops them from logging in).
OOI how does that allow them to receive email? Or do you mean that you
queue it?

> Beware that mobile
> phones are the wildcard here. Lots of mobile phone systems appear to
> change IPs as they move from tower to tower, so you have to identify
> those ranges which can be counted as "one" access.

That's worth knowing. We've got a one-liner which gives us volume by IP
and account ID which is good at showing us problems, but it's not yet
automatically doing anything with it.
Thanks for the other suggestions too - plenty to think about.
Paul
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
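An added example (not code from either poster and not part of Exim) of the detection step Todd describes: parse Exim main-log `<=` lines for authenticated submissions (the `A=authenticator:user` field), collect the distinct source IPs per account, collapse a carrier range into a single "access" as Todd suggests for mobile phones, and report accounts whose source count exceeds a threshold, alongside the per-account volume Paul's one-liner gives. The log lines, the 198.51.100.0/24 "carrier" range and the threshold of 2 are all constructed for the demonstration; a plain dictionary stands in for memcache, and what to do with a flagged account (Todd changes the password) is left to the operator.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Exim main-log "<=" format (not real traffic).
# Authenticated submissions carry "A=<authenticator>:<user>"; the last line
# is ordinary inbound MX traffic with no A= field and must be ignored.
SAMPLE_LOG = """\
2014-05-27 11:03:12 1WpXyz-0001Ab-Cd <= alice@example.org H=(pc1) [192.0.2.10] P=esmtpsa A=plain:alice@example.org S=1234
2014-05-27 11:04:40 1WpXyz-0001Ac-Ef <= alice@example.org H=(pc1) [192.0.2.10] P=esmtpsa A=plain:alice@example.org S=1280
2014-05-27 11:05:02 1WpXyz-0001Ad-Gh <= bob@example.org H=(phone) [198.51.100.7] P=esmtpsa A=login:bob@example.org S=900
2014-05-27 11:09:15 1WpXyz-0001Ae-Ij <= bob@example.org H=(phone) [198.51.100.9] P=esmtpsa A=login:bob@example.org S=910
2014-05-27 11:12:33 1WpXyz-0001Af-Kl <= carol@example.org H=(a) [203.0.113.5] P=esmtpsa A=plain:carol@example.org S=5000
2014-05-27 11:12:35 1WpXyz-0001Ag-Mn <= carol@example.org H=(b) [203.0.113.77] P=esmtpsa A=plain:carol@example.org S=5000
2014-05-27 11:12:38 1WpXyz-0001Ah-Op <= carol@example.org H=(c) [192.0.2.200] P=esmtpsa A=plain:carol@example.org S=5000
2014-05-27 11:12:41 1WpXyz-0001Ai-Qr <= carol@example.org H=(d) [198.51.100.200] P=esmtpsa A=plain:carol@example.org S=5000
2014-05-27 11:13:00 1WpXyz-0001Aj-St <= dave@example.org H=(mx) [192.0.2.33] P=esmtps S=2000
"""

# Source address in brackets, then the A= field; the user is everything after
# the first colon (Exim logs authenticator:authenticated_id).
AUTH_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\].*?\sA=[^:\s]+:(?P<user>\S+)")


def access_key(ip, aggregate_nets):
    """Map an address to the carrier range it falls in, else to itself.

    Addresses inside an aggregated range all count as one access, which is
    the "treat the mobile range as one" rule from the thread."""
    addr = ipaddress.ip_address(ip)
    for net in aggregate_nets:
        if addr in net:
            return str(net)
    return ip


def summarise(log_text, aggregate_nets=()):
    """Per authenticated user: set of access keys and number of messages."""
    nets = [ipaddress.ip_network(n) for n in aggregate_nets]
    stats = defaultdict(lambda: {"sources": set(), "messages": 0})
    for line in log_text.splitlines():
        if " <= " not in line:          # only message-arrival lines
            continue
        m = AUTH_RE.search(line)
        if not m:                       # unauthenticated (e.g. inbound MX)
            continue
        entry = stats[m.group("user")]
        entry["sources"].add(access_key(m.group("ip"), nets))
        entry["messages"] += 1
    return dict(stats)


def flag_accounts(stats, max_sources):
    """Users seen from more distinct access keys than the threshold allows."""
    return sorted(u for u, s in stats.items() if len(s["sources"]) > max_sources)


if __name__ == "__main__":
    # 198.51.100.0/24 is a constructed stand-in for a mobile carrier range.
    stats = summarise(SAMPLE_LOG, aggregate_nets=["198.51.100.0/24"])
    for user, s in sorted(stats.items(), key=lambda kv: -kv[1]["messages"]):
        print(f"{s['messages']:4d} msgs  {len(s['sources'])} source(s)  {user}")
    print("over threshold:", flag_accounts(stats, max_sources=2))
```

With the carrier range aggregated, bob's two tower addresses collapse to one access and only carol (four unrelated sources in a few seconds) is reported; without aggregation bob would be a false positive, which is exactly the mobile caveat Todd raises. In a real deployment the dictionary would be a memcache entry with an expiry so that stale addresses age out, and the feed would come from tailing the live log rather than a string.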