On 28/05/2014 14:02, Jasen Betts wrote:
> On 2014-05-27, Paul Warren <[email protected]> wrote:
>> We're seeing a growing problem of spam being sent through our servers
>> using compromised authenticated SMTP credentials.
>>
>> Does anyone have any suggestions for detecting and blocking, or at least
>> limiting the impact of, such attacks?
>
> You could start compiling a list of spamtrap domains. (but you'll only
> find them the hard way)

Can you elaborate on what you mean by this one?

>> We're currently considering rate-limiting, or trying to detect where a
>> single user is using multiple IPs in quick succession.
>
> Multi IPs could be valid if they used the same creds for their laptop,
> phone, and document scanner, or if it's shared amongst a team.

True. Multiple IPs in quick succession (or even simultaneously) seem to be a feature of the attacks that we've seen, but perhaps trying to block based on this feature without false positives isn't feasible.

Paul
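The two heuristics discussed in this thread (per-user rate limiting, and a single account submitting from many source addresses in a short window) can be prototyped offline against the mainlog before touching the live configuration. The script below is an added example, not code from the list or from the Exim project. It parses the standard Exim "<=" arrival lines, keying on the `A=authenticator:id` field for the authenticated user and the `[ip]` after `H=` for the submitting host, and keeps a sliding window per user. The log lines, the user names, and the thresholds (5 messages or more than 4 distinct IPs in 10 minutes) are constructed assumptions; "alice" models the laptop-plus-phone case raised above and is deliberately not flagged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Exim mainlog "<=" arrival records (assumption,
# not real traffic). "alice" submits from two devices; "bob" bursts from six addresses.
# The final line is an unauthenticated relay arrival and must be ignored by the parser.
SAMPLE_LOG = """\
2014-05-27 10:00:01 1WpXyz-0001aB-Cd <= alice@example.org H=(laptop) [192.0.2.10] P=esmtpsa A=plain:alice S=1420
2014-05-27 10:02:30 1WpXyz-0001aC-Cd <= alice@example.org H=(phone) [192.0.2.11] P=esmtpsa A=plain:alice S=980
2014-05-27 10:05:12 1WpXyz-0001aD-Cd <= alice@example.org H=(laptop) [192.0.2.10] P=esmtpsa A=plain:alice S=2100
2014-05-27 10:10:00 1WpXyz-0001aE-Cd <= bob@example.org H=(x) [203.0.113.5] P=esmtpsa A=login:bob S=3100
2014-05-27 10:10:09 1WpXyz-0001aF-Cd <= bob@example.org H=(x) [203.0.113.6] P=esmtpsa A=login:bob S=3100
2014-05-27 10:10:20 1WpXyz-0001aG-Cd <= bob@example.org H=(x) [198.51.100.7] P=esmtpsa A=login:bob S=3100
2014-05-27 10:10:31 1WpXyz-0001aH-Cd <= bob@example.org H=(x) [198.51.100.8] P=esmtpsa A=login:bob S=3100
2014-05-27 10:10:44 1WpXyz-0001aI-Cd <= bob@example.org H=(x) [203.0.113.9] P=esmtpsa A=login:bob S=3100
2014-05-27 10:10:58 1WpXyz-0001aJ-Cd <= bob@example.org H=(x) [192.0.2.200] P=esmtpsa A=login:bob S=3100
2014-05-27 10:11:10 1WpXyz-0001aK-Cd <= bob@example.org H=(x) [203.0.113.5] P=esmtpsa A=login:bob S=3100
2014-05-27 10:11:25 1WpXyz-0001aL-Cd <= bob@example.org H=(x) [198.51.100.7] P=esmtpsa A=login:bob S=3100
2014-05-27 10:12:00 1WpXyz-0001aM-Cd <= news@example.net H=relay.example.net [192.0.2.50] P=esmtp S=500
"""

# Authenticated arrival: timestamp, message id, "<=" sender, H=host [ip], ..., A=auth:user.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ "
    r"H=.*?\[(?P<ip>[0-9a-fA-F.:]+)\] .*?A=\w+:(?P<user>\S+)"
)


def parse_auth_events(log_text):
    """Return a list of (timestamp, user, ip) for authenticated submissions only."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unauthenticated arrival, delivery line, or other record
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def detect_abuse(events, window=timedelta(minutes=10), max_msgs=5, max_ips=4):
    """Map user -> set of reasons ("rate", "many-ips") for users exceeding either
    threshold inside any sliding window of the given length. Thresholds are assumptions."""
    recent = defaultdict(deque)  # user -> deque of (ts, ip) still inside the window
    alerts = defaultdict(set)
    for ts, user, ip in sorted(events):
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()  # expire submissions older than the window
        if len(q) > max_msgs:
            alerts[user].add("rate")
        if len({seen_ip for _, seen_ip in q}) > max_ips:
            alerts[user].add("many-ips")
    return dict(alerts)


def analyse_log(log_text, **thresholds):
    """Convenience wrapper: parse the log text and return the alert map."""
    return detect_abuse(parse_auth_events(log_text), **thresholds)


if __name__ == "__main__":
    for user, reasons in sorted(analyse_log(SAMPLE_LOG).items()):
        print(f"{user}: {', '.join(sorted(reasons))}")
```

Run as-is it reports only `bob: many-ips, rate`; alice's two devices stay under the distinct-IP threshold, which is the false-positive concern raised in the reply. In practice the output is better used to trigger a throttle or a forced credential reset for the flagged account than as an outright block, and the thresholds should be set from the site's own baseline of legitimate per-user device counts.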


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
