On 2012-11-30, Paul Warren <[email protected]> wrote:
> On 28/05/2014 14:02, Jasen Betts wrote:
>> On 2014-05-27, Paul Warren <[email protected]> wrote:
>>> We're seeing a growing problem of spam being sent through our servers
>>> using compromised authenticated SMTP credentials.
>
>>> Does anyone have any suggestions for detecting and blocking, or at least
>>> limiting the impact of, such attacks?
>>
>> You could start compiling a list of spamtrap domains. (but you'll only
>> find them the hard way)
>
> Can you elaborate on what you mean by this one?
eg: (note: all the names are made up)

Suppose you get listed on bl.example.com. You find the first message in the logs announcing that and then look at the previous deliveries to try to find the one that triggered it (or sometimes the URL in the denial message will give you enough info). Suppose you find a message to [email protected] and investigate the MX and discover that it announces itself as a spamtrap; that's a fairly strong indication that there are no useful email addresses on that domain. So you block that domain (or that MX, or the IP address of that MX) and organise something to stop anyone who tries to send to it from sending any more email.

I do this in a no-verify router so that I don't leak the names of the spamtraps.

-- 
umop apisdn

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
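The detection half of the procedure described in the reply above (walk back through the log from the listing, find which authenticated login delivered to a known spamtrap domain, and put that login on the block list), as an added example that is not part of the original thread and not Jasen's or Exim's own code. It is a stand-alone Python script that works over a few constructed, simplified Exim-mainlog-style lines embedded inline; the message ids, hosts, users and the trap domain `trap.example.com` are all made-up assumptions, and the log format is reduced to the `<=` arrival and `=>`/`->` delivery lines the check needs. Actually locking the login and blackholing mail to the trap domain is left to the MTA configuration (the no-verify router the reply mentions); this script only produces the list.

```python
import re
from collections import defaultdict

# Constructed, simplified Exim mainlog lines for illustration (not from any real
# server). Message ids, names, hosts and the trap domain are all made up.
# The third message is unauthenticated (no A= field) and hits the trap anyway.
SAMPLE_LOG = """\
2014-05-27 14:01:03 1WpXaa-0001AB-CD <= alice@example.org H=(laptop) [192.0.2.10] P=esmtpsa A=login:alice@example.org S=812
2014-05-27 14:01:04 1WpXaa-0001AB-CD => bob@example.net R=dnslookup T=remote_smtp
2014-05-27 14:01:04 1WpXaa-0001AB-CD Completed
2014-05-27 14:02:10 1WpXbb-0001AC-EF <= bob@example.org H=(pc) [198.51.100.7] P=esmtpsa A=login:bob@example.org S=4096
2014-05-27 14:02:11 1WpXbb-0001AC-EF => victim@trap.example.com R=dnslookup T=remote_smtp
2014-05-27 14:02:11 1WpXbb-0001AC-EF -> other@mx.trap.example.com R=dnslookup T=remote_smtp
2014-05-27 14:02:11 1WpXbb-0001AC-EF Completed
2014-05-27 14:03:00 1WpXcc-0001AD-GH <= news@example.com H=lists.example.com [203.0.113.5] P=esmtp S=2048
2014-05-27 14:03:01 1WpXcc-0001AD-GH => carol@trap.example.com R=dnslookup T=remote_smtp
"""

# Spamtrap domains learned "the hard way", as the reply puts it (hypothetical value).
SPAMTRAP_DOMAINS = {"trap.example.com"}

# timestamp, message id, flag, rest-of-line; status lines such as "Completed" do not match
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) (?P<op><=|=>|->|\*\*|==) (?P<rest>.*)$"
)
# A=<authenticator>:<id> is Exim's record of a successful SMTP AUTH on arrival
AUTH_RE = re.compile(r"(?:^| )A=(?P<auth>\S+)")


def in_spamtrap(address, trap_domains):
    """True if the address's domain is a spamtrap domain or a subdomain of one."""
    if "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1].lower()
    return any(domain == t or domain.endswith("." + t) for t in trap_domains)


def parse_mainlog(text):
    """Group arrival and delivery lines by message id.

    Returns {msg_id: {"auth": "authenticator:id" or None, "recipients": [addr, ...]}}.
    """
    messages = defaultdict(lambda: {"auth": None, "recipients": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = messages[m.group("id")]
        op, rest = m.group("op"), m.group("rest")
        if op == "<=":
            a = AUTH_RE.search(rest)
            rec["auth"] = a.group("auth") if a else None
        else:
            # delivery (=>), extra recipient (->), failure (**) and deferral (==)
            # lines all start with the recipient address, sometimes in <>
            rec["recipients"].append(rest.split()[0].strip("<>"))
    return messages


def find_compromised(text, trap_domains=SPAMTRAP_DOMAINS):
    """Map each authenticated login to the spamtrap recipients it was used to hit.

    Unauthenticated mail (no A= field) is skipped: the thread is about abused
    SMTP AUTH credentials, and there is no login to lock in that case.
    """
    hits = defaultdict(set)
    for rec in parse_mainlog(text).values():
        if rec["auth"] is None:
            continue
        for rcpt in rec["recipients"]:
            if in_spamtrap(rcpt, trap_domains):
                hits[rec["auth"]].add(rcpt.lower())
    return {auth: sorted(r) for auth, r in hits.items()}


def logins_to_lock(text, trap_domains=SPAMTRAP_DOMAINS):
    """Authenticated ids (the part after the authenticator name) to disable."""
    return sorted(a.split(":", 1)[-1] for a in find_compromised(text, trap_domains))


if __name__ == "__main__":
    for auth, rcpts in find_compromised(SAMPLE_LOG).items():
        print(f"{auth} delivered to spamtrap: {', '.join(rcpts)}")
    print("logins to lock:", logins_to_lock(SAMPLE_LOG))
```

Run it against a real mainlog by passing the file contents instead of `SAMPLE_LOG`; the spamtrap set should stay in a file that is not world-readable, since publishing it would leak the trap names just as a verify-time rejection would.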
