On Tue, 19 Feb 2019, Mark Elkins via Exim-users wrote:
> I run a "relay" server for my e-mail clients - so they can send out
> e-mail from any network they are connected to (so useful for travelling
> laptops). This machine runs only on port 587, uses authentication (same
> password as for their POP3/IMAP account) - etc etc.
>
> Some nefarious people are continuously trying to discover valid username
> and password combos. Once they do - they flood that account with SPAM.
> Much bounces back to my clients - who after a few days tell me (delayed
> due to embarrassment?) Often, these "scans" are being done in what looks
> like quite a random way, from multiple IP addresses and reasonably
> infrequently - say once a minute.

Here's something else you might like to look into.

When we see accounts get compromised, we often see a few "test mails" get sent out to some known addresses to test the viability of the account. In our case, we've set it up so that messages to these addresses get frozen on the mail queue, so the nefarious people don't get those messages. That doesn't necessarily stop them using the compromised account, but can flag an early warning to us.

You might monitor your logfiles or whatever, perhaps arranging to freeze all mail from any account that sends to one of the probe addresses.

So for your next accounts that get compromised, try looking at the regular mail flow and see if you can pick out the probe addresses at the start of the use after compromise. They are sometimes quite obvious, usually hotmail/yahoo/gmail, and often with strings like 'zz' and 'test' in them, but often they are just regular other compromised accounts and trickier to spot.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager, Information Services Directorate,
University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.
-- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
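The log-monitoring idea in the reply above (pick out authenticated accounts whose first messages after a compromise go to known "probe" addresses) can be scripted against Exim's mainlog. The following is an added example, not code from the poster or from the Exim project. It assumes the default mainlog format, where a message arrival line carries `<=` and an `A=<authenticator>:<user>` field for authenticated submissions and each delivery attempt line carries `=>`, `->`, `==` or `**` followed by the recipient; the sample log lines, the probe-address list, the freemail domain set and the `zz`/`test` local-part heuristic (taken from the reply's description) are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample Exim mainlog excerpt (not real traffic). Two accounts
# submit via authenticated SMTP (P=esmtpsa, A=plain:<user>); carol's messages
# go to addresses that look like post-compromise probes.
SAMPLE_LOG = """\
2019-02-19 09:58:12 1gvlq2-0004Xy-Ab <= alice@example.net H=(laptop) [192.0.2.10] P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 A=plain:alice@example.net S=1432 id=abc@example.net
2019-02-19 09:58:13 1gvlq2-0004Xy-Ab => bob@example.org R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.5]
2019-02-19 09:58:13 1gvlq2-0004Xy-Ab Completed
2019-02-19 10:02:44 1gvlud-0004Zq-Kx <= carol@example.net H=(WIN-9F2) [203.0.113.77] P=esmtpsa A=plain:carol@example.net S=612 id=1@localhost
2019-02-19 10:02:44 1gvlud-0004Zq-Kx => zztest4411@hotmail.com R=dnslookup T=remote_smtp H=mx.hotmail.com [198.51.100.9]
2019-02-19 10:02:44 1gvlud-0004Zq-Kx Completed
2019-02-19 10:03:01 1gvluy-0004Zr-Pm <= carol@example.net H=(WIN-9F2) [203.0.113.77] P=esmtpsa A=plain:carol@example.net S=590 id=2@localhost
2019-02-19 10:03:01 1gvluy-0004Zr-Pm => probe.known@example.com R=dnslookup T=remote_smtp H=mx.example.com [198.51.100.12]
2019-02-19 10:03:01 1gvluy-0004Zr-Pm Completed
"""

# Arrival line: date time msgid <= sender ... A=authenticator:user ...
ARRIVAL = re.compile(r"^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+) .*\sA=(?P<auth>\S+)")
# Delivery/deferral/failure line: date time msgid (=>|->|==|**) recipient ...
DELIVERY = re.compile(r"^\S+ \S+ (?P<msgid>\S+) (?:=>|->|==|\*\*) (?P<rcpt>\S+)")

# Assumed freemail domains where obvious probe addresses tend to live.
FREEMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com", "outlook.com"}
# Assumed local-part markers, per the reply's observation ('zz', 'test').
PROBE_MARKERS = ("zz", "test")


def is_probe_address(addr, known_probes):
    """True if addr is a listed probe address or matches the weak heuristic
    (freemail domain plus a 'zz'/'test' style local part)."""
    addr = addr.lower().strip("<>")
    if addr in known_probes:
        return True
    if "@" not in addr:
        return False
    local, domain = addr.rsplit("@", 1)
    return domain in FREEMAIL_DOMAINS and any(m in local for m in PROBE_MARKERS)


def find_compromised(log_text, known_probes):
    """Map authenticated account -> [(msgid, probe recipient), ...] for every
    authenticated submission that was addressed to a probe address.
    Messages whose arrival line is missing (e.g. rotated away) are ignored,
    as are unauthenticated arrivals, since only AUTH users can relay here."""
    known = {p.lower() for p in known_probes}
    auth_user_by_msgid = {}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            # A=plain:carol@example.net -> carol@example.net
            auth = m.group("auth")
            auth_user_by_msgid[m.group("msgid")] = auth.split(":", 1)[1] if ":" in auth else auth
            continue
        m = DELIVERY.match(line)
        if not m:
            continue
        user = auth_user_by_msgid.get(m.group("msgid"))
        if user is None:
            continue
        rcpt = m.group("rcpt")
        if is_probe_address(rcpt, known):
            hits[user].append((m.group("msgid"), rcpt))
    return dict(hits)


if __name__ == "__main__":
    for account, entries in find_compromised(SAMPLE_LOG, {"probe.known@example.com"}).items():
        print(f"{account}: sent to probe addresses {[r for _, r in entries]}")
```

Run it over a real mainlog by reading the file into `find_compromised` and feeding the probe list you extracted from the last compromise; any account it reports is a candidate for a password reset and, as the reply describes, for freezing its queued mail. The heuristic half of `is_probe_address` will produce false positives on legitimate freemail recipients, so treat the known-list matches as the strong signal and the pattern matches as a hint to review.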
