Control over account creation (this is more a free mailbox kind of thing) Risk based analysis at login time based on the available signals Risk based analysis of the overall connection Spam analysis of the sent mail
All of which needs to feed into each other. For the larger providers, this is an ongoing workload for an engineering group. At login time, the signals are weak, it's basically the user/password/ip ... and if you're lucky, some small amount of uniqueness (do they ask for capability first?). geohop is of course the first line of defense there, and the ever popular "imap/pop before smtp". For many login types, you have the actual password here given the logging in client, and so you can also evaluate that for strength, and have stricter analysis for weak passwords. It may also be useful to spend some effort on "have I been pawned" or other sites to get lists of your users (and maybe their passwords) that are known, and force those users to reset their password. You will have people upset that they have to change their password, even though it's circulating on the web and actively being abused. IP reputation is another thing, it's utility varies. One problem is that there's really terrible feedback for denying logins in these protocols, a lot of clients don't display the error message, they'll just say "bad password". You need to make sure the user's can see why their logins are disabled in the admin pages on your site. The various client-id proposals would have been useful if they became popular, it's basically an extra nonce at login that's unique to a single client configuration. If you have something like that, you can do better with geohop (ie, their phone polls imap when they travel somewhere else, and it has CID, so you trust it, and trust the hop). oauth is what the bigger folks are pushing towards, but client support for that is hard... I don't know how easy it is to get on the oauth lists for your most popular clients. Analysis of the connection, individual clients have very obvious and specific sets of requests they make, you can fingerprint them. You can also check for things "good" clients tend to do, like store sent messages in the sent folder. This is easiest with IMAP than with pop or smtp, those are more trivial. That said, most clients generate email in a particular way as well, fingerprinting that may be useful. And of course, if the account is sending spam, it needs to be limited. Generally limiting most accounts to a small number of messages/day or hour is a first line. Spam is only the most obvious issue with these hijackings, you're also exposing customer data to a random person, who might go through the messages for specific content, or use the access to hijack other online accounts that allow password reset via email, or delete their data. Preventing the hijacking should be as important as preventing the spamming. Brandon On Tue, Sep 21, 2021 at 9:29 AM Alessio Cecchi via mailop <[email protected]> wrote: > Hi, > > we are an email hosting provider, and as you know many users use weak > passwords, or have trojan on their PC that stolen their password that are > used to sent spam or doing some kinds of fraud. > > We already have a "script" that checks, from log files, the country of the > IP address and "do something" to detect if is an unusual login. But is not > really sufficient. > > For "do something" I means: > > - too many logins from different country > - too many fast login > > So we are always looking for a system/software/service/script to detect > login to POP IMAP or SMTP not made by the user. > > I have also test the AWS SageMaker IP Insights service but without success. > > Have someone experienced about these problems? > Thanks > > -- > Alessio Cecchi > Postmaster @ http://www.qboxmail.ithttps://www.linkedin.com/in/alessice > > _______________________________________________ > mailop mailing list > [email protected] > https://list.mailop.org/listinfo/mailop >
_______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
