On 15/04/10 12:41, ram wrote:

The points mentioned should help you, especially ratelimits and FBLs.

Are you planning to do outgoing scanning?

Hi Ram. I believe ratelimits and FBLs can help, but only partially. FBLs are of great help, but they work only after much harm has been done. For instance, right now we use FBLs to get warnings of this kind of problem (besides checking the logs, of course, which does not happen 24 hours/day). When we got our first warning we had more than 20k spam messages in the queue. OTOH, ratelimiting could work well. However, we have several customers with internal/intranet mail servers in their own facilities (with residential connections and dynamic IPs) who use our mail servers as authenticated SMTP relays to send external mail to the Internet, so limiting the number of outbound emails can be a problem for us.

The way I think this could be solved is by having a program that:

1.- Checks the logs for authenticated SMTP usage and saves smtp_authenticated_user, originating IPs, and country, which is discovered using IP geolocation.

2.- During the following minutes, if the IP from the same authenticated user is different, then geolocate the new IP, and if the country is also different then flag it as possible credential theft.

3.- If step 2 repeats a few times in a few minutes (or even worse, if a third country is detected), then we surely have stolen credentials.

4.- Add smtp_authenticated_user to a blacklist; we could add a simple header_checks entry to reject messages with the smtp_authenticated_user header. That way the account is still active and able to receive messages. However, outbound messaging is disabled.

5.- We could use a granulated scoring system. For instance, we are in Spain, and 99.9% of our customers are in Spain. So, even if more different IPs are used in a short period of time, but all originate in Spain, it's fair to assume this person may be having connectivity problems or several devices connected (computer, 3G phone, PDA) and running at the same time, so we cut them some slack :)

We are already brainstorming this. However, we are good sysadmins but I cannot say the same about complex programming. We'll see what happens.

Regards,

Ignacio
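As an added example (not code from this thread), the five steps Ignacio outlines, run over a handful of constructed Postfix smtpd log lines: the GeoIP lookup is replaced by a hypothetical prefix-to-country table, and the user names, IPs, window and threshold are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Postfix smtpd log lines (documentation IPs, hypothetical users).
LOG = """\
Apr 15 10:01:02 mx1 postfix/smtpd[2101]: 1A2B3C: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=ana@example.com
Apr 15 10:01:40 mx1 postfix/smtpd[2102]: 4D5E6F: client=unknown[198.51.100.20], sasl_method=PLAIN, sasl_username=bob@example.com
Apr 15 10:03:10 mx1 postfix/smtpd[2103]: 7A8B9C: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=ana@example.com
Apr 15 10:05:30 mx1 postfix/smtpd[2105]: 3A4B5C: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=ana@example.com
Apr 15 10:06:12 mx1 postfix/smtpd[2106]: 6D7E8F: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=ana@example.com
Apr 15 10:08:01 mx1 postfix/smtpd[2107]: 9A0B1C: client=unknown[192.0.2.77], sasl_method=PLAIN, sasl_username=ana@example.com
"""
# Hypothetical prefix->country table standing in for a real GeoIP database lookup.
GEO = {"198.51.100.": "ES", "203.0.113.": "RU", "192.0.2.": "CN"}
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: client=\S+?\[([\d.]+)\].*?sasl_username=(\S+)")

def country(ip):
    return next((cc for pfx, cc in GEO.items() if ip.startswith(pfx)), "??")

def parse(log, year=2010):
    """Step 1: (timestamp, user, ip) for every authenticated SMTP session in the log."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(3), m.group(2)))
    return events

def score_users(events, window=timedelta(minutes=10)):
    """Steps 2, 3 and 5: +1 per country change between consecutive logins inside the
    window, +2 extra when a third country appears; IP changes within one country score 0."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_user[user].append((ts, country(ip)))
    scores = {}
    for user, logins in by_user.items():
        score, seen, (prev_ts, prev_cc) = 0, {logins[0][1]}, logins[0]
        for ts, cc in logins[1:]:
            if cc != prev_cc and ts - prev_ts <= window:
                # a never-seen country when two are already known is the "third country" case
                score += 1 if cc in seen else (3 if len(seen) >= 2 else 1)
                seen.add(cc)
            prev_ts, prev_cc = ts, cc
        scores[user] = score
    return scores

def header_checks(scores, threshold=2):
    """Step 4: header_checks lines rejecting outbound mail from flagged accounts via the
    Received header added by smtpd_sasl_authenticated_header = yes; inbound mail is unaffected."""
    return [f"/^Received:.*\\(Authenticated sender: {re.escape(u)}\\)/ REJECT suspected credential theft"
            for u, s in sorted(scores.items()) if s >= threshold]
```

Running `header_checks(score_users(parse(LOG)))` flags only ana, whose logins jump ES to RU to ES to CN within minutes, while the two Spanish IPs used by ana and bob's single login score nothing.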
