> Cassidy Larson:
>> We had an incident today where we had a user with a compromised
>> machine. Their email/pass made it back to some botnet which proceeded
>> to SASL auth to our mail servers and send numerous spam messages from
>> many different hosts. The spamming hosts didn't trigger our
>> smtpd_client_recipient_rate_limit setting, because of the many
>> different hosts (all with the same SASL user authenticated) that they
>> used.

I'm a little bit amazed to hear about a real, existing AUTHing bot. I think we must prepare for spam-originating bots, but relayed through legitimate MTAs (compared to direct from bot PCs).

> Maybe a good idea. This would hook into the AUTH command and after
> successful AUTH, do an anvil query for the sasl_username value.
>
> It's not a lot of code, but I don't have a lot of time, either.

We will have time to clean up bots ;-p

-- 
Tomo.
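The gap the thread describes is that Postfix's anvil-based smtpd_client_*_rate_limit settings count per client IP, so one stolen credential used from many bot hosts stays under every per-IP threshold. Below is an added example, not code from the thread or from Postfix itself, of the same idea keyed on the SASL user instead. Rather than the in-smtpd anvil hook suggested in the quoted reply, it uses the Postfix access policy delegation protocol (name=value request lines ending in a blank line, answered with "action=..."), which is the real interface an external policy service speaks; the MAX_RCPTS/WINDOW thresholds, the sample requests and the 203.0.113.x client addresses are constructed for the demo.

```python
"""Per-SASL-user recipient rate limit as a Postfix policy service (added example).

Counts RCPT-stage policy requests by sasl_username across all client IPs, so a
credential replayed from many hosts is throttled even though no single host
exceeds a per-IP limit. Request parsing follows the Postfix policy delegation
protocol; thresholds and sample data are constructed for illustration.
"""
import collections
import time

MAX_RCPTS = 5    # constructed threshold: recipients per SASL user per window
WINDOW = 60.0    # constructed window, seconds

# sasl_username -> deque of (timestamp, client_address) for recent RCPT events
_events = collections.defaultdict(collections.deque)


def parse_policy_request(raw):
    """Parse one policy request: 'name=value' lines up to the first blank line."""
    attrs = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def check_sasl_user(attrs, now=None):
    """Return the policy action for one request.

    Only RCPT-stage requests from authenticated sessions are counted; anything
    else gets DUNNO so the remaining smtpd restrictions decide.
    """
    now = time.time() if now is None else now
    user = attrs.get("sasl_username", "")
    if not user or attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    window = _events[user]
    while window and now - window[0][0] > WINDOW:   # expire old events
        window.popleft()
    window.append((now, attrs.get("client_address", "")))
    if len(window) > MAX_RCPTS:
        hosts = len({ip for _, ip in window})
        # Temp-fail (unless a later restriction rejects outright) and say how many
        # distinct hosts used the account: one busy user looks different from a
        # credential being replayed by a botnet.
        return (f"DEFER_IF_PERMIT Rate limit exceeded for {user} "
                f"({len(window)} recipients from {hosts} hosts in {int(WINDOW)}s)")
    return "DUNNO"


def handle_request(raw, now=None):
    """One protocol round: request text in, 'action=...' plus blank line out."""
    return f"action={check_sasl_user(parse_policy_request(raw), now)}\n\n"


def constructed_request(user, client, i):
    """Build a constructed RCPT-stage request using Postfix's attribute names."""
    return (f"request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=ESMTP\n"
            f"client_address={client}\nsasl_username={user}\nsender={user}@example.com\n"
            f"recipient=target{i}@example.net\ninstance=demo{i}\n\n")


def reset():
    """Clear all per-user state (for tests and demos)."""
    _events.clear()


if __name__ == "__main__":
    reset()
    # One stolen credential, a fresh bot host per message: per-IP counters never trip,
    # but the per-user counter defers from the sixth recipient on.
    for i in range(8):
        req = constructed_request("alice", f"203.0.113.{i}", i)
        print(handle_request(req, now=1000.0 + i).strip())
```

A service like this would be wired in with check_policy_service under smtpd_recipient_restrictions; the demo's loop shows the first five requests answered DUNNO and the rest DEFER_IF_PERMIT, with the host count in the text making the "many hosts, one user" pattern visible in the mail log.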