On Wed, Oct 02, 2013 at 10:17:16AM -0500, List wrote:

> We are currently using dovecot for smtp auth, and due to an increase
> in spammers abusing smtp auth we set up dovecot to return an invalid
> login for users that have been set to "disabled" in our
> provisioning system.  This seemed to work for a while (preventing
> spammers that are using auth), but we are finding that a number of
> spammers are somehow keeping their smtp connection open after we
> have "disabled" smtp auth and continuing to send messages even
> though the authentication should be failing.  We are not sure why
> this is the behavior or even what we should be looking for to
> determine how they are circumventing the authentication.

The full story is in your logs.  Find a message sent by a disabled
user after the account was disabled.  Find the associated smtpd(8)
connect and disconnect log entries.  If a single connection continues
to generate messages long after the account is disabled, then indeed
your description is correct.

Regardless of whether you've disabled an account or not, you should
probably use a policy service that limits the message rate from
a given SASL user account (returning a 421 error code when the rate
is exceeded).  The policy service can also check whether the account
has been disabled.  This check will not be cached (unlike the SASL
login status of the SMTP connection).

-- 
        Viktor.
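
The decision logic of the policy service suggested above, as an added example that is not part of the original message or of Postfix: it parses requests in the Postfix policy delegation format and answers per `sasl_username`. The names `SaslPolicy`, `is_disabled`, `MAX_MSGS` and `WINDOW`, the limits, and the choice of 421 for disabled accounts are assumptions of this example.

```python
import time
from collections import defaultdict, deque

MAX_MSGS = 3     # assumed limit: messages per window per SASL user
WINDOW = 60.0    # assumed window length in seconds

# Constructed sample request in Postfix policy delegation format.
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "instance=123.456.7\nsasl_username=alice@example.com\n\n")

def parse_request(text):
    """Parse name=value lines up to the empty line that ends a request."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

class SaslPolicy:
    def __init__(self, is_disabled):
        self.is_disabled = is_disabled   # hypothetical provisioning lookup
        self.sent = defaultdict(deque)   # user -> (time, instance) per message

    def decide(self, attrs, now=None):
        now = time.time() if now is None else now
        user = attrs.get("sasl_username", "")
        if attrs.get("request") != "smtpd_access_policy" or not user:
            return "DUNNO"               # not an authenticated submission
        # Looked up on every request, so a mid-session disable takes effect.
        if self.is_disabled(user):
            return "421 4.7.1 Account disabled"
        q = self.sent[user]
        while q and now - q[0][0] >= WINDOW:
            q.popleft()                  # forget messages outside the window
        inst = attrs.get("instance", "")
        # All RCPT requests of one message share an instance: count it once.
        if not inst or all(i != inst for _, i in q):
            q.append((now, inst))
        if len(q) > MAX_MSGS:
            return "421 4.7.1 Message rate limit exceeded"
        return "DUNNO"

    def respond(self, text, now=None):
        """Return the reply to write back on the policy socket."""
        return "action=%s\n\n" % self.decide(parse_request(text), now)
```

Per access(5), a 421 reply makes Postfix disconnect the client, so a session that authenticated before the account was disabled is dropped at its next policy check.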
