On 6 Jan 2014 17:41, <post...@pupat-ghestem.net> wrote:
>
> On 1/6/2014 5:32 PM, Mike McGinn wrote:
>>
>> On Monday, January 06, 2014 10:12:38 Roland Plüss wrote:
>>>
>>> A couple of days ago my mail server got attacked by a spammer. As it
>>> looks like he managed to compromise the password of one of the users on
>>> the system and SASL authenticated using the account to send spam. I
>>> blocked the attacking IP and changed the password of the affected user.
>>> Still the spammer managed to send out quite a lot of mails due to
>>> permit_sasl_authenticated letting him pass by. Now to deal with this
>>> situation in the future I would like to automatically lock down an
>>> account if an unusual amount of mails are sent, like 60 per minute or so.
>>> I could not, though, figure out if postfix is able to do this or how to
>>> get this done. Any ideas?
>>
>> Welcome to the club.
>> I had an account get compromised on Christmas Day and got my server
>> blacklisted. Changed the password.
>>
>> Now in my dovecot logs I see logins for this account from various IP addresses
>> in Russia and the former Soviet republics. These seem to be from some sort of
>> botnet as they come in bursts from different IP addresses. I have been adding
>> the CIDRs for these networks to my firewall as they show up.
>>
>> I am not a mail guy, but I find knowing how to use a firewall comes in handy.
>>
> I use fail2ban to block bots trying to guess passwords. Any IP that enters a
> wrong password more than a certain number of times is banned for 10 minutes.
> Any such IP that gets banned too much this way gets banned for a week.
>
> I get attempts from pretty much all over the world (US, Europe, Russia, China, India, ....)
Lately I've seen botnets get wise to this. I have one from Comcast that makes one
attempt every 35 minutes, which means it never gets blocked. But it will also take
him millions of years to get lucky...

Simon
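The two detection problems raised in this thread (Roland's compromised account sending far more than its usual volume, and Simon's guesser that spaces attempts so widely that a short fail2ban findtime never trips) can both be checked from the mail logs. The script below is an added illustration, not code from any poster or from Postfix, Dovecot or fail2ban. It assumes syslog-style Postfix smtpd lines carrying `sasl_username=` and Dovecot `*-login: Disconnected (auth failed ...)` lines; the sample log lines, host names, addresses and the year 2014 are all constructed for the example.

```python
"""
Added example: per-account send-rate and low-and-slow auth-failure detection
over Postfix/Dovecot style log lines.  All log lines below are CONSTRUCTED;
they resemble real syslog output but come from no real server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog timestamps carry no year; the year of the thread is assumed.
ASSUMED_YEAR = 2014

# Postfix smtpd line after a successful SASL login (format as Postfix logs it).
SASL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+, sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)
# Dovecot login process line for a failed authentication.
DOVECOT_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: \S+-login: "
    r"Disconnected \(auth failed.*?\): user=<(?P<user>[^>]*)>, .*?rip=(?P<ip>[\d.]+)"
)


def parse_ts(text):
    """Turn 'Jan  6 17:41:00' into a datetime using the assumed year."""
    return datetime.strptime(f"{ASSUMED_YEAR} {text}", "%Y %b %d %H:%M:%S")


def accounts_over_rate(lines, limit=60, window=timedelta(minutes=1)):
    """Return {user: peak_sends} for accounts whose authenticated sends exceed
    `limit` within any sliding `window` (Roland's '60 per minute' rule)."""
    sends = defaultdict(list)
    for line in lines:
        m = SASL_RE.match(line)
        if m:
            sends[m["user"]].append(parse_ts(m["ts"]))
    flagged = {}
    for user, times in sends.items():
        times.sort()
        recent, peak = deque(), 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:   # evict sends older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > limit:
            flagged[user] = peak
    return flagged


def slow_drip_sources(lines, min_failures=5, long_window=timedelta(hours=24),
                      findtime=timedelta(minutes=10)):
    """Return {ip: failures} for sources with at least `min_failures` failed
    logins inside `long_window` whose consecutive attempts are ALL spaced more
    than `findtime` apart, i.e. sources a jail with that findtime never bans
    (Simon's one-attempt-every-35-minutes case)."""
    fails = defaultdict(list)
    for line in lines:
        m = DOVECOT_FAIL_RE.match(line)
        if m:
            fails[m["ip"]].append(parse_ts(m["ts"]))
    result = {}
    for ip, times in fails.items():
        times.sort()
        if len(times) < min_failures or times[-1] - times[0] > long_window:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if all(g > findtime for g in gaps):
            result[ip] = len(times)
    return result


def build_sample_logs():
    """CONSTRUCTED sample: alice bursts 70 sends in 30 s, bob sends 3 mails in
    40 min, 198.51.100.7 fails a login every 35 min, 203.0.113.9 fails six
    times within one minute (the pattern fail2ban does catch)."""
    base = datetime(ASSUMED_YEAR, 1, 6, 17, 0, 0)

    def stamp(dt):
        return f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"

    lines = []
    for i in range(70):
        t = base + timedelta(seconds=(i * 30) // 70)
        lines.append(f"{stamp(t)} mx1 postfix/smtpd[2201]: 3F2C1A0B{i:02X}: "
                     "client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=alice")
    for i in range(3):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{stamp(t)} mx1 postfix/smtpd[2202]: 7A91C{i:02X}: "
                     "client=home.example.net[192.0.2.80], sasl_method=LOGIN, sasl_username=bob")
    for i in range(5):
        t = base + timedelta(minutes=35 * i)
        lines.append(f"{stamp(t)} mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts "
                     "in 2 secs): user=<carol>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS")
    for i in range(6):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{stamp(t)} mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts "
                     "in 1 secs): user=<dave>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1")
    return lines


if __name__ == "__main__":
    logs = build_sample_logs()
    print("accounts over 60/min:", accounts_over_rate(logs))
    print("slow-drip guessers:  ", slow_drip_sources(logs))
```

The sliding window is what makes the first check work on a burst that straddles minute boundaries; a fixed per-minute bucket would split a 70-message burst across two buckets and miss it. The second check deliberately counts over a long window while requiring every gap to exceed the jail's findtime, so it reports exactly the sources a short-findtime jail is blind to, and nothing it already bans.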