I need to be able to relay outbound for this customer of ours as a service
we provide and I need to be able to block compromised accounts which I have
been successful at for years until this new spam technique showed up a few
weeks ago.
I do have a way to detect this Bcc sending _after the fact_ and put in a
DISCARD for the sending address to stop the spam but some have already
gotten out.  When Bcc'ing 300 at a time, even a few getting out will create
a lot of damage to our IP's reputation.
I need a way to detect the number of Bcc's in the headers to block them
based on other characteristics.  The problem is, all of the other
characteristics are perfectly legit ways of sending mail without knowing
the number of Bcc'd recipients.  It's very common to send an email Bcc'ing
a lot of recipients and putting your own address in the To: field.
Spamassassin only sees the To: header as 1 recipient when there could be
300 Bcc'd.

On Wed, Feb 4, 2015 at 7:57 AM, Nicolas HAHN <ha...@erios.org> wrote:

> - Have you identified the e-mail server having those compromised accounts?
> If yes, forbid this server to relay using your Postfix servers. If you don't
> want or cannot do it...
> - Then have you identified what e-mail accounts exactly are compromised?
> If yes, temporarily close or disable those accounts on the sending server.
> If you don't want or cannot do it...
> - And if sending accounts are identified, then instruct your Postfix
> servers to reject everything sent through them by those compromised sender
> e-mail addresses...
>
> Preserve your reputation as sending system even if you've to temporarily
> forbid the sending server causing the SPAM to use your own servers.
>
> A behaviour of bot SPAM is that they send mass e-mails forging random
> recipient e-mail addresses. That means you probably get an unusual amount
> of bounces or deferred e-mails on your Postfix servers. You could find in
> your Postfix logs the sender e-mail addresses causing the most important
> part of bounces and/or deferred to identify the source of the attack and
> block it at Postfix level.
>
> If, as you wrote, it is a slow attack, a latent one, then try to find a
> tool that will be able to detect it and define Postfix policies on the fly
> as counter measures. You might find Postfix Policy Servers or daemons able
> to provide such kind of feature, like the X-Itools ELSE project with its
> RTAAM engine for example.
>
>
>
> On 04/02/2015 14:34, Dave Jones wrote:
>
>> I have a sneaky spammer that is using compromised accounts of a mail
>> server that relays outbound through my Postfix servers.  The spammer is
>> Bcc'ing 200 or 300 recipients at a time and sending very slowly to avoid my
>> high volume detection.  I need to be able to add a header that SpamAssassin
>> can use to score based on a combination of other rules.  I also want to
>> maintain the privacy of the Bcc'd recipients.
>> I am pretty sure this could be done in a milter but I was not able to
>> find a milter out there that does this.  I guess I could learn how to make
>> a milter that just counts the recipients and add a header.
>> I was thinking something like an X header that could be set to a value
>> ("Low", "Medium", or "High") based on a range of recipients.  I could
>> probably find a way to get Spamassassin to use the actual number of
>> recipients with a plugin if that can be added easily by Postfix or a milter.
>> P.S.  In this instance, this spammer is sending out messages that don't
>> score high in SA.  I can usually block outbound spam but he is sending
>> test/probe emails until they get through then blasting to a lot of Bcc
>> recipients which gets us listed on RBLs.  Also the original mail server is
>> an Exchange server that does not add the X-Originating-IP or Received
>> headers of the sender so I could key off of that in SA.
>> Thanks,
>> Dave
>>
>
>

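The recipient-counting milter Dave describes, as an added example that is not code from this thread or from any tool mentioned in it: it counts the envelope RCPT TO commands Postfix hands to the milter and exposes only the count (never the addresses) in a header SpamAssassin can score on. The header name X-Envelope-Rcpt-Count, the Low/Medium/High thresholds and the run_transaction driver are assumptions; a production version would hook the same callbacks through pymilter/libmilter and be attached via smtpd_milters on the relaying Postfix.

```python
from dataclasses import dataclass, field

HEADER_NAME = "X-Envelope-Rcpt-Count"            # assumed header name
# Assumed buckets, in envelope recipients per message; tune to your traffic.
BUCKETS = (("Low", 10), ("Medium", 50))          # anything above 50 is "High"

def classify(count: int) -> str:
    """Map an envelope recipient count to the Low/Medium/High label."""
    for label, upper in BUCKETS:
        if count <= upper:
            return label
    return "High"

@dataclass
class RcptCountMilter:
    """Per-connection milter state, following libmilter's callback order:
    envfrom (MAIL FROM) -> envrcpt (each RCPT TO) -> eom (end of message)."""
    rcpts: list = field(default_factory=list)
    added_headers: dict = field(default_factory=dict)

    def envfrom(self, sender: str) -> str:
        # A connection may carry several messages; reset per MAIL FROM.
        self.rcpts = []
        self.added_headers = {}
        return "CONTINUE"

    def envrcpt(self, rcpt: str) -> str:
        # RCPT TO is the envelope: Bcc targets show up here even though the
        # To:/Cc: headers never mention them. Nothing is altered or rejected.
        self.rcpts.append(rcpt)
        return "CONTINUE"

    def eom(self) -> str:
        count = len(self.rcpts)
        # Only the count leaves the milter, never the addresses, so the Bcc
        # recipients stay private. With pymilter this would be
        # self.addheader(HEADER_NAME, value) instead of a dict assignment.
        value = f"{classify(count)}; count={count}"
        self.added_headers[HEADER_NAME] = value
        return "ACCEPT"

def run_transaction(sender: str, rcpts: list) -> dict:
    # Drive one SMTP transaction through the callbacks; returns added headers.
    m = RcptCountMilter()
    m.envfrom(sender)
    for r in rcpts:
        m.envrcpt(r)
    m.eom()
    return m.added_headers

# Matching SpamAssassin local.cf rule (score to taste), shown as a comment:
# header OUTBOUND_RCPT_HIGH X-Envelope-Rcpt-Count =~ /^High;/
# score  OUTBOUND_RCPT_HIGH 3.0
```

Because the header carries the count as well as the bucket, a SpamAssassin meta rule can combine it with the other "perfectly legit" characteristics mentioned above instead of scoring recipient volume on its own.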