This sounds painfully annoying.
I hope your users never travel, take a vacation, or go on a work trip.
And it doesn't stop or help if the user gets a virus on their computer
that uses the local saved credentials on that computer, and also will
make cellphone mail completely unusable.
Quoting Sebastian Nielsen <sebast...@sebbe.eu>:
I think you are approaching this problem from the wrong end.
Instead of blocking compromised accounts, make sure they cannot be
compromised.
For example: Configure your server to only accept authentication
from valid IPs, for example company internal ones, or implement
geoIP blocking so if your organization is located in Country X,
whitelist Country X and then disallow every other country to login.
Another thing to implement is IP-range restriction. You could
implement this as a policy service, where the first login of a new
user will record the IP-range the user's ISP is using (This can be
enumerated by either doing a whois lookup against the user's IP,
or doing an ASN lookup against the user's ASN number). This will
return a range like 94.185.80.0 - 94.185.87.255 for a small ISP or a
larger range like x.x.0.0 to x.x.255.255 for a larger ISP.
Once a user has logged in for the first time, his account will be
locked to the ISP he is currently using.
This will cut down on compromised accounts and spam very much, since
the user's username and password are worthless to anyone who doesn't
have the same ISP as the account's owner.
If you don't want to restrain your users too much, you can always
allow receiving of POP3/IMAP mail worldwide without IP restriction,
and also allow internal mail, but relayed mail is subject to the IP
restriction.
-----Original message----- From: Chuck Peters
Sent: Saturday, April 18, 2015 8:16 PM
To: postfix-users@postfix.org
Subject: Blocking compromised accounts (outgoing spam) and auth cracking
I'm researching migrating some Exim servers to Postfix and would
like to implement automatic blocking of compromised and spammers'
accounts with notifications to staff. Any suggestions?
On the Exim user list today someone suggested
https://github.com/Exim/exim/wiki/BlockCracking.
Blocking compromised accounts (outgoing spam) and auth cracking
Nowadays users' passwords often are stolen (with drive-by exploits,
Windows malware, phishing) and used for spamming. Spam sent with
authentication via your server causes it to be blacklisted without
notice and sometimes with no appeal. Simple rate limiting of authenticated
users constrains honest users while still allowing spam to trickle
through; your server still ends up in blacklists. Each server needs
automatic detection and blocking of compromised accounts (stolen
passwords). I amended and implemented (for Exim version 4.67 or
higher) Andrew Hearn's idea to check not the rate of messages or all
recipients, but the rate of attempts to send to nonexistent recipient
email addresses. The vast majority of spammers never try to validate
every recipient address. Spammers harvest strings looking like email
addresses from webpages and disks of trojaned Windowses, then sell
huge lists of email addresses to each other. These lists contain
very many email addresses which don't exist anymore or never
existed: Message-Ids, corrupted strings in memory and files. In
short, spammers' lists of email addresses are much dirtier than
lists honest users send to. Honest users are very unlikely to
attempt to send to 100 nonexistent email addresses in one hour.
Below I explain in detail (for novices at Exim) what to change in
Exim config for automatic blocking of compromised and spammers'
accounts, with automatic email notification to sysadmin or your
abuse or support staff.
...
Thanks,
Chuck
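The nonexistent-recipient rate check described in the quoted BlockCracking text, as an added Python example that is not part of this thread or of the Exim wiki: it scans Postfix-style reject log lines, keeps a one-hour sliding window per authenticated user, and flags an account once it hits 100 unknown recipients. The log line layout (in particular that the reject line carries sasl_username), the field names and the sample accounts are constructed assumptions, not taken from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Postfix-style smtpd reject line. Assumption: the reject line
# carries sasl_username; adapt the regex to what your MTA really logs.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from [^:]+: 55\d \S+ <(?P<rcpt>[^>]+)>: Recipient address rejected: "
    r"User unknown.*\bsasl_username=(?P<user>\S+)"
)
THRESHOLD = 100              # unknown recipients ...
WINDOW = timedelta(hours=1)  # ... within this sliding window

def parse_ts(stamp, year):
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_compromised(lines, year=2015, threshold=THRESHOLD, window=WINDOW):
    """Return {user: timestamp at which the threshold was first crossed}."""
    recent = defaultdict(deque)  # user -> timestamps of unknown-recipient rejects
    flagged = {}
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue  # not an unknown-recipient reject by an authenticated user
        user, ts = m["user"], parse_ts(m["ts"], year)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold and user not in flagged:
            flagged[user] = ts  # here: disable the account and notify staff
    return flagged

def constructed_log(user, ip, count, start, step):
    """Constructed sample lines (not real traffic) for the demonstration."""
    return [
        f"{(start + i * step):%b %d %H:%M:%S} mx postfix/smtpd[4242]: NOQUEUE: reject: "
        f"RCPT from unknown[{ip}]: 550 5.1.1 <nobody{i}@example.net>: Recipient address "
        f"rejected: User unknown in virtual mailbox table; from=<{user}> "
        f"to=<nobody{i}@example.net> proto=ESMTP helo=<pc> sasl_username={user}"
        for i in range(count)
    ]

# A stolen account blasting a dirty list, and an honest user with a few typos.
SAMPLE = (constructed_log("victim@example.com", "203.0.113.7", 120,
                          datetime(2015, 4, 18, 20, 0), timedelta(seconds=20))
          + constructed_log("alice@example.com", "198.51.100.9", 5,
                            datetime(2015, 4, 18, 8, 0), timedelta(hours=2)))
```

Running `find_compromised(SAMPLE)` flags only the stolen account, at the moment its 100th unknown recipient within the hour is rejected; the honest user's scattered typos never accumulate.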