> I have a doubt:
> If a user authenticates with SMTP auth, are all filters ignored?
> If true, why?

> All filters other than the reply delay (earlytalker filter) are, as far as I'm aware, disabled when SMTP authentication happens.
But I was going to post about this too. I also would love the *option* to enable filters even if there's authentication. Sam, please can you consider this for a future version? I know it is unusual to want filtering enabled if there's authentication going on. Let me explain why I want it:

We get hundreds of connections from botnets (almost every connection is from a different IP, so fail2ban etc. is no good) trying SMTP auth dictionary attacks. They also use username/password combos from hacked third-party sites (some of which made the news) where the passwords were not encrypted/didn't have salt.

In order to reduce the impact of such attacks, I want to block SMTP auth from certain countries: countries where we have no customers and therefore nobody should be authenticating from them. These countries are where the bulk of these attacks are coming from. Firewalling is not an option as there are too many IPs involved. I already have a local DNSBL set up with country-specific IP ranges loaded, which I already use in conjunction with mod_security on port 80 (and also via spamdyke on port 25). But I want to use this on port 587 too, even when someone authenticates correctly. Yes, I know, there is the potential for some issues: what if a customer goes on vacation to a country that I've blocked? But in general I'm willing to risk this.

I also want to block SMTP auth if the connecting IP has no rDNS. I've been looking at my logs, and not one single legitimate auth in the past 30 days has come from an IP with no rDNS. But a reasonable proportion of botnet auth attempts have come from IPs with no rDNS.

So basically that's why I would like the option to enable the usual DNSBL, rDNS, etc. filtering rules even if authentication happens. Ideally I'd like a special error message when there's a successful auth from a "filtered" IP. This would immediately tell me that the bad guys most likely have someone's real username/password combo, allowing me to change the password on that account before any damage has occurred.

In addition, can there also be a time limit option on successful SMTP auth connections, please? Last week I had a spammer who authenticated and stayed connected for two and a half hours sending spam after spam (not too much damage was done as I saw it happen and stopped the outgoing queue; I just got confused and didn't think to kill the qmail-smtpd process manually. But that's another story).

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
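Until a mail filter can apply its pre-auth rules to authenticated sessions, the "successful auth from a filtered IP" alert the poster asks for can be approximated after the fact by auditing the accepted-message log. The script below is an added example written for this thread; it is not spamdyke code and not the poster's setup. It assumes a spamdyke-like log line carrying `origin_ip`, `origin_rdns` and `auth` fields (the exact format, the `(unknown)` placeholder for a failed PTR lookup, the blocked CIDR ranges and the sample log lines are all constructed here), checks each authenticated session against a country block list and a missing-rDNS rule, and reports the account so its password can be reset:

```python
"""Flag successful SMTP AUTH sessions that the normal pre-auth filters
(country block list, missing rDNS) would have rejected.

Added example for the spamdyke-users thread; not part of spamdyke itself.
Log format, CIDR ranges and sample lines are constructed for illustration.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Constructed: ranges the operator blocks for AUTH (TEST-NET prefixes standing
# in for real country allocations). In production, feed these from the same
# country list the local DNSBL is built from.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",   # "country A"
    "198.51.100.0/24",  # "country B"
)]

# Assumed log shape: one ALLOWED line per accepted message. Adapt to your logger.
LOG_RE = re.compile(
    r"ALLOWED .*?origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) "
    r"auth: (?P<auth>\S+)"
)

# Tokens assumed to mean "no value" in the rdns / auth fields.
EMPTY_TOKENS = ("(unknown)", "-", "")


def in_blocked_range(ip: str) -> bool:
    """True if the connecting address falls inside a blocked country range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)


def has_rdns(rdns: str) -> bool:
    """True if the PTR lookup produced a name rather than a placeholder."""
    return rdns not in EMPTY_TOKENS


def audit_line(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (auth_user, ip, reasons) for an authenticated session coming
    from an IP the pre-auth filters would have blocked; None otherwise."""
    m = LOG_RE.search(line)
    if not m or m["auth"] in EMPTY_TOKENS:
        return None  # not an accepted message, or not authenticated
    reasons = []
    if in_blocked_range(m["ip"]):
        reasons.append("blocked-country")
    if not has_rdns(m["rdns"]):
        reasons.append("no-rdns")
    return (m["auth"], m["ip"], reasons) if reasons else None


def audit(lines: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Run audit_line over a log and keep only the hits."""
    return [hit for hit in (audit_line(l) for l in lines) if hit]


# Constructed sample log: one clean auth, two suspicious auths, one
# unauthenticated accept, one denial that the regex ignores.
SAMPLE_LOG = """\
Jan 12 03:14:07 mx spamdyke[2314]: ALLOWED from: alice@example.net to: bob@example.org origin_ip: 192.0.2.10 origin_rdns: host10.isp.example auth: alice@example.net encryption: TLS reason: 250_ok
Jan 12 03:15:22 mx spamdyke[2318]: ALLOWED from: carol@example.net to: victim@example.com origin_ip: 203.0.113.45 origin_rdns: (unknown) auth: carol@example.net encryption: TLS reason: 250_ok
Jan 12 03:16:01 mx spamdyke[2320]: ALLOWED from: dave@example.net to: victim2@example.com origin_ip: 198.51.100.7 origin_rdns: mail.blocked.example auth: dave@example.net encryption: NONE reason: 250_ok
Jan 12 03:16:40 mx spamdyke[2322]: ALLOWED from: news@partner.example to: bob@example.org origin_ip: 203.0.113.9 origin_rdns: (unknown) auth: (unknown) encryption: NONE reason: 250_ok
Jan 12 03:17:05 mx spamdyke[2325]: DENIED_RDNS_MISSING from: x@y.example to: bob@example.org origin_ip: 203.0.113.77 origin_rdns: (unknown) auth: (unknown) encryption: NONE
"""

if __name__ == "__main__":
    for user, ip, reasons in audit(SAMPLE_LOG.splitlines()):
        print(f"ALERT: possible compromised account {user}: "
              f"authenticated from {ip} ({', '.join(reasons)})")
```

Run it against the real log with `audit(open("/var/log/maillog"))` from cron; each hit is an account whose credentials are probably in an attacker's hands, which is exactly the signal the poster wants before the outgoing queue fills up.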
