[exim] How to catch stolen passwords and outgoing spam

Top Page

Reply to this message
Author: Lena
Date:  
To: exim-users
Old-Topics: Re: [exim] Open relay?
Subject: [exim] How to catch stolen passwords and outgoing spam
> From: Ralph Ballier

> What can I do against such abuse, if somebody loose username and password?
> Is it possible to limit the number of mails from one unser per minute or so?


Yes, but such limits inconvenience honest people.
Another way was proposed on this list: to check not rate of
messages or total recipients, but rate of attempts to send to
invalid (nonexistent) recipients because spammers and spambots
send to much more dirty lists of email addresses than honest people:
large part of email addresses in spammers' lists don't exist anymore
or never existed (Message-Ids and corrupted strings in memory
taken by address harvesters as email addresses).

Moreover, just a limit is not enough, the compromised password needs
to be authomatically blocked, with notification to admin or abuse desk.
My implementation:

LIM = 100
PERIOD = 1h
WARNTO = abuse@???
EXIMBINARY = /usr/local/sbin/exim -f root
SHELL = /bin/sh
begin acl
acl_check_rcpt:
...
  accept authenticated = *
        set acl_m_user = $authenticated_id
# in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
        condition = ${if exists{$spool_directory/blocked_authenticated_users}}
        condition = ${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_authenticated_users}{1}{0}}
        control = freeze/no_tell
        control = submission/domain=
        add_header = X-Authenticated-As: $acl_m_user


  accept authenticated = *
        !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
        ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
        continue = ${run{SHELL -c "echo $acl_m_user \
           >>$spool_directory/blocked_authenticated_users; \
           \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
           has sent mail to LIM invalid recipients during PERIOD.; \
           \N}\N | EXIMBINARY WARNTO"}}
        control = freeze/no_tell
        control = submission/domain=
        add_header = X-Authenticated-As: $acl_m_user


  accept authenticated = *
        control = submission/domain=


  accept hosts = !@[] : +relay_from_hosts
        set acl_m_user = $sender_host_address
             # or an userid from RADIUS
        condition = ${if exists{$spool_directory/blocked_relay_users}}
        condition = ${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_relay_users}{1}{0}}
        control = freeze/no_tell
        control = submission/domain=
        add_header = X-Relayed-From: $acl_m_user


  accept hosts = !@[] : +relay_from_hosts
        !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
        ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
        continue = ${run{SHELL -c "echo $acl_m_user \
           >>$spool_directory/blocked_relay_users; \
           \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
           because has sent mail to LIM invalid recipients during PERIOD.; \
           \N}\N | EXIMBINARY WARNTO"}}
        control = freeze/no_tell
        control = submission/domain=
        add_header = X-Relayed-From: $acl_m_user


  accept  hosts         = +relay_from_hosts
          control       = submission/domain=



When abuse desk receives a warning message about authomatically blocked user,
they need to inspect content of few frozen messages in the queue
using `exipick`. If it's spam then change the user's password
and fine the user (according to contract) for not guarding against
Windows malware stealing passwords (or for falling for phishing),
meanwhile keep frozen messages as evidence until the fine is exacted.
In unlikely case if it's not spam, delete the line with the username from
the blocked users file with a text editor (or delete the file if it
contains only one line which is likely) and unfreeze messages
also using `exipick`.