Re: [exim] Regarding spaming from the server

Author: Lena
To: exim-users
Subject: Re: [exim] Regarding spaming from the server
P.S.

> From: Todd Lyons


> > How to block stolen passwords automatically:
> > https://github.com/Exim/exim/wiki/BlockCracking
>
> Lena, one corner case of this is when a legitimate user has one device
> with the wrong password. Picture a typical small office where two or
> three people use a small NAT router to connect to their business
> class DSL. One person changes their password and they fix it on their
> iPhone because they have to leave to go do something. They leave.
> Their Outlook is still open on their computer and someone comes by to
> check something in the email. Outlook doesn't seem to be working
> right so they hit the Send/Receive button multiple times. On the Exim
> server, the limit for bad user/pass combinations gets hit and the IP
> gets added to the blacklist. Now the whole office is blocked from
> sending email.
>
> I'd like to ponder if there is a way to detect that the same incorrect
> password is being sent over and over (indicating a misconfigured
> device) as opposed to random passwords (indicating brute forcing). To
> my knowledge neither the actual password nor a hash of it is made
> available anywhere except to the authenticator section. Can you dream
> up any sequence that could be used to capture a hash of that password,
> store it, and then use it to compare subsequent attempts?


OK, untested changes for my code
https://github.com/Exim/exim/wiki/BlockCracking :

1. Replacement for "accept" at the end of acl_check_auth:

  # Hash the AUTH initial response into a small bucket (nhash_1000 gives
  # 0..999) so later attempts with the same credentials can be recognised
  # without keeping the password itself.  AUTH PLAIN carries username and
  # password in the initial response; AUTH LOGIN carries at most the username
  # there, and a bare AUTH LOGIN carries nothing, leaving acl_c_authhash empty.
  accept set acl_c_authhash = ${if match{$smtp_command_argument}\
          {\N(?i)^(?:plain|login) (.+)$\N}{${nhash_1000:$1}}}


2. Replacement for entire acl_check_quit:

  # Count failed AUTHs per client IP *and* credential hash; this ratelimit
  # condition sets $sender_rate for the key it was given.
  warn  condition = ${if def:authentication_failed}
        condition = $authentication_failed
        condition = ${if def:acl_c_authhash}
        ratelimit = 7 / 5m / strict / $sender_host_address-$acl_c_authhash


  # Keep only the integer part of that per-hash rate for the decision below.
  warn  condition = ${if def:authentication_failed}
        condition = $authentication_failed
        condition = ${if def:acl_c_authhash}
        set acl_c_hashrate = ${sg{$sender_rate}{[.].*}{}}


  # The original per-IP limit from BlockCracking.  The IP is now only blocked
  # when no hash was available, or when the current credential hash has been
  # seen fewer than 2 times from this IP (credentials keep changing, i.e.
  # cracking).  A hash repeated 2 or more times looks like a stuck client.
  # SHELL, EXIMBINARY and WARNTO are macros defined elsewhere in that config.
  warn  condition = ${if def:authentication_failed}
        condition = $authentication_failed
        logwrite = :reject: quit after authentication failed: \
                            ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
        ratelimit = 7 / 5m / strict / per_conn
        condition = ${if or{\
                            {!def:acl_c_authhash}\
                            {<{$acl_c_hashrate}{2}}\
                           }}
        continue = ${run{SHELL -c "echo $sender_host_address \
           >>$spool_directory/blocked_IPs; \
           \N{\N echo Subject: $sender_host_address blocked; echo; echo \
           for bruteforce auth cracking attempt.; \
           \N}\N | EXIMBINARY WARNTO"}}


> From: Cyborg


> That will block most customers who try to send valid newsletters :)
> 10% or more of the address database of those newsletter senders is
> invalid and old addresses.


Do those customers/senders ignore bounces?
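The decision rule behind the ACL above (block after many failures only when the credential hash keeps changing, or when no hash is available), replayed over a constructed batch of failed AUTH attempts. This is an added example, not code from the thread or from the Exim project; the hash function is a stand-in for nhash_1000, and the IPs, users and passwords are made up.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Same regex as the acl_c_authhash line in the thread: the initial response of
# AUTH PLAIN, or of AUTH LOGIN when the client sends one.
AUTH_INITIAL = re.compile(r"(?i)^(?:plain|login) (.+)$")

def auth_hash(smtp_command_argument):
    """Hash of the AUTH initial response, or None when there is none (a bare
    'AUTH LOGIN', whose password arrives in a later exchange). Stand-in for
    ${nhash_1000:$1}: Exim's nhash maps to 0..999, which is enough there;
    only 'same credentials -> same value' matters for the decision."""
    m = AUTH_INITIAL.match(smtp_command_argument)
    if not m:
        return None
    return hashlib.sha256(m.group(1).encode()).hexdigest()[:8]

def should_block(failed_attempts, limit=7):
    """Replay failed AUTH attempts as (client_ip, smtp_command_argument), in
    order, and decide per IP as the quit-time ACL does: once an IP exceeds
    `limit` failures, block it only if the latest failure's hash has been seen
    fewer than 2 times from that IP (credentials keep changing, i.e. cracking)
    or if no hash was available. The 5m window is simplified to one batch."""
    per_ip = defaultdict(int)
    per_ip_hash = defaultdict(int)
    verdict = {}
    for ip, arg in failed_attempts:
        per_ip[ip] += 1
        h = auth_hash(arg)
        if h is not None:
            per_ip_hash[(ip, h)] += 1
        if per_ip[ip] > limit and ip not in verdict:
            verdict[ip] = h is None or per_ip_hash[(ip, h)] < 2
    return verdict

def plain_arg(user, password):
    """$smtp_command_argument of 'AUTH PLAIN <initial-response>' (RFC 4616)."""
    return "PLAIN " + base64.b64encode(f"\0{user}\0{password}".encode()).decode()

# Constructed sample: one office NAT with a stale Outlook, one cracker cycling
# through passwords, and one client using AUTH LOGIN with no initial response.
SAMPLE = (
    [("203.0.113.10", plain_arg("alice", "oldpass"))] * 9
    + [("198.51.100.7", plain_arg("bob", f"guess{i}")) for i in range(9)]
    + [("192.0.2.5", "LOGIN")] * 9
)
```

`should_block(SAMPLE)` leaves the office IP alone, blocks the cracker, and blocks the hash-less LOGIN client exactly as the original rule would.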