Re: [exim] Regarding spaming from the server

Author: Lena
Date:  
To: exim-users
Subject: Re: [exim] Regarding spaming from the server
I wrote:

> > From: Todd Lyons
>
> > > How to block stolen passwords automatically:
> > > https://github.com/Exim/exim/wiki/BlockCracking
> >
> > Lena, one corner case of this is when a legitimate user has one device
> > with the wrong password. Picture a typical small office where two or
> > three people use a small NAT router to connect to their business-class
> > DSL. One person changes their password and fixes it on their iPhone
> > because they have to leave to go do something. They leave. Their
> > Outlook is still open on their computer and someone comes by to check
> > something in the email. Outlook doesn't seem to be working right so
> > they hit the Send/Receive button multiple times. On the Exim server,
> > the limit for bad user/pass combinations gets hit and the IP gets added
> > to the blacklist. Now the whole office is blocked from sending email.
> >
> > I'd like to ponder whether there is a way to detect that the same
> > incorrect password is being sent over and over (indicating a
> > misconfigured device) as opposed to random passwords (indicating brute
> > forcing). To my knowledge, neither the actual password nor a hash of it
> > is made available anywhere except to the authenticator section. Can
> > you dream up any sequence that could be used to capture a hash of that
> > password, store it, and then use it to compare subsequent attempts?
>
> OK, untested changes for my code
> https://github.com/Exim/exim/wiki/BlockCracking :
>
> 1. Replacement for "accept" at the end of acl_check_auth:
>
>   accept set acl_c_authhash = ${if match{$smtp_command_argument}\
>           {\N(?i)^(?:plain|login) (.+)$\N}{${nhash_1000:$1}}}

>
> 2. Replacement for entire acl_check_quit:
>
>   warn  condition = $authentication_failed
>         condition = ${if def:acl_c_authhash}
>         ratelimit = 7 / 5m / strict / $sender_host_address-$acl_c_authhash

>
>   warn  condition = $authentication_failed
>         condition = ${if def:acl_c_authhash}
>         set acl_c_hashrate = ${sg{$sender_rate}{[.].*}{}}

>
>   warn  condition = $authentication_failed
>         logwrite = :reject: quit after authentication failed: \
>                             ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
>         ratelimit = 7 / 5m / strict / per_conn
>         condition = ${if or{\
>                             {!def:acl_c_authhash}\
>                             {<{$acl_c_hashrate}{2}}\
>                            }}
>         continue = ${run{SHELL -c "echo $sender_host_address \
>            >>$spool_directory/blocked_IPs; \
>            \N{\N echo Subject: $sender_host_address blocked; echo; echo \
>            for bruteforce auth cracking attempt.; \
>            \N}\N | EXIMBINARY WARNTO"}}


"logwrite $smtp_command_argument" in acl_check_auth revealed that
sendmail+sasl (acting as a client) gives a long "AUTH PLAIN ..." command
which includes the base64-encoded username and password, but
Outlook Express under Windows XP gives a short "AUTH LOGIN" command
and supplies the username and password only in replies to prompts.
Perhaps other Microsoft mail clients do the same.
In such cases the username and password are available only during
expansion of server_condition and server_set_id in the authenticator.
In order to pass a hash of the username and password into acl_check_quit,
the new Exim feature ${acl{...}} needs to be used. It's implemented:
http://git.exim.org/exim.git/commit/3e8abda0fa92b78c4a3dfbad940b12fc90c241e3
but not included in Exim 4.80.1.
In the future Exim 4.81 this should work instead of the "1." above:

begin acl
# Called from server_set_id via ${acl{hash}{...}}; $acl_arg1 is "user,pass".
# acl_c_* variables persist for the connection, so acl_check_quit sees it.
hash:
accept set acl_c_authhash = ${nhash_1000:$acl_arg1}

...

begin authenticators
PLAIN:
driver = plaintext
# $auth2 = username, $auth3 = password. The ${acl{...}} item expands to an
# empty string (the ACL sets no "message ="), so the id stays $auth2.
server_set_id = $auth2${acl{hash}{$auth2,$auth3}}
server_condition = ...

LOGIN:
driver = plaintext
server_prompts = Username:: : Password::
# $auth1 = username, $auth2 = password, as answered to the two prompts.
server_set_id = $auth1${acl{hash}{$auth1,$auth2}}
server_condition = ...
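The decision that the acl_check_quit sketch in this message makes, run over constructed traffic so the office-device case and the cracking case can be compared side by side. This is an added example, not Lena's ACL code and not Exim's implementation. It assumes a sliding-window count in place of Exim's exponentially smoothed ratelimit (a fair approximation for a burst well inside one 5m period), a truncated SHA-256 in place of ${nhash_1000:...}, and that a bare "AUTH LOGIN" client yields no hash at all, as described above for pre-4.81 Exim. All IPs, usernames and passwords below are made up.

```python
"""Added example (not from the thread): stand-alone model of the block
decision in the acl_check_quit sketch, over constructed failed-auth traffic.

Assumptions not in the original post:
  * Exim's ratelimit keeps an exponentially smoothed rate; here it is a
    count of events inside a sliding PERIOD window.
  * ${nhash_1000:...} is replaced by a truncated SHA-256; the ACL only
    needs a stable per-credential key.
  * A client sending a bare "AUTH LOGIN" yields no hash (cred_hash=None).
"""
import hashlib
from collections import defaultdict, deque

LIMIT = 7          # "ratelimit = 7 / 5m ..."
PERIOD = 5 * 60    # 5m, in seconds
MIN_REPEAT = 2     # "<{$acl_c_hashrate}{2}": a hash seen fewer than twice is "new"


def auth_hash(username, password):
    """Key part for $sender_host_address-$acl_c_authhash (nhash_1000 stand-in)."""
    return hashlib.sha256(f"{username},{password}".encode()).hexdigest()[:12]


class BlockCracking:
    def __init__(self):
        self._events = defaultdict(deque)   # ratelimit key -> event timestamps
        self.blocked = set()                # stand-in for $spool_directory/blocked_IPs

    def _rate(self, key, now):
        """Record one event for key and return its count in the last PERIOD.
        Both ratelimit statements in the post are 'strict', so the counter
        is updated whether or not the limit is exceeded."""
        q = self._events[key]
        q.append(now)
        while now - q[0] > PERIOD:
            q.popleft()
        return len(q)

    def quit_after_auth_failure(self, ip, now, cred_hash=None):
        """One QUIT after a failed AUTH. Returns True if this event blocks ip."""
        if ip in self.blocked:
            return False
        # 1st warn: rate of this exact (ip, credential) pair -> acl_c_hashrate
        hashrate = self._rate(f"{ip}-{cred_hash}", now) if cred_hash else 0
        # 3rd warn: "7 / 5m / strict / per_conn" over all failed connections
        conn_rate = self._rate(ip, now)
        over_limit = conn_rate > LIMIT
        # "!def:acl_c_authhash or acl_c_hashrate < 2": no hash captured, or a
        # password not yet repeated from this IP -> treat as cracking
        looks_like_cracking = cred_hash is None or hashrate < MIN_REPEAT
        if over_limit and looks_like_cracking:
            self.blocked.add(ip)
            return True
        return False


def simulate(attempts):
    """attempts: (t, ip, username, password); password None means the ACL
    never saw the credentials. Returns the list of (t, ip) block events."""
    bc = BlockCracking()
    events = []
    for t, ip, user, pw in attempts:
        h = auth_hash(user, pw) if pw is not None else None
        if bc.quit_after_auth_failure(ip, t, h):
            events.append((t, ip))
    return events


# Constructed traffic (not real logs); one tuple per failed-auth connection.
OFFICE = [(i * 10, "198.51.100.7", "alice", "OldPassw0rd") for i in range(12)]
CRACKER = [(i * 3, "203.0.113.9", "alice", f"guess{i}") for i in range(12)]
BLIND = [(i * 3, "192.0.2.5", "alice", None) for i in range(12)]
# NAT office: 10 retries of one stale password, then a colleague mistypes once.
MIXED = OFFICE[:10] + [(100, "198.51.100.7", "bob", "typo")]

if __name__ == "__main__":
    for name, traffic in [("office", OFFICE), ("cracker", CRACKER),
                          ("blind", BLIND), ("mixed", MIXED)]:
        print(f"{name:8s} blocked at: {simulate(traffic)}")
```

The OFFICE run never blocks, CRACKER and BLIND block on the eighth connection, and MIXED shows the gap that remains: once the NAT address is already over the per-connection limit because of the stale-password device, a single fresh wrong password from anyone behind it is indistinguishable from a guess and blocks the whole office. Two things to keep in mind when deploying the real ACL: the hashed credential becomes part of a key in Exim's ratelimit hints database, and nhash_1000 maps into only 1000 buckets, so unrelated wrong passwords from one IP can collide and be counted as a "repeat".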