Re: [exim] Kick user - force disconnect authenticated sessio…

Góra strony
Delete this message
Reply to this message
Autor: Lena
Data:  
Dla: exim-users
Temat: Re: [exim] Kick user - force disconnect authenticated sessions
> From: Marcin Gryszkalis

> I wonder if it's possible to disconnect all active sessions for given
> authenticated user.


> It would be used to close sessions used by accounts stolen by spammers.


Do you already have compromised accounts blocked when automatically detected?
If no then automatic blocking of new RCPT commands for blocked account
(and dropping all already accepted recipients of the spam message which
was the last straw which triggered the detector) is better than nothing,
and I don't see much difference from killing connections.
Implement this at first: https://github.com/Exim/exim/wiki/BlockCracking
After it triggers, tell us whether it in fact did its job
and how much unfrozen spams via that compromised account in the queue
did you see. You'll see frozen spam, but I'm interested in
quantity of unfrozen.

> After detecting unusual rate of mails from one account


How much exactly and per what time period do you consider unusual?

> I lock it in database, freeze
> all suspiciousmails in queue, send alert to postmaster


The code linked above does all this.

> and close all imap/pop3
> sessions (with `doveadm kick user@`)


Did you ever see a botnet to use SMTP and IMAP/POP3 for the same account
simultaneously? For what?

> From: Mike Cardwell


> Couldn't you just perform a check in the pre-data acl
> to see if the user has been blocked and perform a "drop" if
> they have? It wouldn't give you an immediate disconnect, but
> it would disconnect them as soon as they try to send another
> email on an existing connection. Practically speaking, it
> probably would drop connections just as fast as anything
> else you come up with...


Yes, this is as good as instant killing of connections,
and better than parsing logs.
But I'm interested how many messages this will in fact drop.
If you are really sure that such botnet does in fact use
multiple simultaneous connections authenticated with the same account
then you can add to the code linked above:

acl_check_predata:
  accept authenticated = *
        condition = ${if exists{$spool_directory/blocked_authenticated_users}}
        condition = ${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_authenticated_users}{1}{0}}
        control = freeze/no_tell
        control = submission/domain=
        add_header = X-Authenticated-As: $acl_m_user


  accept hosts = !@[] : +relay_from_hosts
        condition = ${if exists{$spool_directory/blocked_relay_users}}
        condition = ${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_relay_users}{1}{0}}
        control = freeze/no_tell
        control = submission/domain=
        add_header = X-Relayed-From: $acl_m_user


accept

and same in acl_check_data (even less likely to catch some more).