Re: [exim] Kick user - force disconnect authenticated sessio…

Author: Marcin Gryszkalis
Date:  
To: Exim Users
Subject: Re: [exim] Kick user - force disconnect authenticated sessions
On 2013-08-08 14:19, Lena@??? wrote:
>> It would be used to close sessions used by accounts stolen by
>> spammers.
>
> Do you already have compromised accounts blocked when automatically
> detected?


yes

> If no then automatic blocking of new RCPT commands for blocked account
> (and dropping all already accepted recipients of the spam message which
> was the last straw which triggered the detector) is better than
> nothing,
> and I don't see much difference from killing connections.


I think I may see a difference (see below).

> Implement this at first:
> https://github.com/Exim/exim/wiki/BlockCracking


Thanks, I'll look at this tonight.

>> After detecting unusual rate of mails from one account
>
> How much exactly and per what time period do you consider unusual?


I'm doing simple statistics, i.e. I keep counters in a database (aggregated
per day and account): mails, traffic size and number of recipients. So I can
see that this particular user sends, for example, an average of 10 mails per
day (averaged over 30 days). If I see a 500% increase in the number of mails
sent, then it means that something's wrong.

I also have some static thresholds (like 1000 recipients/day) for cases
when the above statistics fail.

> Did you ever see a botnet to use SMTP and IMAP/POP3 for the same
> account
> simultaneously? For what?


I've seen bots gathering valid recipients from the victim's mailbox (this is
what I guess - they just checked the headers of all emails).

> But I'm interested how many messages this will in fact drop.
> If you are really sure that such botnet does in fact use
> multiple simultaneous connections authenticated with the same account
> then you can add to the code linked above:


I'm sure; recently I've seen something like 20+ simultaneous connection
attempts from different IPs. Even worse, it looked a bit similar to
SSH dictionary-attack bots: every bot/IP was used to send no more than
1-3 mails.

best regards
--
Marcin Gryszkalis, PGP 0x9F183FA3
jabber jid:mg@???, gg:2532994
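The per-account detector Marcin describes (daily counters for mails, traffic size and recipients, a 30-day average, a 500% jump as the trigger, and static limits such as 1000 recipients/day as a fallback) can be sketched as follows. This is an added example, not Marcin's code and not part of Exim: the sample history is constructed, "500% increase" is read as five times the 30-day average, and the minimum baseline length and the static limits for mails and bytes are assumed values (only the 1000 recipients/day figure comes from the post).

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class DayStats:
    """One day's aggregated counters for one account (the three from the post)."""
    mails: int
    bytes: int
    recipients: int


METRICS = ("mails", "bytes", "recipients")
BASELINE_DAYS = 30      # from the post: averaged over 30 days
RATIO = 5.0             # "500% increase" read as five times the baseline (assumption)
MIN_BASELINE_DAYS = 7   # assumption: with less history, rely on static limits only

# Absolute per-day limits for when the baseline is missing or too short.
# 1000 recipients/day is the post's example; the other two are assumed.
STATIC_LIMITS = {"mails": 500, "bytes": 500 * 1024 * 1024, "recipients": 1000}


def baseline(history):
    """Per-metric mean over the most recent BASELINE_DAYS days, or None if too short."""
    window = history[-BASELINE_DAYS:]
    if len(window) < MIN_BASELINE_DAYS:
        return None
    return {m: mean(getattr(d, m) for d in window) for m in METRICS}


def check_account(history, today):
    """Return a list of (metric, kind, value) anomalies for today's counters.

    kind is "ratio" when the value is at least RATIO times the 30-day average,
    and "static" when it crosses an absolute limit (checked regardless of baseline,
    which is what catches a fresh or rarely used account with no usable history).
    """
    hits = []
    base = baseline(history)
    for m in METRICS:
        value = getattr(today, m)
        if base is not None and base[m] > 0 and value >= RATIO * base[m]:
            hits.append((m, "ratio", value))
        if value >= STATIC_LIMITS[m]:
            hits.append((m, "static", value))
    return hits


def anomalous_accounts(history, today):
    """history: {account: [DayStats, ...]}; today: {account: DayStats}."""
    return {acct: hits for acct, day in today.items()
            if (hits := check_account(history.get(acct, []), day))}


# Constructed sample data: alice and bob have 30 normal days (10 mails/day),
# mallory is a brand-new account with no history at all.
NORMAL_DAY = DayStats(mails=10, bytes=10 * 40_000, recipients=12)
HISTORY = {
    "alice": [NORMAL_DAY] * 30,
    "bob": [NORMAL_DAY] * 30,
    "mallory": [],
}
TODAY = {
    "alice": DayStats(mails=55, bytes=55 * 40_000, recipients=60),      # ~5.5x baseline
    "bob": DayStats(mails=30, bytes=30 * 40_000, recipients=36),        # 3x: noisy but not flagged
    "mallory": DayStats(mails=400, bytes=400 * 3_000, recipients=1200), # no baseline; static limit
}

if __name__ == "__main__":
    for acct, hits in anomalous_accounts(HISTORY, TODAY).items():
        for metric, kind, value in hits:
            print(f"{acct}: {metric}={value} ({kind})")
```

The two checks are deliberately independent: the ratio test only fires once there is enough history, so a dormant account whose average is near zero does not trip on its first few legitimate mails, while the static limits still catch an account that is new or has been quiet and then suddenly fans out to a thousand recipients.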