On Thu, Aug 8, 2013 at 7:03 AM, Marcin Gryszkalis <mg@???> wrote:
>> Implement this at first: https://github.com/Exim/exim/wiki/BlockCracking
> Thanks, I'll look at this tonight.
The exim configuration above will get rid of nearly all of your issues.
>>> After detecting unusual rate of mails from one account
>> How much exactly and per what time period do you consider unusual?
> I'm doing simple statistics, i.e. I keep counters in a database (aggregated
> per day and account): mails, traffic size and number of recipients. So I can
> see that this particular user sends, for example, an average of 10 mails per
> day (averaged over 30 days). If I see a 500% increase in the number of mails
> sent, then it means that something's wrong.
> I also have some static thresholds (like 1000 recipients/day) for cases when
> the above statistics fail.
Behavior of the abuse source indicates what's ultimately doing it:
1) Multiple IPs send with SMTP Auth, more than N IP addresses per
$INTERVAL. Typical of a botnet. How did the botnet get the
user/pass? Could be a trojan on his Windows machine. Could be your
POP/IMAP servers don't detect and/or block brute force. Could be your
SMTP auth servers don't detect and/or block brute force. (The URL
authored by Lena will solve MUCH of this for you.)
2) One single IP sends with SMTP Auth, more than N messages per
$INTERVAL. Typical of a spamware trojan on the customer's computer.
2b) One single IP sends with SMTP Auth, more than N messages per connection.
>> Did you ever see a botnet to use SMTP and IMAP/POP3 for the same account
>> simultaneously? For what?
No, not noticed, but...
> I've seen bots gathering valid recipients from the victim's mailbox (this is
> what I guess - they just checked the headers of all emails).
I never looked for this particular signal. I'll pay attention in the future.
>> But I'm interested how many messages this will in fact drop.
>> If you are really sure that such botnet does in fact use
>> multiple simultaneous connections authenticated with the same account
>> then you can add to the code linked above:
Here is a typical botnet abused account for me:
2013-08-01 -> mailbox joe@???: (13)
109.162.53.114 => 1
113.179.7.245 => 1
178.127.206.42 => 1
178.172.228.184 => 1
178.45.98.44 => 1
212.76.21.55 => 1
213.111.169.21 => 1
37.212.92.153 => 1
37.45.134.250 => 1
37.45.202.213 => 1
46.28.69.81 => 1
77.121.250.77 => 1
84.238.189.212 => 1
Last connection from 77.121.250.77 at 11:59:03
> I'm sure; recently I've seen something like 20+ simultaneous connection
> attempts from different IPs.
> Even worse - it looked a bit similar to ssh-dictionary-attack bots: every
> bot/IP was used to send no more than 1-3 mails.
I see that too. They keep the number of emails per session down so
that it doesn't trip other types of spam detection (i.e. 2b above).
...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
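Added example, not code from this thread, from Exim or from the BlockCracking wiki page: a small Python checker that runs Todd's pattern 1 (many IPs per account per interval) and pattern 2 (many messages per account+IP per interval), plus Marcin's per-day baseline rule (today's count against a 30-day average, with a static hard limit), over constructed Exim-style "<=" arrival log lines. The log line shape, the account names and IPs, the window lengths and the thresholds are all assumptions chosen for illustration; pattern 2b (messages per connection) needs a connection identifier that an arrival line does not carry, so it is left to the MTA and not modelled here.

```python
"""Flag SMTP AUTH abuse patterns from Exim-style arrival log lines.

Added example for the thread above; thresholds and log format are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Exim-style "<=" arrival lines (NOT real logs). The checker uses
# three fields: the timestamp, the connecting IP in [...] and the SMTP AUTH
# user in A=login:<user>. Message IDs and sizes are filler.
_LINE = ("2013-08-01 {t} 1V5a{n:02d}-0001Ab-Cd <= {u}@example.net H=(pc) "
         "[{ip}] P=esmtpsa A=login:{u} S=812")
_JOE_IPS = ["109.162.53.114", "113.179.7.245", "178.127.206.42", "178.172.228.184",
            "178.45.98.44", "212.76.21.55", "213.111.169.21", "37.212.92.153"]
SAMPLE_LOG = "\n".join(
    # joe: one message each from eight different IPs inside ten minutes (pattern 1)
    [_LINE.format(t=f"11:5{i}:03", n=i, u="joe", ip=ip) for i, ip in enumerate(_JOE_IPS)]
    # bob: 25 messages from a single IP in under half an hour (pattern 2)
    + [_LINE.format(t=f"12:{i:02d}:10", n=20 + i, u="bob", ip="198.51.100.7")
       for i in range(25)]
    # alice: normal use, three messages from one home IP spread over the day
    + [_LINE.format(t=t, n=50 + i, u="alice", ip="203.0.113.9")
       for i, t in enumerate(["08:10:00", "13:22:41", "18:05:09"])]
)

ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ .*?"
    r"\[(?P<ip>[^\]]+)\].*? A=\w+:(?P<user>\S+)"
)


def parse_arrivals(log_text):
    """Return a list of (timestamp, account, ip) for each authenticated arrival."""
    events = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def multi_ip_accounts(events, max_ips=5, interval=timedelta(hours=1)):
    """Pattern 1: accounts seen from more than max_ips distinct IPs inside any
    sliding window of length interval. Returns {account: sorted IPs of the
    largest offending window}. Assumed thresholds: 5 IPs per hour."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, recs in by_user.items():
        recs.sort()
        worst = set()
        for i, (start, _) in enumerate(recs):
            window = {ip for ts, ip in recs[i:] if ts - start <= interval}
            if len(window) > len(worst):
                worst = window
        if len(worst) > max_ips:
            flagged[user] = sorted(worst)
    return flagged


def chatty_ips(events, max_msgs=20, interval=timedelta(hours=1)):
    """Pattern 2: (account, ip) pairs sending more than max_msgs messages inside
    any sliding window of length interval. Returns {(account, ip): peak count}.
    Assumed thresholds: 20 messages per hour from one IP."""
    by_pair = defaultdict(list)
    for ts, user, ip in events:
        by_pair[(user, ip)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        peak, j = 0, 0
        for i in range(len(stamps)):          # two-pointer sliding window
            while stamps[i] - stamps[j] > interval:
                j += 1
            peak = max(peak, i - j + 1)
        if peak > max_msgs:
            flagged[pair] = peak
    return flagged


def baseline_alert(history, today, factor=5.0, hard_limit=1000):
    """Per-day rule from the thread: compare today's count with the average of
    the previous days (30 in the thread). 'static' if the hard limit is hit,
    'spike' if today is at least factor times the average, else None.
    factor=5 is an assumed reading of the '500% increase' rule."""
    if today >= hard_limit:
        return "static"
    avg = sum(history) / len(history) if history else 0.0
    if avg and today >= factor * avg:
        return "spike"
    return None


if __name__ == "__main__":
    ev = parse_arrivals(SAMPLE_LOG)
    print("pattern 1 (botnet, many IPs):", multi_ip_accounts(ev))
    print("pattern 2 (one chatty IP):   ", chatty_ips(ev))
    print("baseline, 10/day avg, 60 today:", baseline_alert([10] * 30, 60))
```

Run it as a script to see joe flagged by pattern 1 and bob by pattern 2 while alice stays clean; feed real Exim main log text to parse_arrivals only after checking that the regex matches your log_selector settings, since the constructed lines above are a guess at the field layout.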