Re: [exim] Kick user - force disconnect authenticated sessio…

Top Pagina
Delete this message
Reply to this message
Auteur: Todd Lyons
Datum:  
Aan: Marcin Gryszkalis
CC: Exim Users
Onderwerp: Re: [exim] Kick user - force disconnect authenticated sessions
On Thu, Aug 8, 2013 at 7:03 AM, Marcin Gryszkalis <mg@???> wrote:
>> Implement this at first: https://github.com/Exim/exim/wiki/BlockCracking
> Thanks, I'll look at this tonight.


The exim configuration above will get rid of nearly all of your issues.

>>> After detecting unusual rate of mails from one account
>> How much exactly and per what time period do you consider unusual?
> I'm doing simple statistics, ie. I keep counters in database (aggregated for
> day and account):
> mails, traffic size and recipients number. So I can see that this particular
> user sends for
> example average of 10 mails per day (averaged over 30 days). If I see 500%
> increase in number
> of mails sent then it means that something's wrong.
> I also have some static thresholds (like 1000 recipients/day) for cases when
> above statistics fail.


Behavior of the abuse source indicates what's ultimately doing it

1) Multiple IP's send with SMTP Auth, more than N ip addresses per
$INTERVAL. Typical of a botnet. How did the botnet get the
user/pass? Could be trojan on his windows machine. Could be your
pop/imap servers don't detect and/or block brute force. Could be your
smtp auth servers don't detect and/or block brute force. (The URL
authored by Lena will solve MUCH of this for you).

2) One single IP sends with SMTP Auth, more than N messages per
$INTERVAL. Typical of a spamware trojan on the customer's computer.

2b) One single IP sends with SMTP Auth, more than N messages per connection.


>> Did you ever see a botnet to use SMTP and IMAP/POP3 for the same account
>> simultaneously? For what?


No, not noticed, but...

> I've seen bots gathering valid recipients from victim's mailbox (this is
> what I guess - they just
> checked headers for all emails).


I never looked for this particular signal. I'll pay attention in the future.

>> But I'm interested how many messages this will in fact drop.
>> If you are really sure that such botnet does in fact use
>> multiple simultaneous connections authenticated with the same account
>> then you can add to the code linked above:


Here is a typical botnet abused account for me:

2013-08-01 -> mailbox joe@???: (13)
  109.162.53.114 => 1
  113.179.7.245 => 1
  178.127.206.42 => 1
  178.172.228.184 => 1
  178.45.98.44 => 1
  212.76.21.55 => 1
  213.111.169.21 => 1
  37.212.92.153 => 1
  37.45.134.250 => 1
  37.45.202.213 => 1
  46.28.69.81 => 1
  77.121.250.77 => 1
  84.238.189.212 => 1
    Last connection from 77.121.250.77 at 11:59:03


> I'm sure, recently I've seen something like 20+ simultaneous connection
> attempts from different IPs.
> Even worse - it looked a bit similar to ssh-dictionary-attack bots: every
> bot/ip was used to send
> no more than 1-3 mails.


I see that too. They keep the number of emails per session down so
that it doesn't trip other types of spam detection (i.e. 2b above).

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine