On 2013-08-08, Lena@??? <Lena@???> wrote:
>> From: Marcin Gryszkalis
>
>> I wonder if it's possible to disconnect all active sessions for given
>> authenticated user.
>
>> It would be used to close sessions used by accounts stolen by spammers.
>
> Do you already have compromised accounts blocked when automatically detected?
> If no then automatic blocking of new RCPT commands for blocked account
> (and dropping all already accepted recipients of the spam message which
> was the last straw which triggered the detector) is better than nothing,
> and I don't see much difference from killing connections.
> Implement this at first: https://github.com/Exim/exim/wiki/BlockCracking
> After it triggers, tell us whether it in fact did its job
> and how much unfrozen spams via that compromised account in the queue
> did you see. You'll see frozen spam, but I'm interested in
> quantity of unfrozen.
>
>> After detecting unusual rate of mails from one account
>
> How much exactly and per what time period do you consider unusual?
>
>> I lock it in database, freeze
>> all suspiciousmails in queue, send alert to postmaster
>
> The code linked above does all this.
>
>> and close all imap/pop3
>> sessions (with `doveadm kick user@`)
>
> Did you ever see a botnet to use SMTP and IMAP/POP3 for the same account
> simultaneously? For what?
I've seen them use dictionary attacks against POP3 to get passwords for
SMTP-AUTH (or presumably for SMTP-after-POP3)
--
⚂⚃ 100% natural
