Author: Paul Warren
Date:
To: exim-users
Subject: [exim] Dealing with Authenticated SMTP spam
We're seeing a growing problem of spam being sent through our servers
using compromised authenticated SMTP credentials.
We suspect that the credentials are being stolen using malware on the
users' computers (over which we have no control).
Obviously we block the accounts as quickly as possible once we become
aware of the problem, but typically by this point we'll be on multiple
blacklists.
Does anyone have any suggestions for detecting and blocking, or at least
limiting the impact of, such attacks?
We're currently considering rate-limiting, or trying to detect where a
single user is using multiple IPs in quick succession.
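The two heuristics raised in the post (a single account sending in a burst, and a single account authenticating from several source addresses in quick succession) can be checked offline against the Exim main log before any ACL change is made. The following Python script is an added example, not code from the original post or from the Exim project: it parses constructed, simplified Exim-style `<=` arrival lines (real lines carry extra fields such as `X=` TLS details, and a timezone suffix if `log_timezone` is set), and the window and threshold values are assumptions to be tuned against your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for Exim main-log message-arrival ("<=") lines that carry an
# "A=<authenticator>:<id>" field, i.e. mail accepted via SMTP AUTH.
# Only the timestamp, client address and authenticated id are captured;
# everything else on the line is skipped over.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ "
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*?\bA=(?P<authr>[^:\s]+):(?P<authid>\S+)"
)


def parse_line(line):
    """Return {'ts', 'ip', 'user'} for an authenticated '<=' line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "ip": m.group("ip"),
        "user": m.group("authid"),
    }


def find_suspicious(lines, window=timedelta(minutes=10), max_msgs=20, max_ips=3):
    """Flag accounts that, within a sliding window, either send more than
    max_msgs messages ("burst") or authenticate from more than max_ips
    distinct client addresses ("multi-ip").  Thresholds are assumptions.
    Returns {authenticated_id: sorted list of reasons}."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # user -> deque of (ts, ip) inside the window
    flagged = {}
    for e in events:
        q = recent[e["user"]]
        q.append((e["ts"], e["ip"]))
        while q and e["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) > max_msgs:
            flagged.setdefault(e["user"], set()).add("burst")
        if len({ip for _, ip in q}) > max_ips:
            flagged.setdefault(e["user"], set()).add("multi-ip")
    return {u: sorted(r) for u, r in flagged.items()}


def _line(ts, msgid, sender, ip, user):
    # Constructed, simplified Exim-style "<=" line for an authenticated submission.
    return (f"{ts:%Y-%m-%d %H:%M:%S} {msgid} <= {sender} H=(client) [{ip}] "
            f"P=esmtpsa A=plain:{user} S=1432 id={msgid}@example.com")


# Constructed sample log: alice is normal, bob authenticates from four
# addresses in three minutes, carol sends 25 messages in two minutes.
T0 = datetime(2024, 3, 10, 9, 0, 0)
SAMPLE_LOG = [
    _line(T0, "1rbT3k-0003Wx-2Q", "alice@example.com", "198.51.100.7", "alice@example.com"),
    _line(T0 + timedelta(minutes=4), "1rbT3o-0003X1-5A", "alice@example.com", "198.51.100.7", "alice@example.com"),
    _line(T0 + timedelta(minutes=1), "1rbT3l-0003Wy-1B", "bob@example.com", "203.0.113.10", "bob@example.com"),
    _line(T0 + timedelta(minutes=2), "1rbT3m-0003Wz-2C", "bob@example.com", "203.0.113.77", "bob@example.com"),
    _line(T0 + timedelta(minutes=3), "1rbT3n-0003X0-3D", "bob@example.com", "198.51.100.200", "bob@example.com"),
    _line(T0 + timedelta(minutes=3, seconds=20), "1rbT3p-0003X2-4E", "bob@example.com", "192.0.2.15", "bob@example.com"),
]
SAMPLE_LOG += [
    _line(T0 + timedelta(seconds=5 * i), f"1rbT{i:02d}-0003Y{i:02d}-0C",
          "carol@example.com", "192.0.2.44", "carol@example.com")
    for i in range(25)
]
# An unauthenticated inbound message has no A= field and is ignored.
SAMPLE_LOG.append("2024-03-10 09:02:00 1rbT3z-0003Wq-9Z <= news@example.net "
                  "H=mail.example.net [192.0.2.99] P=esmtps S=5120 id=x@example.net")

if __name__ == "__main__":
    for user, reasons in find_suspicious(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(reasons)}")
```

Run it against the actual main log (`find_suspicious(open("/var/log/exim4/mainlog"))`) to see which thresholds would have caught past incidents without tripping on legitimate users such as those who switch between office and mobile networks. The in-MTA counterpart for the burst case is Exim's `ratelimit` ACL condition keyed on `$authenticated_id`, which rejects or defers at SMTP time instead of after the fact.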