On Tue, 27 May 2014, Paul Warren wrote:
> From: Paul Warren <pdw@???>
> To: exim-users@???
> Date: Tue, 27 May 2014 19:03:23
> Subject: [exim] Dealing with Authenticated SMTP spam
>
> We're seeing a growing problem of spam being sent through our
> servers using compromised authenticated SMTP credentials.
...
> Does anyone have any suggestions for detecting and blocking, or at
> least limiting the impact of, such attacks?
>
> We're currently considering rate-limiting, or trying to detect
> where a single user is using multiple IPs in quick succession.
There's stuff in the Exim Wiki on precisely this subject. Have a
look at Lena's suggested solution:
https://github.com/Exim/exim/wiki/BlockCracking
which may give you a few ideas even if it isn't precisely what's
required.
I've never had to use anything like this myself so the above is just
about all I know on the subject. But I get the distinct impression
that the above is a well-crafted solution.
At the organisation where I used to work, we saw compromised
accounts sending spam via the webmail server. Probably being script
driven. So you may get a few hints from your webmail server if you
run one. That server will see the connecting IPs, whereas exim may
only see connections from the webmail server. Webmail server logs
may be of interest.
--
Dennis Davis <dennisdavis@???>
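As an added example (not part of the thread, and not the BlockCracking recipe linked above), the following script implements the two checks Paul mentions, a per-account message rate limit and detection of one account authenticating from several client IPs in quick succession, as an offline pass over Exim mainlog arrival lines. It assumes the usual layout of an Exim `<=` line (`H=host [ip]`, `P=esmtpa`/`P=esmtpsa`, `A=authenticator:user`); the log lines, addresses, message ids, thresholds and the `webmail.example.com` host are constructed for the demonstration.

```python
"""Flag authenticated SMTP accounts whose recent sending pattern suggests a
stolen password: many distinct client IPs, or many messages, inside a short
window.  Input is Exim mainlog "<=" (message arrival) text.  The sample log
below is constructed for this example (RFC 5737 test addresses, made-up ids)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields taken from an Exim arrival line: timestamp, H=... [client-ip],
# P=esmtpa or P=esmtpsa (authenticated SMTP), A=<authenticator>:<auth id>.
# Unauthenticated lines (P=smtp, P=esmtps, ...) deliberately do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ "
    r"H=[^\[]*\[(?P<ip>[0-9a-fA-F.:]+)\] P=esmtps?a\b.*? A=\w+:(?P<user>\S+)"
)

# Constructed sample: alice is normal, bob's password is being used from four
# IPs within three minutes, carol is sending in bulk via a webmail host, so
# Exim only ever sees the webmail server's address for her.
SAMPLE_LOG = """\
2014-05-27 19:00:01 1WpHxa-0001A2-3b <= alice@example.com H=(client.home) [198.51.100.7] P=esmtpsa X=TLS1.2:DHE-RSA-AES256-SHA:256 A=dovecot_plain:alice@example.com S=2048 id=a1@client.home
2014-05-27 19:00:05 1WpHxe-0001A4-Pq <= someone@example.net H=mx.example.net [203.0.113.9] P=esmtps X=TLS1.2:DHE-RSA-AES256-SHA:256 S=3100 id=x1@example.net
2014-05-27 19:02:10 1WpHzc-0001B0-Kd <= bob@example.com H=(pc1) [203.0.113.41] P=esmtpa A=dovecot_login:bob@example.com S=9800 id=b1@pc1
2014-05-27 19:02:44 1WpI0A-0001B3-Qz <= bob@example.com H=(localhost) [198.51.100.200] P=esmtpa A=dovecot_login:bob@example.com S=9802 id=b2@localhost
2014-05-27 19:03:12 1WpI0c-0001B7-2f <= bob@example.com H=(user) [192.0.2.77] P=esmtpa A=dovecot_login:bob@example.com S=9799 id=b3@user
2014-05-27 19:04:30 1WpI1s-0001C1-Hw <= bob@example.com H=(pc2) [203.0.113.130] P=esmtpa A=dovecot_login:bob@example.com S=9801 id=b4@pc2
2014-05-27 19:05:00 1WpI2M-0001C5-8a <= alice@example.com H=(client.home) [198.51.100.7] P=esmtpsa X=TLS1.2:DHE-RSA-AES256-SHA:256 A=dovecot_plain:alice@example.com S=1500 id=a2@client.home
2014-05-27 19:06:01 1WpI3L-0001C9-1a <= carol@example.com H=webmail.example.com [192.0.2.5] P=esmtpa A=dovecot_plain:carol@example.com S=7000 id=c1@webmail.example.com
2014-05-27 19:06:08 1WpI3S-0001D0-2b <= carol@example.com H=webmail.example.com [192.0.2.5] P=esmtpa A=dovecot_plain:carol@example.com S=7000 id=c2@webmail.example.com
2014-05-27 19:06:15 1WpI3Z-0001D2-3c <= carol@example.com H=webmail.example.com [192.0.2.5] P=esmtpa A=dovecot_plain:carol@example.com S=7000 id=c3@webmail.example.com
2014-05-27 19:06:22 1WpI3g-0001D4-4d <= carol@example.com H=webmail.example.com [192.0.2.5] P=esmtpa A=dovecot_plain:carol@example.com S=7000 id=c4@webmail.example.com
2014-05-27 19:06:30 1WpI3o-0001D6-5e <= carol@example.com H=webmail.example.com [192.0.2.5] P=esmtpa A=dovecot_plain:carol@example.com S=7000 id=c5@webmail.example.com
2014-05-27 19:06:40 1WpI3y-0001D8-6f <= carol@example.com H=webmail.example.com [192.0.2.5] P=esmtpa A=dovecot_plain:carol@example.com S=7000 id=c6@webmail.example.com
"""


def parse_line(line):
    """Return (timestamp, client_ip, authenticated_user) for an authenticated
    arrival line, or None for anything else (unauthenticated mail, other log
    records)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]


def detect(log_text, window=timedelta(minutes=10), max_ips=3, max_msgs=100):
    """Sliding-window check per authenticated user.

    Returns {user: {"distinct_ips": (count, ts), "msg_rate": (count, ts)}},
    listing only the checks that fired and the moment each threshold was
    first crossed.  Users who stay under both thresholds are absent.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, ip, user = rec
            by_user[user].append((ts, ip))

    alerts = {}
    for user, events in by_user.items():
        events.sort()
        recent = deque()          # events inside the trailing window
        hits = {}
        for ts, ip in events:
            recent.append((ts, ip))
            while recent[0][0] < ts - window:
                recent.popleft()
            ips = {i for _, i in recent}
            if len(ips) >= max_ips and "distinct_ips" not in hits:
                hits["distinct_ips"] = (len(ips), ts)
            if len(recent) >= max_msgs and "msg_rate" not in hits:
                hits["msg_rate"] = (len(recent), ts)
        if hits:
            alerts[user] = hits
    return alerts


if __name__ == "__main__":
    # Low message threshold so the small sample trips it; tune for real volume.
    for user, hits in sorted(detect(SAMPLE_LOG, max_msgs=5).items()):
        for reason, (count, ts) in hits.items():
            print(f"{ts} {user}: {reason}={count}")
```

Note what happens with carol: every message arrives from the webmail server's own address, so the distinct-IP check never fires for her and only the rate check does. That is exactly the gap Dennis points at above, and the reason the webmail server's own logs, which do see the real client IPs, are the place to look for that case.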