Re: [exim] Dealing with Authenticated SMTP spam

Top Page
Delete this message
Reply to this message
Author: Bertrand Cherrier
Date:  
To: exim-users
Subject: Re: [exim] Dealing with Authenticated SMTP spam
Hi Paul,

I’m dealing with this on a daily basis :(
My solution (not the perfect one !) is to allow only auth on TLS/submission (port 587) from outside our IP range for relay.
After only a few days, the problem came back.
I’ve applied a rate limit to 2 email per minute for relay request outside our IP range.

I still monitor compromised smtp account so I can reset the customer password.
But I’m done with playing with outbound smtp server while requesting to be de-listed from blacklist !

Hope this helps ...

Le 28 mai 2014 à 05:03, Paul Warren <pdw@???> a écrit :

> We're seeing a growing problem of spam being sent through our servers using compromised authenticated SMTP credentials.
>
> We suspect that the credentials are being stolen using malware on the users' computers (over which we have no control).
>
> Obviously we block the accounts as quickly as possible once we become aware of the problem, but typically by this point we'll be on multiple blacklists.
>
> Does anyone have any suggestions for detecting and blocking, or at least limiting the impact of, such attacks?
>
> We're currently considering rate-limiting, or trying to detect where a single user is using multiple IPs in quick succession.
>
> thanks,
>
> Paul
>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/





             Bertrand Cherrier, Administrateur Systèmes
    b.cherrier@???             www.mls.nc     
    @micrologicnc             Sur facebook


Téléphone: 24 99 24
VoIP: 65 24 99 24
Service Clientèle: 36 67 76 (58F/min)