Hi Paul,
I’m dealing with this on a daily basis :(
My solution (not the perfect one !) is to allow only auth on TLS/submission (port 587) from outside our IP range for relay.
After only a few days, the problem came back.
I’ve applied a rate limit to 2 email per minute for relay request outside our IP range.
I still monitor compromised smtp account so I can reset the customer password.
But I’m done with playing with outbound smtp server while requesting to be de-listed from blacklist !
Hope this helps ...
Le 28 mai 2014 à 05:03, Paul Warren <pdw@???> a écrit :
> We're seeing a growing problem of spam being sent through our servers using compromised authenticated SMTP credentials.
>
> We suspect that the credentials are being stolen using malware on the users' computers (over which we have no control).
>
> Obviously we block the accounts as quickly as possible once we become aware of the problem, but typically by this point we'll be on multiple blacklists.
>
> Does anyone have any suggestions for detecting and blocking, or at least limiting the impact of, such attacks?
>
> We're currently considering rate-limiting, or trying to detect where a single user is using multiple IPs in quick succession.
>
> thanks,
>
> Paul
>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
Bertrand Cherrier, Administrateur Systèmes
b.cherrier@??? www.mls.nc
@micrologicnc Sur facebook
Téléphone: 24 99 24
VoIP: 65 24 99 24
Service Clientèle: 36 67 76 (58F/min)