Re: [exim] Dealing with Authenticated SMTP spam

Author: Ken Simpson
Date:  
To: exim-users@exim.org
Subject: Re: [exim] Dealing with Authenticated SMTP spam
As you scale up, tools like LogStash and ElasticSearch and/or Splunk become
important in the fight. We deal with tens of millions of messages a day and
would absolutely die without good log indexing and search capabilities.

I recall a talk by the former Anti-spam Czar at Yahoo! He stressed the
importance of building both fast and slow abuse prevention tactics into
your system. Fast tactics include things like rate limiting, content
filtering, and recipient validation. Slow tactics involve analysis of
historical logs to look for longer term patterns of abuse. You can get
arbitrarily sophisticated at both the slow and fast ends of the spectrum.

Another thing we have found very useful is to send different kinds of
outbound email traffic out of different IP addresses. For example, send
your PHP script email out of one IP, and your webmail email out of another
IP address. You might further want to have email from within your network
go out through one IP, and email from users logged in from overseas flow
out through another. Email receivers will learn from the type of email that
comes out of each IP, and treat each stream accordingly, which can reduce
your likelihood of running into blacklist problems.

Good luck - this is a huge challenge.

Regards,
Ken



On Tue, May 27, 2014 at 2:30 PM, Bertrand Cherrier <b.cherrier@???> wrote:

> Hi Paul,
>
> I’m dealing with this on a daily basis :(
> My solution (not the perfect one !) is to allow only auth on
> TLS/submission (port 587) from outside our IP range for relay.
> After only a few days, the problem came back.
> I’ve applied a rate limit of 2 emails per minute for relay requests outside
> our IP range.
>
> I still monitor compromised SMTP accounts so I can reset the customer
> password.
> But I’m done with playing with outbound smtp server while requesting to be
> de-listed from blacklist !
>
> Hope this helps ...
>
> On 28 May 2014 at 05:03, Paul Warren <pdw@???> wrote:
>
> > We're seeing a growing problem of spam being sent through our servers
> using compromised authenticated SMTP credentials.
> >
> > We suspect that the credentials are being stolen using malware on the
> users' computers (over which we have no control).
> >
> > Obviously we block the accounts as quickly as possible once we become
> aware of the problem, but typically by this point we'll be on multiple
> blacklists.
> >
> > Does anyone have any suggestions for detecting and blocking, or at least
> limiting the impact of, such attacks?
> >
> > We're currently considering rate-limiting, or trying to detect where a
> single user is using multiple IPs in quick succession.
> >
> > thanks,
> >
> > Paul
> >
> >
> > --
> > ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> > ## Exim details at http://www.exim.org/
> > ## Please use the Wiki with this list - http://wiki.exim.org/
>
> Bertrand Cherrier, Systems Administrator
> b.cherrier@???                        www.mls.nc
> @micrologicnc                   On Facebook
>
> Telephone: 24 99 24
> VoIP: 65 24 99 24
> Customer Service: 36 67 76 (58F/min)
>
--
Ken Simpson, CEO
MailChannels

Tel: 604-685-7488
www.mailchannels.com
twitter.com/ttul | ca.linkedin.com/in/ksimpson
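The "slow" log-analysis tactic Ken describes, combined with the two concrete signals raised in the thread (Paul's idea of spotting one account authenticating from several IPs in quick succession, and Bertrand's limit of 2 messages per minute for relay from outside the local IP range), as an added example that is not part of this thread and not Exim's own code. It assumes Exim main-log "<=" lines carrying an `A=authenticator:id` field and a `[ip]` host address; the sample lines, the account names, the address ranges and the thresholds are all constructed for the example, and the function names (`parse_log`, `find_suspicious`) are the example's own.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Exim main-log message arrivals.
# Not real log data: bob@example.net is made to look compromised (several
# submissions per minute from three different source addresses).
SAMPLE_LOG = """\
2014-05-27 14:30:01 1WpA01-0001aB-C1 <= alice@example.net H=(laptop) [203.0.113.10] P=esmtpsa A=plain:alice@example.net S=1200
2014-05-27 14:30:20 1WpA02-0001aB-C2 <= bob@example.net H=(host1) [198.51.100.7] P=esmtpsa A=plain:bob@example.net S=900
2014-05-27 14:30:35 1WpA03-0001aB-C3 <= bob@example.net H=(host2) [192.0.2.44] P=esmtpsa A=plain:bob@example.net S=900
2014-05-27 14:30:50 1WpA04-0001aB-C4 <= bob@example.net H=(host3) [198.51.100.99] P=esmtpsa A=plain:bob@example.net S=900
2014-05-27 14:31:05 1WpA05-0001aB-C5 <= bob@example.net H=(host1) [198.51.100.7] P=esmtpsa A=plain:bob@example.net S=900
2014-05-27 14:45:00 1WpA06-0001aB-C6 <= alice@example.net H=(phone) [203.0.113.11] P=esmtpsa A=plain:alice@example.net S=1500
2014-05-27 14:46:00 1WpA07-0001aB-C7 <= carol@example.net H=(webmail) [10.0.0.5] P=esmtpa A=plain:carol@example.net S=300
"""

# Timestamp, then message id, "<=", sender, the bracketed client IP and the
# A= authenticator:id field. Only authenticated arrivals match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ .*?\[(?P<ip>[^\]]+)\] "
    r".*?\bA=(?P<auth>\S+)"
)

# Assumed local range (constructed); submissions from here are exempt from
# the per-minute rate check, mirroring "outside our IP range".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Return (timestamp, authenticated id, client ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unauthenticated or non-arrival line
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        auth_id = m.group("auth").split(":", 1)[-1]  # drop authenticator name
        events.append((ts, auth_id, m.group("ip")))
    events.sort()
    return events


def _is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def find_suspicious(events, max_per_minute=2, max_ips_per_10min=2):
    """Flag accounts that exceed the per-minute submission limit from outside
    the local range, or that authenticate from too many distinct IPs within a
    10-minute window. Returns {account: sorted list of reasons}."""
    history = defaultdict(deque)  # account -> (ts, ip) within the last 10 min
    alerts = defaultdict(set)
    for ts, account, ip in events:
        q = history[account]
        q.append((ts, ip))
        while ts - q[0][0] > timedelta(minutes=10):
            q.popleft()  # expire old entries; the current one always remains
        if not _is_internal(ip):
            in_last_minute = sum(1 for t, _ in q if ts - t <= timedelta(minutes=1))
            if in_last_minute > max_per_minute:
                alerts[account].add("rate")
        if len({i for _, i in q}) > max_ips_per_10min:
            alerts[account].add("multi-ip")
    return {account: sorted(reasons) for account, reasons in alerts.items()}


if __name__ == "__main__":
    for account, reasons in find_suspicious(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: {', '.join(reasons)}")
```

Run over a real main log, the output is a list of accounts to review and reset, which is the manual step Bertrand describes; the thresholds are deliberately low for the sample and would be tuned against a site's own historical logs, which is exactly why the indexed log search Ken mentions matters.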