Re: [exim] Dealing with Authenticated SMTP spam

Startseite
Diese Nachricht ist Teil des folgenden Threads:
M+-++++\Der komplette Thread sortiert nach Datum
MM\MMMMMPaul Warren am <-
MMMMMMTodd Lyons am ->
Nachricht löschen
Nachricht beantworten
Autor: Jasen Betts
Datum:  
To: exim-users
Betreff: Re: [exim] Dealing with Authenticated SMTP spam
On 2014-05-27, Paul Warren <pdw@???> wrote:
> We're seeing a growing problem of spam being sent through our servers
> using compromised authenticated SMTP credentials.
>
> We suspect that the credentials are being stolen using malware on the
> users' computers (over which we have no control).
>
> Obviously we block the accounts as quickly as possible once we become
> aware of the problem, but typically by this point we'll be on multiple
> blacklists.
>
> Does anyone have any suggestions for detecting and blocking, or at least
> limiting the impact of, such attacks?

Some sort of rate-limit on the credential.



You could start compiling a list of spamtrap domains. (but you'll only
find them the hard way)

> We're currently considering rate-limiting, or trying to detect where a
> single user is using multiple IPs in quick succession.

Multi ips could be valid if they used the same creds for their laptop,
phone, and document scanner. or if it's shared amongst a team.



--
umop apisdn


Diese Nachricht wurde auf der folgenden Mailing-List gepostet:
Exim-users
Mailing-List-Info | Nachrichten um die Zeit		<-[exim] LMTP deliver to subfoldersRe: [exim] LMTP deliver to subfolders->
Tahini and Hummus and Cumin Development Archives administriert von cumin AdminsLurker (Version 2.3)