Re: [exim] Dealing with Authenticated SMTP spam

Top Page
This message is part of the following thread:
M+-++++\the complete thread tree sorted by date
MM\MMMMMPaul Warren at <-
MMMMMMTodd Lyons at ->
Delete this message
Reply to this message
Author: Jasen Betts
Date:  
To: exim-users
Subject: Re: [exim] Dealing with Authenticated SMTP spam
On 2014-05-27, Paul Warren <pdw@???> wrote:
> We're seeing a growing problem of spam being sent through our servers
> using compromised authenticated SMTP credentials.
>
> We suspect that the credentials are being stolen using malware on the
> users' computers (over which we have no control).
>
> Obviously we block the accounts as quickly as possible once we become
> aware of the problem, but typically by this point we'll be on multiple
> blacklists.
>
> Does anyone have any suggestions for detecting and blocking, or at least
> limiting the impact of, such attacks?

Some sort of rate-limit on the credential.



You could start compiling a list of spamtrap domains. (but you'll only
find them the hard way)

> We're currently considering rate-limiting, or trying to detect where a
> single user is using multiple IPs in quick succession.

Multi ips could be valid if they used the same creds for their laptop,
phone, and document scanner. or if it's shared amongst a team.



--
umop apisdn


This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-[exim] LMTP deliver to subfoldersRe: [exim] LMTP deliver to subfolders->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)