Re: [exim] Dealing with Authenticated SMTP spam

Author: Todd Lyons
Date:  
To: Paul Warren
CC: exim-users
Subject: Re: [exim] Dealing with Authenticated SMTP spam
On Tue, May 27, 2014 at 11:03 AM, Paul Warren <pdw@???> wrote:
> We're seeing a growing problem of spam being sent through our servers using
> compromised authenticated SMTP credentials.
> We suspect that the credentials are being stolen using malware on the users'
> computers (over which we have no control).


Or the user/pass is weak, or the user/pass is the same as some other
system that it was obtained from. It's a very common problem.

> Obviously we block the accounts as quickly as possible once we become aware
> of the problem, but typically by this point we'll be on multiple blacklists.


Right, the trick is to automate the detection. Sounds easy, a bit
harder in practice. Another poster I feel was extremely insightful
with the labels of fast and slow detection.

> Does anyone have any suggestions for detecting and blocking, or at least
> limiting the impact of, such attacks?
> We're currently considering rate-limiting, or trying to detect where a
> single user is using multiple IPs in quick succession.


Here are a few areas that I've had to directly address when dealing with abuse:

1. Single user coming from multiple IPs to auth - I wrote something
which tails the logs, extracts SMTP Auth logins, and puts the IPs an
account logs in from into memcache. When the number of IPs exceeds a
threshold, change the account's password (allows them to still
receive email, but it stops them from logging in). Beware that mobile
phones are the wildcard here. Lots of mobile phone systems appear to
change IPs as they move from tower to tower, so you have to identify
those ranges which can be counted as "one" access.

2. Single user sending out lots of emails - Using ratelimiting to
control. Have limits set per hour and per 24 hour period. Anytime we
find a customer hitting these limits, we strongly advise them to use
the CRM system, which provides much better feedback/tracking, bounce
detection, unsubscribe, etc, as compared to just sending out via SMTP
Auth.

3. Single user sending out lots of emails but using a bogus envelope
from - We had a problem a while back where a lot of email was seeming
to originate from *@aol.com. I had to specifically block that
envelope sender for smtp auth accounts (and did the same for *@yahoo
and *@gmail).

4. Single user sending out reasonable amount of email, but a large
percentage of them are rejected - Have to have the smarts to determine
that a rejection is a bounce due to invalid/non-existent user, as
opposed to rejected because it scored as spam, or recipient hates the
sender and added them to a blacklist, etc. Detect invalid recipients
and provide customer with the list, a warning, and instruct them to
remove invalid users.

5. Lena's cracked account blocking - FREAKING AWESOME

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
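The per-account IP counting from Todd's first point, as an added example that is not code from the post or from Exim: it parses constructed Exim main-log lines, counts distinct source IPs per authenticated account inside a sliding window, folds an assumed mobile carrier range into one access, and reports the accounts over the threshold (a plain dict stands in for memcache; the password change is left to the operator).

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
# An Exim main-log "<=" line for an authenticated submission: the client IP is
# in [brackets], P=esmtpa marks SMTP AUTH, and A=authenticator:id names the account.
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?\[(?P<ip>[0-9a-fA-F.:]+)\]"
                    r" P=esmtpa.* A=[^:\s]+:(?P<acct>\S+)")
# Constructed sample log (not real traffic). 203.0.113.0/24 plays a mobile carrier range.
SAMPLE_LOG = """\
2014-05-27 10:00:01 1WpAaa-0001Ab-Cd <= alice@example.com H=(pc) [198.51.100.7] P=esmtpa A=plain:alice@example.com S=812
2014-05-27 10:00:30 1WpAba-0001Ba-Gh <= bob@example.com H=(m1) [203.0.113.11] P=esmtpa A=plain:bob@example.com S=500
2014-05-27 10:10:30 1WpAbb-0001Bb-Ij <= bob@example.com H=(m2) [203.0.113.42] P=esmtpa A=plain:bob@example.com S=510
2014-05-27 10:20:30 1WpAbc-0001Bc-Kl <= bob@example.com H=(m3) [203.0.113.99] P=esmtpa A=plain:bob@example.com S=520
2014-05-27 10:01:00 1WpAca-0001Ca-Mn <= mallory@example.com H=(x) [192.0.2.10] P=esmtpa A=login:mallory@example.com S=700
2014-05-27 10:02:00 1WpAcb-0001Cb-Op <= mallory@example.com H=(x) [192.0.2.77] P=esmtpa A=login:mallory@example.com S=700
2014-05-27 10:03:00 1WpAcc-0001Cc-Qr <= mallory@example.com H=(x) [198.51.100.200] P=esmtpa A=login:mallory@example.com S=700
2014-05-27 10:04:00 1WpAcd-0001Cd-St <= mallory@example.com H=(x) [203.0.113.5] P=esmtpa A=login:mallory@example.com S=700
"""

class AuthIpTracker:
    """Per-account set of recent source IPs; a dict stands in for memcache (assumption)."""
    def __init__(self, threshold=3, window=timedelta(hours=1), grouped_ranges=()):
        self.threshold, self.window = threshold, window
        self.ranges = [ipaddress.ip_network(r) for r in grouped_ranges]
        self.seen = defaultdict(dict)  # account -> {ip_or_range: last_seen}

    def _key(self, ip):
        addr = ipaddress.ip_address(ip)
        for net in self.ranges:          # a whole mobile range counts as "one" access
            if addr in net:
                return str(net)
        return ip

    def observe(self, line):
        """Feed one log line; return the account if it now exceeds the threshold, else None."""
        m = LOG_RE.search(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hist = self.seen[m["acct"]]
        hist[self._key(m["ip"])] = ts
        for stale in [k for k, t in hist.items() if ts - t > self.window]:
            del hist[stale]              # forget IPs outside the sliding window
        return m["acct"] if len(hist) > self.threshold else None

def flag_accounts(log_text, **kw):
    """Return the sorted accounts that crossed the threshold anywhere in the log."""
    tracker = AuthIpTracker(**kw)
    return sorted({a for a in map(tracker.observe, log_text.splitlines()) if a})
```

Run over the sample with the carrier range grouped, only mallory is reported; without the grouping, bob's three tower hops also trip a threshold of two, which is exactly the false positive the post warns about.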