Re: [exim] Dealing with Authenticated SMTP spam

Author: Paul Warren
Date:  
To: Todd Lyons
CC: exim-users
Subject: Re: [exim] Dealing with Authenticated SMTP spam
On 28/05/2014 14:31, Todd Lyons wrote:
> On Tue, May 27, 2014 at 11:03 AM, Paul Warren <pdw@???> wrote:
>> We're seeing a growing problem of spam being sent through our servers using
>> compromised authenticated SMTP credentials.
>> We suspect that the credentials are being stolen using malware on the users'
>> computers (over which we have no control).
>
> Or the user/pass is weak, or the user/pass is the same as some other
> system that it was obtained from. It's a very common problem.


True, although we've got no evidence of brute forcing, and I'd be
slightly surprised if the miscreants would go the effort of locating our
mail server details based on credentials obtained from elsewhere (I
can't see how that part could be automated).

> Here are a few areas that I've had to directly address when dealing with abuse:
>
> 1. Single user coming from multiple IP's to auth - I wrote something
> which tailed the logs, extracts SMTP Auth logins, and puts the IP's an
> account logs in from into memcache. When the number of IP's exceeds a
> threshold, change the account's password (allows them to still
> receive email, but it stops them from logging in).


OOI how does that allow them to receive email? Or do you mean that you
queue it?

> Beware that mobile
> phones are the wildcard here. Lots of mobile phone systems appear to
> change IP's as they move from tower to tower, so you have to identify
> those ranges which can be counted as "one" access.


That's worth knowing. We've got a one-liner which gives us volume by IP
and account ID which is good at showing us problems, but it's not yet
automatically doing anything with it.

Thanks for the other suggestions too - plenty to think about.

Paul
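The per-account distinct-IP check Todd describes, as an added example that is not from the thread or from Exim: it parses the `[ip]` and `A=mechanism:user` fields of Exim "<=" arrival lines, collapses addresses in an assumed mobile range into one source, and flags accounts seen from more sources than a threshold. The log lines and the 100.64.0.0/10 "mobile" range are constructed for illustration.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample Exim log lines (not from the thread). Lines with P=esmtpsa and
# an A= field are authenticated submissions; the last line is unauthenticated.
SAMPLE_LOG = """\
2014-05-27 11:03:01 1WpA1a-0001ab-Cd <= alice@example.org H=(a) [192.0.2.10] P=esmtpsa A=dovecot_login:alice@example.org S=2301
2014-05-27 11:04:15 1WpA1b-0001ac-Ef <= bob@example.org H=(b) [198.51.100.7] P=esmtpsa A=dovecot_login:bob@example.org S=1833
2014-05-27 11:05:02 1WpA1c-0001ad-Gh <= alice@example.org H=(c) [203.0.113.5] P=esmtpsa A=dovecot_login:alice@example.org S=9011
2014-05-27 11:05:40 1WpA1d-0001ae-Ij <= alice@example.org H=(d) [203.0.113.77] P=esmtpsa A=dovecot_login:alice@example.org S=9020
2014-05-27 11:06:11 1WpA1e-0001af-Kl <= alice@example.org H=(e) [192.0.2.200] P=esmtpsa A=dovecot_login:alice@example.org S=9105
2014-05-27 11:07:30 1WpA1f-0001ag-Mn <= bob@example.org H=(f) [100.64.3.4] P=esmtpsa A=dovecot_login:bob@example.org S=1500
2014-05-27 11:08:12 1WpA1g-0001ah-Op <= bob@example.org H=(g) [100.64.9.9] P=esmtpsa A=dovecot_login:bob@example.org S=1510
2014-05-27 11:09:00 1WpA1h-0001ai-Qr <= carol@example.org H=(h) [192.0.2.44] P=esmtps S=700
"""

# Sender IP in brackets, then the A=<mechanism>:<user> authentication field.
LINE_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\].*?\bA=(?P<mech>[^:\s]+):(?P<user>\S+)")

# Assumed: address ranges whose hosts should count as ONE source because handsets
# hop between them. CGNAT space is used here purely as a constructed illustration.
DEFAULT_MOBILE_RANGES = [ipaddress.ip_network("100.64.0.0/10")]

def source_key(ip_text, mobile_ranges):
    """Collapse any address inside a mobile range to the range itself."""
    ip = ipaddress.ip_address(ip_text)
    for net in mobile_ranges:
        if ip in net:
            return str(net)
    return str(ip)

def auth_sources(log_text, mobile_ranges=None):
    """Map each authenticated account to the set of distinct sources it used."""
    ranges = DEFAULT_MOBILE_RANGES if mobile_ranges is None else mobile_ranges
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:  # unauthenticated or unrelated line: ignore
            continue
        sources[m.group("user")].add(source_key(m.group("ip"), ranges))
    return dict(sources)

def flag_accounts(log_text, threshold, mobile_ranges=None):
    """Return (account, source_count) for accounts seen from more than `threshold` sources."""
    counts = {u: len(s) for u, s in auth_sources(log_text, mobile_ranges).items()}
    return sorted((u, n) for u, n in counts.items() if n > threshold)

if __name__ == "__main__":
    for account, n in flag_accounts(SAMPLE_LOG, 2):
        print(f"{account}: {n} distinct sources, exceeds threshold")
```

With the mobile range collapsed, only alice (four unrelated sources) is flagged; run with `mobile_ranges=[]` and bob's two handset addresses push him over the same threshold, which is the false positive Todd warns about.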