Re: [exim] Dealing with Authenticated SMTP spam

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Paul Warren
Datum:  
To: exim-users
Betreff: Re: [exim] Dealing with Authenticated SMTP spam
On 28/05/2014 14:02, Jasen Betts wrote:
> On 2014-05-27, Paul Warren <pdw@???> wrote:
>> We're seeing a growing problem of spam being sent through our servers
>> using compromised authenticated SMTP credentials.


>> Does anyone have any suggestions for detecting and blocking, or at least
>> limiting the impact of, such attacks?
>
> You could start compiling a list of spamtrap domains. (but you'll only
> find them the hard way)


Can you elaborate on what you mean by this one?

>> We're currently considering rate-limiting, or trying to detect where a
>> single user is using multiple IPs in quick succession.
>
> Multi ips could be valid if they used the same creds for their laptop,
> phone, and document scanner. or if it's shared amongst a team.


True. Multiple IPs in quick succession (or even simultaneously) seem to
be a feature of the attacks that we've seen, but perhaps trying to block
based on this feature without false positives isn't feasible.

Paul