Re: [exim] Dealing with Authenticated SMTP spam

Author: Paul Warren
Date:  
To: exim-users
Subject: Re: [exim] Dealing with Authenticated SMTP spam
On 28/05/2014 14:02, Jasen Betts wrote:
> On 2014-05-27, Paul Warren <pdw@???> wrote:
>> We're seeing a growing problem of spam being sent through our servers
>> using compromised authenticated SMTP credentials.
>> Does anyone have any suggestions for detecting and blocking, or at least
>> limiting the impact of, such attacks?
>
> You could start compiling a list of spamtrap domains. (but you'll only
> find them the hard way)
Can you elaborate on what you mean by this one?

>> We're currently considering rate-limiting, or trying to detect where a
>> single user is using multiple IPs in quick succession.
>
> Multiple IPs could be valid if they used the same creds for their laptop,
> phone, and document scanner, or if it's shared amongst a team.
True. Multiple IPs in quick succession (or even simultaneously) seem to
be a feature of the attacks that we've seen, but perhaps trying to block
based on this feature without false positives isn't feasible.

Paul
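As an added illustration of the two heuristics discussed in this thread (per-user rate limiting, and one authenticated user submitting from several IPs in quick succession), the following script is example code written for this page, not something posted by Paul or Jasen and not part of Exim. It parses constructed Exim mainlog-style `<=` lines, groups submissions by the `A=authenticator:id` field, and flags a user when, within a sliding window, the number of distinct client IPs or the number of messages exceeds a threshold. The log lines, the user names, the IP addresses and the thresholds are all made up for the demonstration; the threshold for distinct IPs is deliberately left high enough that a laptop, a phone and a scanner on three addresses do not trip it on their own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Exim mainlog format (hypothetical users, IPs and
# message ids; not taken from the thread or from any real server).
# "<=" is a message arrival, "A=" carries authenticator:authenticated_id,
# the bracketed address is the submitting client.
SAMPLE_LOG = """\
2014-05-27 10:00:01 1WpXaa-0001Aa-00 <= alice@example.org H=(laptop) [198.51.100.10] P=esmtpsa A=plain:alice S=2048 id=a1@example.org
2014-05-27 10:00:05 1WpXab-0001Ab-00 <= bob@example.org H=(bot1) [203.0.113.5] P=esmtpa A=login:bob S=4096 id=b1@example.org
2014-05-27 10:00:06 1WpXac-0001Ac-00 <= bob@example.org H=(bot2) [203.0.113.77] P=esmtpa A=login:bob S=4096 id=b2@example.org
2014-05-27 10:00:07 1WpXad-0001Ad-00 <= bob@example.org H=(bot3) [192.0.2.9] P=esmtpa A=login:bob S=4096 id=b3@example.org
2014-05-27 10:00:08 1WpXae-0001Ae-00 <= bob@example.org H=(bot4) [192.0.2.44] P=esmtpa A=login:bob S=4096 id=b4@example.org
2014-05-27 10:00:09 1WpXab-0001Ab-00 => victim@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.1]
2014-05-27 10:30:00 1WpXaf-0001Af-00 <= alice@example.org H=(phone) [198.51.100.11] P=esmtpsa A=plain:alice S=1024 id=a2@example.org
"""

# Timestamp, "<=" arrival marker, first bracketed client address, then A= field.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ "
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\].*? A=(?P<auth>\S+)"
)


def parse_auth_submissions(log_text):
    """Return (timestamp, authenticated_id, client_ip) for each authenticated
    submission; delivery lines and unauthenticated arrivals are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        auth = m.group("auth")
        # Exim logs A=<authenticator>:<authenticated_id>; fall back to the
        # whole field if the id part is absent.
        user = auth.partition(":")[2] or auth
        events.append((ts, user, m.group("ip")))
    return events


def flag_suspicious(events, window=timedelta(minutes=5), max_ips=3, max_msgs=100):
    """Sliding-window check per authenticated user.

    Flags "multiple-ips" when more than max_ips distinct client addresses
    appear within `window`, and "rate" when more than max_msgs messages do.
    Thresholds are assumed values for the example, not recommended settings.
    """
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))

    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        start = 0
        reasons = set()
        for end, (ts, _ip) in enumerate(evs):
            # Drop events older than the window from the head of the slice.
            while evs[start][0] < ts - window:
                start += 1
            recent = evs[start:end + 1]
            if len({r_ip for _, r_ip in recent}) > max_ips:
                reasons.add("multiple-ips")
            if len(recent) > max_msgs:
                reasons.add("rate")
        if reasons:
            flagged[user] = reasons
    return flagged


def analyze_log(log_text, **thresholds):
    """Parse a log and return {authenticated_id: set(reasons)}."""
    return flag_suspicious(parse_auth_submissions(log_text), **thresholds)


if __name__ == "__main__":
    for user, reasons in sorted(analyze_log(SAMPLE_LOG, max_msgs=3).items()):
        print(f"{user}: {', '.join(sorted(reasons))}")
```

On the sample data only "bob" is flagged: four distinct addresses inside four seconds, and, with the message threshold lowered to 3 for the demonstration, the rate check as well; "alice" on two addresses half an hour apart is left alone. In a live Exim deployment the rate half of this would more naturally be done in an ACL with the `ratelimit` condition keyed on `$authenticated_id`, and a script like this one is better suited to after-the-fact review of the mainlog or to feeding a block list; the multi-IP heuristic needs the window and threshold tuned against real traffic before it is used to block anything, for exactly the reason Jasen raises.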