Author: Paul Warren Date: To: exim-users Subject: Re: [exim] Dealing with Authenticated SMTP spam
On 28/05/2014 14:02, Jasen Betts wrote:
> On 2014-05-27, Paul Warren <pdw@???> wrote:
>> We're seeing a growing problem of spam being sent through our servers
>> using compromised authenticated SMTP credentials.
>> Does anyone have any suggestions for detecting and blocking, or at least
>> limiting the impact of, such attacks?
>
> You could start compiling a list of spamtrap domains. (but you'll only
> find them the hard way)
Can you elaborate on what you mean by this one?
>> We're currently considering rate-limiting, or trying to detect where a
>> single user is using multiple IPs in quick succession.
>
> Multiple IPs could be valid if they used the same creds for their laptop,
> phone, and document scanner. Or if it's shared amongst a team.
True. Multiple IPs in quick succession (or even simultaneously) seem to
be a feature of the attacks that we've seen, but perhaps trying to block
based on this feature without false positives isn't feasible.
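One way to measure the "single user, many IPs in quick succession" signal discussed above before deciding whether to act on it. This is an added example, not code from the thread or from Exim; it scans constructed Exim-style main-log `<=` lines (the `A=<authenticator>:<id>` field carries the authenticated user) and reports accounts that exceed a distinct-IP or message-count threshold inside a sliding window. The thresholds, window and sample lines are assumptions chosen for illustration; given the laptop/phone/scanner caveat in the reply, the output is better treated as an alert to review than as an automatic block.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in the shape of Exim's "<=" message-arrival
# entries (not real traffic). Alice sends from two devices; Bob's account
# sends from four unrelated client addresses within eleven seconds.
SAMPLE_LOG = """\
2014-05-27 09:00:01 1WpA01-0001AA-01 <= alice@example.org H=(home) [203.0.113.10] P=esmtpsa A=login:alice S=2048
2014-05-27 09:05:10 1WpA02-0001AB-02 <= alice@example.org H=(phone) [198.51.100.7] P=esmtpsa A=login:alice S=1900
2014-05-27 09:00:05 1WpB01-0001AC-03 <= bob@example.org H=(x) [192.0.2.11] P=esmtpa A=plain:bob S=900
2014-05-27 09:00:07 1WpB02-0001AD-04 <= bob@example.org H=(y) [192.0.2.57] P=esmtpa A=plain:bob S=900
2014-05-27 09:00:09 1WpB03-0001AE-05 <= bob@example.org H=(z) [198.51.100.200] P=esmtpa A=plain:bob S=900
2014-05-27 09:00:12 1WpB04-0001AF-06 <= bob@example.org H=(w) [203.0.113.99] P=esmtpa A=plain:bob S=900
"""

# Timestamp, client IP in square brackets, and the authenticated id after "A=<method>:".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ .*?\[(?P<ip>[^\]]+)\] .*?A=[^:\s]+:(?P<user>\S+)"
)


def parse_auth_lines(log_text):
    """Return (timestamp, user, ip) for every authenticated arrival line, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]))
    events.sort()
    return events


def flag_accounts(log_text, window=timedelta(minutes=10), max_ips=3, max_msgs=50):
    """Map user -> first reason the account exceeded a threshold within the sliding window."""
    recent = defaultdict(deque)  # user -> (timestamp, ip) pairs still inside the window
    flagged = {}
    for ts, user, ip in parse_auth_lines(log_text):
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        distinct_ips = {seen_ip for _, seen_ip in q}
        if len(distinct_ips) > max_ips:
            flagged.setdefault(user, f"{len(distinct_ips)} distinct client IPs within {window}")
        elif len(q) > max_msgs:
            flagged.setdefault(user, f"{len(q)} messages within {window}")
    return flagged


if __name__ == "__main__":
    for user, reason in flag_accounts(SAMPLE_LOG).items():
        print(f"review {user}: {reason}")
```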