Re: [exim] Dealing with Authenticated SMTP spam

On 2012-11-30, Paul Warren <pdw@???> wrote:
> On 28/05/2014 14:02, Jasen Betts wrote:
>> On 2014-05-27, Paul Warren <pdw@???> wrote:
>>> We're seeing a growing problem of spam being sent through our servers
>>> using compromised authenticated SMTP credentials.
>
>>> Does anyone have any suggestions for detecting and blocking, or at least
>>> limiting the impact of, such attacks?
>>
>> You could start compiling a list of spamtrap domains. (but you'll only
>> find them the hard way)
>
> Can you elaborate on what you mean by this one?

eg: (note: all the names are made up)

suppose you get listed on bl.example.com, you find the first message
in the logs announcing that and then look at the previos deliveies to
try to find the one that triggered it, (or sometimes the URL in the
denial message will give you enough info)

suppose you find a message to support@??? and
investigate the mx ans discover that it announces itself as a spamtrap,

that's a fiarly strong indication that there are no usefule email
addresses on that domain. so you block that domain (or that mx, or the
ip address of that mx) and organise something to stop anyone who tries
to send to it from sending any more email.

I do this in a no-verify router so that I don't leak the names of the
spamtraps

--
umop apisdn