On Fri, Nov 7, 2014 at 11:13 AM, Patrick von der Hagen
<patrick.hagen@???> wrote:
> Hi all,
>
> I've been having issues with compromised accounts used to send spam via
> authenticated connections to my servers. Don't ask me how those people
> lost their passwords, but they did.
> Now I'm looking for ideas how to identify issues faster. One of them is
I classify compromised accounts in two ways:
1) Customer clicked something and spam cannon is now running on his computer
2) Customer's user/pass got obtained by something and distributed to a
botnet, which has bot clients all over the world using that account
through your mail servers.
Your solution addresses the first scenario.
One thing you can do to address and identify the second scenario is
track how many different IP addresses a single account connects from
to send email using SMTP Auth. A clear sign is when an account that
normally connects from about 3 or 4 unique /24's (phone on cellular
network, phone/laptop on wifi at home, phone/laptop on wifi at work,
laptop from coffee shop, for example). You also have to take into
account (the script below does not really) that some mobile systems
are older, and periods of inactivity result in the IP lease expiring.
Then the next time the phone connects using cellular data to check
mail, it gets a new IP, usually very close to the last one it had.
This is when tracking things per /24 would be most useful to prevent
false positives.
Start with something like this that will scan the exim logs looking
for connections that have been connected to from many more than some
limit you set. Then you can block them if you choose by changing the
password of the compromised account, and have someone contact them
out-of-band.
http://downloads.mrball.net/Linux/Exim/detect_hacked_smtp_auth_conns.pl
I really should put that up on github, I guess. One day, just not right now.
...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine