Re: [exim] identifying compromised accounts

Etusivu
Poista viesti
Vastaa
Lähettäjä: Lena
Päiväys:  
Vastaanottaja: exim-users
Aihe: Re: [exim] identifying compromised accounts
> From: Patrick von der Hagen

> I've been having issues with compromised accounts used to send spam via
> authenticated connections to my servers. Don't ask me how those people
> lost their passwords, but they did.
>
> I have ratelimiting in place to avoid the worst issues, but some people
> and systems really send tons of messages, so the limit is quite
> generous. Defining exceptions for specific senders isn't an option,
> since it would involve to much maintenance.
>
> Now I'm looking for ideas how to identify issues faster. One of them is
> to check for senders causing lots of bounces, which in my experience is
> a good indication for bad behavior.


> My worries:
> - the identification of bounces in the acl_not_smtp is certainly not perfect
> - the limits are just a guess
> - the bounce rate will drop again, so the lock-out by
> bounce_$sender_address isn't permanent


Permanent lock-out if bounce rate exceeded, separately for each user:
https://github.com/Exim/exim/wiki/BlockCracking
That code uses verify=recipient/callout instead of counting bounce messages.
If recipient verificaton fails then a bounce message will be sent.

> From: Jeremy Harris


> You can watch for rate of rejects, rather than bounces (please don't
> say you accept-then-bounce!)


For authenticated connections (to send outgoing messages from user's MUA)
accept-then-bounce is usual practice because many Windows MUA cannot
handle rejects.