Re: [exim] Spam though my server

Author: Mark Elkins
Date:  
To: exim-users
Subject: Re: [exim] Spam though my server
I run a "relay" server for my e-mail clients - so they can send out
e-mail from any network they are connected to (so useful for travelling
laptops). This machine runs only on port 587, uses authentication (same
password as for their POP3/IMAP account) - etc etc.

Some nefarious people are continuously trying to discover valid username
and password combos. Once they do - they flood that account with SPAM.
Much bounces back to my clients - who after a few days tell me (delayed
due to embarrassment?). Often, these "scans" are being done in what looks
like quite a random way, from multiple IP addresses and reasonably
infrequently - say once a minute.

What can you do? Not everyone uses my relay - so I have a flag that
needs to be first switched on for the relay authentication to work. I
also insist that passwords are reasonably long and not based on the
username. I build a list every few months and check it. I guess the next
step is to insist the password is changed periodically.

Lastly, users often use the same password for multiple purposes and
every now and then, there is a mass breach at some company. These
nefarious people use that info to also break into my mail servers.
Lastly, my customers are human and may be duped into giving out their
password with social engineering. All these are good reasons for forcing
periodic password changes.

I also scan for undelivered e-mail on the relay server - a sure sign
something is broken.

I should probably have some EXIM scripts that count repetitive failures,
both at login authentication and delivery (failure) by a user, and use
that to do automatic blocking and reporting. Lena probably has a
solution for that.

One would need to collect a time, IP address and user for these
failures. Blocking just IP addresses may not be enough.

On 2019/02/19 12:38, Odhiambo Washington via Exim-users wrote:
> On Tue, 19 Feb 2019 at 13:33, Heiko Schlittermann via Exim-users <
> exim-users@???> wrote:
>
>> Odhiambo Washington via Exim-users <exim-users@???> (Di 19 Feb 2019
>> 11:20:07 CET):
>>> I am seeing some spam going through my server, but I am not sure what
>>> method is being used by the spammer:
>>>
>>> Looks like successful authentication. So he/she/it is using account
>>> data, I'd say.
>>>
>>> -auth_id malamala@???
>> This is the string, that was set by the authenticator.
>> It may help you to track down the account, that was abused.
>>
>>> 301P Received: from rrcs-74-142-119-226.central.biz.rr.com
>>> ([74.142.119.226] helo=[192.6.3.50])
>>>          by gw.crownkenya.com with esmtpsa
>>> (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
>>>          (Exim 4.92)
>>>          (envelope-from <malamala@???>)
>>>          id 1gw0Ng-0002NF-1H
>>>          for sklep@???; Tue, 19 Feb 2019 11:03:56 +0300
>> The envelope from matches the account-id, depending on your
>> configuration it is another indicator of the "hacked" account.
>>
> I thought so too.
> How they end up hacking this account is something of a mystery now. This is
> the second time in as many months.
>
> Thank you.
>
>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje@???       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
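The counting of repetitive authentication failures per user that Mark describes above, as an added example (not code from the thread, from Exim, or from any poster): a Python script that parses constructed Exim mainlog "authenticator failed" lines and flags an account being guessed slowly from many addresses, which a per-IP threshold alone would never trip. The sample log lines, the 10-minute window and the threshold of 4 failures are assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample mainlog excerpt (documentation IP ranges, made-up account).
# One account is probed from four different addresses, roughly once a minute;
# a second account has a single typo-style failure; the last line is a
# successful authenticated submission and must be ignored by the parser.
SAMPLE_LOG = """\
2019-02-19 11:00:03 login authenticator failed for (User) [203.0.113.10]: 535 Incorrect authentication data (set_id=malamala@example.com)
2019-02-19 11:01:10 plain authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=malamala@example.com)
2019-02-19 11:02:15 login authenticator failed for (User) [203.0.113.11]: 535 Incorrect authentication data (set_id=malamala@example.com)
2019-02-19 11:03:40 login authenticator failed for (User) [203.0.113.12]: 535 Incorrect authentication data (set_id=malamala@example.com)
2019-02-19 11:30:00 login authenticator failed for (Me) [192.0.2.5]: 535 Incorrect authentication data (set_id=alice@example.com)
2019-02-19 11:05:10 1gw0Ng-0002NF-1H <= malamala@example.com H=(host) [203.0.113.10] P=esmtpsa A=login:malamala@example.com S=1234
"""

# Shape of the "authenticator failed" mainlog line (assumes no log_timezone
# suffix on the timestamp; the optional ":port" covers log_selector=+incoming_port).
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ authenticator failed for "
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?: 535 .*?\(set_id=(?P<user>[^)]*)\)"
)

def parse_auth_failures(log_text):
    """Yield (timestamp, ip, user) for every failed AUTH attempt in the log."""
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]

def find_targeted_accounts(log_text, window=timedelta(minutes=10), max_failures=4):
    """Return {user: sorted list of source IPs} for every account that saw at
    least `max_failures` failed AUTH attempts inside any `window`, counted
    across all source addresses (this is what a per-IP limit cannot see)."""
    recent = defaultdict(deque)   # user -> failure timestamps inside the window
    sources = defaultdict(set)    # user -> every IP that failed against it
    flagged = {}
    for ts, ip, user in sorted(parse_auth_failures(log_text)):
        q = recent[user]
        q.append(ts)
        sources[user].add(ip)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged[user] = sorted(sources[user])
    return flagged

def failures_per_ip(log_text):
    """Plain per-IP failure count, for comparison with the per-user view."""
    counts = defaultdict(int)
    for _, ip, _ in parse_auth_failures(log_text):
        counts[ip] += 1
    return dict(counts)
```

On the sample, no address fails more than once, so a per-IP rule stays silent, while the per-user view reports malamala@example.com together with all four source addresses, which is the (time, IP, user) triple worth feeding into blocking and reporting.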