Author: Jethro R Binks Date: To: exim-users Subject: Re: [exim] Spam though my server
On Tue, 19 Feb 2019, Mark Elkins via Exim-users wrote:
> I run a "relay" server for my e-mail clients - so they can send out
> e-mail from any network they are connected to (so useful for travelling
> laptops). This machine runs only on port 587, uses authentication (same
> password as for their POP3/IMAP account) - etc etc.
>
> Some nefarious people are continuously trying to discover valid username
> and password combos. Once they do - they flood that account with SPAM.
> Much bounces back to my clients - who after a few days tell me (delayed
> due to embarrassment?). Often, these "scans" are being done in what looks
> like quite a random way, from multiple IP addresses and reasonably
> infrequently - say once a minute.
Here's something else you might like to look into.
When we see accounts get compromised, we often see a few "test mails" get
sent out to some known addresses to test the viability of the account.
In our case, we've set it up so that messages to these addresses get
frozen on the mail queue, so the nefarious people don't get those
messages. That doesn't necessarily stop them using the compromised
account, but can flag an early warning to us. You might monitor your
logfiles or whatever, perhaps arranging to freeze all mail from any
account that sends to one of the probe addresses.
So for your next accounts that get compromised, try looking at the regular
mail flow and see if you can pick out the probe addresses at the start of
the use after compromise. They are sometimes quite obvious, usually
hotmail/yahoo/gmail, and often with strings like 'zz' and 'test' in them,
but often they are just regular other compromised accounts and trickier to
spot.
Jethro.
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK
The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
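As an added illustration of the log-monitoring idea above (not code from the thread or from Exim itself), here is a small Python scanner over Exim main-log lines that correlates authenticated submissions with deliveries to a list of known probe addresses and reports the authenticating user. The probe list and the log lines are constructed for the example; it reads the `=>` delivery lines, and also the `for ...` recipient list that appears on `<=` lines when the `recipients` log selector is on (useful when such messages are frozen and never reach a delivery line).

```python
import re
from collections import defaultdict

# Constructed sample lines in Exim main-log format (not taken from the thread).
SAMPLE_LOG = """\
2019-02-19 09:12:01 1gvZ8r-0001Ab-2X <= alice@example.net H=(laptop) [198.51.100.7] P=esmtpsa A=plain:alice S=812 id=1@laptop
2019-02-19 09:12:02 1gvZ8r-0001Ab-2X => zz.test.mail@hotmail.com R=dnslookup T=remote_smtp H=mx.hotmail.com [203.0.113.5]
2019-02-19 09:12:03 1gvZ8r-0001Ab-2X Completed
2019-02-19 09:15:10 1gvZ8z-0001Ac-4Q <= bob@example.net H=(phone) [198.51.100.9] P=esmtpsa A=plain:bob S=2048 id=2@phone
2019-02-19 09:15:11 1gvZ8z-0001Ac-4Q => carol@example.org R=dnslookup T=remote_smtp H=mx.example.org [203.0.113.9]
2019-02-19 09:15:12 1gvZ8z-0001Ac-4Q Completed
2019-02-19 09:20:00 1gvZ9a-0001Ad-7K <= dave@example.net H=(tablet) [198.51.100.11] P=esmtpsa A=plain:dave S=700 id=3@tablet for zztest99@yahoo.com
"""

# Hypothetical probe list; fill it from addresses seen in your own compromises.
PROBE_ADDRESSES = {"zz.test.mail@hotmail.com", "zztest99@yahoo.com"}

# "<=" arrival line: message id, sender, A=authenticator:user, optional "for rcpt ..." tail
ARRIVAL = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) .*?\bA=(?P<auth>\S+)"
    r"(?: .*? for (?P<for>.+))?"
)
# "=>" delivery line: message id and the recipient address
DELIVERY = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) => (?P<rcpt>\S+)")


def find_probe_senders(log_text, probes=PROBE_ADDRESSES):
    """Return {auth_user: [(message_id, probe_address), ...]} for authenticated
    submissions that were addressed to a known probe address."""
    auth_by_id = {}            # message id -> authenticated user
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ARRIVAL.search(line)
        if m:
            user = m.group("auth").split(":", 1)[-1]   # "plain:alice" -> "alice"
            auth_by_id[m.group("id")] = user
            for rcpt in (m.group("for") or "").split():  # recipients log selector
                if rcpt.lower() in probes:
                    hits[user].append((m.group("id"), rcpt))
            continue
        m = DELIVERY.search(line)
        if m and m.group("rcpt").lower() in probes and m.group("id") in auth_by_id:
            hits[auth_by_id[m.group("id")]].append((m.group("id"), m.group("rcpt")))
    return dict(hits)


if __name__ == "__main__":
    for user, events in find_probe_senders(SAMPLE_LOG).items():
        print(f"possible compromise: {user} sent to probe address(es): {events}")
```

Unauthenticated arrivals (no `A=` field) are ignored, so only accounts that logged in to the submission service are reported.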