Re: [exim] Spam though my server

Author: Sebastian Nielsen
Date:  
To: 'Odhiambo Washington', 'exim users'
Subject: Re: [exim] Spam though my server
The best way here would be to set up some sort of IP limitation to limit the
attack surface.

If all of your users belong to the same country, I would suggest firewalling
or restricting the 587 server via GeoIP so it can only be accessed from that
particular country.

Most better firewalls do have a built-in country/GeoIP database; if not,
you can easily add one.

I would also suggest doing that to the IMAP and POP3 servers for extra security.

You can also use auth_advertise_hosts to further lock down authentication to
specific IP ranges only.

If all your users belong to a specific location or ISP, you could restrict
it even further.

If all your users belong to different countries, I would suggest detecting
which country is used during signup/payment/enrollment/first login, and then
GeoIP-locking the account to that particular country, so any logins except
from that country will not work. This then needs to be saved per user.

An easier solution, if you don't want to lock to GeoIP, is to lock to the /16
or /24 that the user is doing his signup/payment/enrollment/first login
from.

To do this, you rewrite your authenticator settings so it looks up the
user's IP via GeoIP, or just picks parts of the IP, and then submits it as
part of the username or password.

In the username/password database you then have the same rewrite, so if
a user tries to log in from an unauthorized location, it will fail the login
as if the account didn't exist or the password was invalid.

This should cut down on bots cracking passwords pretty much. I have had the
same problem; I got my email password cracked all the time.

A simple auth_advertise_hosts with only my IPs in it pretty much put a
hard stop to those bot attacks. The bot attacks still fill up the logs
("AUTH command used when not advertised"), but they can't come through as
their IP is unauthorized.



Best regards, Sebastian Nielsen.







On Tue 19 Feb 2019 at 11:51, Odhiambo Washington via Exim-users
<exim-users@???> wrote:

>
> On Tue, 19 Feb 2019 at 13:33, Heiko Schlittermann via Exim-users <
> exim-users@???> wrote:
>
> > Odhiambo Washington via Exim-users <exim-users@???> (Tue 19 Feb 2019
> > 11:20:07 CET):
> > > I am seeing some spam going through my server, but I am not sure what
> > > method is being used by the spammer:
> > >
> > > exim -Mvh 1gw0Ng-0002NF-1H
> > > 1gw0Ng-0002NF-1H-H
> > > mailnull 26 26
> > > <malamala@???>
> > > 1550563436 0
> > > -received_time_usec .039642
> > > -helo_name [192.6.3.50]
> > > -host_address 74.142.119.226.1591
> > > -host_name rrcs-74-142-119-226.central.biz.rr.com
> > > -host_auth plain
> > > -interface_address 192.168.55.254.587
> > > -active_hostname gw.crownkenya.com
> > > -received_protocol esmtpsa
> >
> > Looks like successful authentication. So he/she/it is using account
> > data, I'd say.
> >
> > > -auth_id malamala@???
> >
> > This is the string that was set by the authenticator.
> > It may help you to track down the account that was abused.
> >
> > > 301P Received: from rrcs-74-142-119-226.central.biz.rr.com
> > > ([74.142.119.226] helo=[192.6.3.50])
> > >         by gw.crownkenya.com with esmtpsa
> > > (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
> > >         (Exim 4.92)
> > >         (envelope-from <malamala@???>)
> > >         id 1gw0Ng-0002NF-1H
> > >         for sklep@???; Tue, 19 Feb 2019 11:03:56 +0300
> >
> > The envelope from matches the account-id; depending on your
> > configuration it is another indicator of the "hacked" account.
> >
>
> I thought so too.
> How they end up hacking this account is something of a mystery now. This is
> the second time in as many months.
>
> Thank you.
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft.", grep ^[^#] :-)
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
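As an added example (not from this thread and not Sebastian's own configuration), an Exim fragment that combines the two measures he describes: auth_advertise_hosts limited to the networks the users come from, and a PLAIN authenticator whose password lookup is keyed on both the username and the /24 the client connects from, so a correct password from any other network fails exactly like a wrong one. The networks, the file path /etc/exim4/passwd_by_net and its lsearch line format are assumptions for the example.

```exim
# Added example, not from the thread. Networks and paths are placeholders.

# 1. Only advertise AUTH to the networks the users are known to come from
#    (IPv4 only here). Clients elsewhere never get an AUTH offer; their
#    attempts are still logged as "AUTH command used when not advertised",
#    which is a convenient line to alert on.
auth_advertise_hosts = 192.0.2.0/24 : 198.51.100.0/24

begin authenticators

# 2. PLAIN authenticator keyed on "<user>@<client /24>".
#    For AUTH PLAIN, $auth2 is the username and $auth3 the password.
#    ${mask:$sender_host_address/24} turns e.g. 192.0.2.77 into
#    192.0.2.0/24, so the lookup key for a user enrolled from that network
#    becomes "alice@example.com@192.0.2.0/24".
#
#    /etc/exim4/passwd_by_net (assumed format) holds one line per user and
#    enrolled network, key and crypt(3) hash separated by a colon:
#      alice@example.com@192.0.2.0/24: <crypt hash of alice's password>
#    A login from a different /24 builds a key that is not in the file,
#    the lookup is forced to fail, and the AUTH fails just as it would for
#    an unknown account or a wrong password, with no hint which it was.
plain_netlocked:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if crypteq{$auth3}\
      {${lookup{${auth2}@${mask:$sender_host_address/24}}\
          lsearch{/etc/exim4/passwd_by_net}{$value}fail}}}
  # Record the username, not the combined key, in the log and in $auth_id
  server_set_id = $auth2
```

Widening the lock to a /16 is a matter of changing the mask to /16 in both the condition and the file keys; a user who legitimately roams between networks simply gets one line per enrolled network.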