Re: [exim] Spam though my server

Author: Sebastian Nielsen
Date:  
To: 'Niels Dettenbach'
CC: 'Odhiambo Washington', 'exim users'
Subject: Re: [exim] Spam though my server
The idea is not to build a 100% foolproof solution.
The idea is to limit the attack surface.

Let's say you have 3 users with really crappy passwords:

Username    | Password    | First login
Postmaster  | retsamtsoP  | USA
GoodUser    | Password123 | Germany
AnotherUser | qwertyuiop  | Denmark

Now let's say you implement my suggestion. A bot from China or Russia will
never be able to crack those accounts, because the GeoIP will fail the
authentication, so even with the correct username/password those accounts will
still say failed.
Even if they do a long shot and use a TOR node or VPN from the USA, they will
still only have a chance against the Postmaster account, nothing else.

So you greatly limit the attack surface, since the attacker must "be" in the
same region as the attacked account to even have a chance to succeed.

That there are some false positives doesn't matter, because those people must
still have the real account name and password to succeed, and they must know
which accounts are really geoIP'd to that country.

If all users are in the same country, you simply geoIP in the firewall, and
then port 587 will be closed and invisible to every host except those from
the right country, so bots that are scanning large IP ranges will just skip
over your server.
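As an added illustration (not code from Exim or from either poster), the following Python sketches the per-account country fencing described above, together with the fail2ban-style lockout mentioned in the quoted message below. The accounts, the first-login countries and the GeoIP table (built from RFC 5737 documentation ranges) are constructed sample data; a real server would consult a GeoIP database and its user store instead. Two details worth noting: the password is always checked even when the country check will fail, so timing does not tell the attacker which test they failed, and the client only ever receives a generic failure while the real reason goes to the server log.

```python
"""Added example: country-fenced SMTP AUTH plus a fail2ban-style failure counter.
Accounts and GeoIP table are constructed for the example; not Exim code."""
import hashlib
import hmac
import ipaddress
import os
from collections import defaultdict, deque
from typing import Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_account(password: str, country: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt), "country": country}


# Constructed: the three weak accounts from the post, pinned to their first-login country.
ACCOUNTS = {
    "postmaster": _make_account("retsamtsoP", "US"),
    "gooduser": _make_account("Password123", "DE"),
    "anotheruser": _make_account("qwertyuiop", "DK"),
}
# Dummy record so an unknown username costs the same hash work as a real one.
_DUMMY = _make_account(os.urandom(8).hex(), "ZZ")

# Constructed stand-in for a GeoIP database (hypothetical mapping of RFC 5737 ranges).
GEOIP_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("203.0.113.0/24"), "DK"),
]


def country_of(ip: str) -> Optional[str]:
    """Country code for a client address, or None when it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE:
        if addr in net:
            return cc
    return None  # an unresolvable address never matches any account


def authenticate(username: str, password: str, client_ip: str) -> Tuple[bool, str]:
    """Return (accepted, server-side reason). The password is verified before any
    decision is made, so a country mismatch costs the same time as a bad password."""
    key = username.lower()
    acct = ACCOUNTS.get(key, _DUMMY)
    pw_ok = hmac.compare_digest(_hash_password(password, acct["salt"]), acct["pw_hash"])
    client_cc = country_of(client_ip)
    geo_ok = client_cc is not None and client_cc == acct["country"]
    if key not in ACCOUNTS:
        return False, "unknown user"
    if not pw_ok:
        return False, "bad password"
    if not geo_ok:
        return False, "country mismatch: client %s, account %s" % (client_cc, acct["country"])
    return True, "ok"


class FailureTracker:
    """fail2ban-style lockout: block a source after `limit` failures within `window`
    seconds. Keyed on IP only, so a large NAT behind one address can lock out its
    legitimate users (the false-positive case raised in the quoted message)."""

    def __init__(self, limit: int = 5, window: int = 600):
        self.limit, self.window = limit, window
        self._fails = defaultdict(deque)

    def _prune(self, ip: str, now: float) -> deque:
        q = self._fails[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record_failure(self, ip: str, now: float) -> None:
        self._prune(ip, now).append(now)

    def is_blocked(self, ip: str, now: float) -> bool:
        return len(self._prune(ip, now)) >= self.limit


def login_attempt(tracker: FailureTracker, username: str, password: str,
                  client_ip: str, now: float) -> Tuple[bool, str]:
    """One AUTH attempt: returns the accept decision and a log line. The reason
    stays server-side; the client would get the same generic 535 either way."""
    if tracker.is_blocked(client_ip, now):
        return False, "%s %s: rejected, source locked out" % (client_ip, username)
    ok, reason = authenticate(username, password, client_ip)
    if not ok:
        tracker.record_failure(client_ip, now)
    return ok, "%s %s: %s" % (client_ip, username, reason)
```

With the sample data, GoodUser's correct password from a 198.51.100.0/24 address succeeds, while the same credentials from 192.0.2.0/24 (mapped to the US in the constructed table) fail, which is the behaviour the post describes for the stolen-password case.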


-----Original message-----
From: Exim-users <exim-users-bounces+sebastian=sebbe.eu@???> on behalf of Niels
Dettenbach via Exim-users
Sent: 19 February 2019 20:00
To: exim-users@???; Sebastian Nielsen <sebastian@???>
Cc: 'Odhiambo Washington' <odhiambo@???>
Subject: Re: [exim] Spam though my server

On Tuesday, 19 February 2019, 15:57:07 CET, Sebastian Nielsen via Exim-users
wrote:
> Most better firewalls do have a built-in country/GeoIP database; if not,
> you can easily add one.

GeoIP is far from "reliable" for any SMTP/MTA, as there is no geolocation of
an IP address. It offers only a "probably in this country" info in the context
of an IP address (user). This means the amount of false positives in practice
is significant, except if users come from "known" AS networks or RIR
assignments / route info. So this may (!) help/work in small and/or very
defined network topologies.

I know the situation in Germany is a bit different, as the internet topology /
"market" is very "centralized" here, but even in Germany many less known IP
access products / services available get "geo-resolved" over other (usually
western) countries / regions by GeoIP (even the commercial version).

I know of many African and Asian mail providers who use "US", "European" or
"Canadian" IPs for their service to get around "problems" with such
geo-blocking solutions.

Proper geolocation of IPs is a "science by itself", but still far from
reliable. Many brute force attack attempts against our exim systems
(Germany+Luxembourg) are currently coming from France and Germany today.

For smaller systems, solutions like fail2ban could help "far":
https://www.fail2ban.org/wiki/index.php/Exim

But even here: be aware of possible "bad cases" where i.e. larger NAT
networks "use" the service and "sloppy" user clients generate false
positives.

Besides Exim functionality (see Exim DoS prevention, incl. the resource
"reserve" subsystem), firewall rules to slow down "too many" newly initiated
sessions within a time window could help. But brute force attacks are normal /
usual on larger SMTP services today; what is important is to make it difficult,
to prevent any success of such attacks (even distributed ones) and the "DoS
effects" of them and similar attacks.


good luck,


niels.


--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/