Re: [exim] Looking for an example

Author: Sebastian Nielsen
Date:
To: 'Mike Brudenell', exim-users
New topics: [exim] Rate limiting and TOTP - was Re: Looking for an example
Subject: Re: [exim] Looking for an example
It's just that the systems you describe only prevent further damage once
the damage is already done. A few spam messages could be enough to get
blacklisted. So even if you rate-limit to something like 10 messages per day,
you still risk ending up on a blacklist if some account is compromised.

The best way, as I said, is to enforce sign-in limits. Limit the account by
GeoIP, limit the account by ISP.
Require TOTP to reset IP limits.
Use TOTP for webmail login.
Only allow limitless logins from campus IPs.

This also, in turn, helps protect accounts against compromises of the type
"steal the email account, then use it to reset all the user's other passwords".
Another important thing, if the email belongs to an .edu, is that *.edu
addresses have exemptions and access that the general public does not have,
for example student discounts, free software, and so on, so for such reasons
I think TOTP is a must.

TOTP is the easiest way to secure an account, but it doesn't work over
SMTP/IMAP; it can only be used in webmail. That's why you need some IP
limitation for SMTP/IMAP, where a TOTP login to the webmail also authorizes
the source IP to access SMTP/IMAP for the user in question.

Best regards, Sebastian Nielsen
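The scheme described above (campus IPs unrestricted, everything else must first do a TOTP login in webmail, which then unlocks that source IP for password-only SMTP/IMAP) as an added example, not code from the thread or from any mail product. The user store, the campus ranges (TEST-NET addresses), the 12-hour unlock lifetime and the RFC 4226 sample secret are assumptions for illustration; the TOTP itself is standard RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) with a one-step skew window and replay rejection of already-used counters.

```python
"""Added example: TOTP-gated source-IP authorization for SMTP/IMAP.
Not from the mailing-list thread; all names and parameters are assumed."""
import hashlib
import hmac
import ipaddress
import struct

TOTP_STEP = 30                  # RFC 6238 time step in seconds
TOTP_DIGITS = 6
AUTHZ_LIFETIME = 12 * 3600      # assumed: how long one webmail+TOTP login unlocks an IP
CAMPUS_NETS = [                 # assumed campus ranges (documentation prefixes)
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP for epoch time `now`."""
    return hotp(secret, now // TOTP_STEP)


class AuthGate:
    """Tracks which (user, source IP) pairs a TOTP webmail login has unlocked."""

    def __init__(self, users: dict):
        self.users = users          # user -> TOTP secret bytes (assumed store)
        self.authorized = {}        # (user, ip) -> expiry epoch seconds
        self.last_counter = {}      # user -> last accepted TOTP counter (anti-replay)

    def webmail_login(self, user: str, code: str, ip: str, now: int) -> bool:
        """Webmail login with TOTP. On success the source IP is unlocked for SMTP/IMAP."""
        secret = self.users.get(user)
        if secret is None:
            return False
        counter = now // TOTP_STEP
        for c in (counter - 1, counter, counter + 1):      # allow one step of clock skew
            if c <= self.last_counter.get(user, -1):
                continue                                    # a code is accepted once only
            if hmac.compare_digest(hotp(secret, c), code):
                self.last_counter[user] = c
                self.authorized[(user, ip)] = now + AUTHZ_LIFETIME
                return True
        return False

    def smtp_imap_allowed(self, user: str, ip: str, now: int) -> bool:
        """Decision for a password-only SMTP/IMAP login from `ip`."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in CAMPUS_NETS):
            return True                                     # campus IPs: limitless logins
        expiry = self.authorized.get((user, ip))
        if expiry is None or now > expiry:
            self.authorized.pop((user, ip), None)
            return False                                    # unknown or expired IP: webmail+TOTP first
        return True


if __name__ == "__main__":
    gate = AuthGate({"alice": b"12345678901234567890"})   # RFC 4226 test secret, assumed user
    off_campus = "203.0.113.7"
    print("SMTP before TOTP:", gate.smtp_imap_allowed("alice", off_campus, 59))
    print("webmail TOTP login:", gate.webmail_login("alice", totp(b"12345678901234567890", 59), off_campus, 59))
    print("SMTP after TOTP:", gate.smtp_imap_allowed("alice", off_campus, 60))
```

The replay check matters here more than in a plain web login: the TOTP is what resets the IP limit, so a stolen code must not be replayable within its validity window to unlock a second attacker IP. The same `AuthGate.smtp_imap_allowed` check would be called from whatever authenticates SMTP AUTH on port 587 and the IMAP login, with the IP store shared between them.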

-----Original message-----
From: Mike Brudenell via Exim-users <exim-users@???>
Sent: 30 June 2020 11:56
To: Exim Users <exim-users@???>
Subject: Re: [exim] Looking for an example

Prior to moving our main mail service to G Suite, we used Exim's *ratelimit*
to keep an eye on the rate of messages being sent by people who weren't on
our campus IP address range. Because they'd had to authenticate to Exim I
used the authenticating username as the key for the rate limiting.

When the rate started getting high over a suitable period it would start
freezing messages and logging warning lines that a separate process
monitoring the mainlog would then bleat to us about.

I can't remember off the top of my head what the rate thresholds were, but
it was something like 500 messages per 30 minutes. Our feeling was that
someone working away from site was unlikely to be sending that number of
messages that quickly unless they were a spammer. On-campus source IP
addresses were exempt as these might be, for example, database systems
sending out bulk emails to staff or students.

The combination of the freezing along with the mainlog monitoring process
(which blasted an alert email to a set of sysadmins) proved very helpful in
spotting compromised accounts. And in the event of a false positive the
frozen messages could then be released.

Cheers,
Mike B-)

On Mon, 29 Jun 2020 at 13:49, Mark Elkins via Exim-users <
exim-users@???> wrote:

> Hello group,
>
> I'm looking for an example for how to cure this problem.
>
> Every now and then, a user will give his password to a bad actor
> (social engineering). That bad person then goes to my webmail
> interface and sends out a lot of SPAM e-mail, which goes to my port
> 587 (only) Exim (version 4.94).
>
> The mail server then gets black-listed :-(
>
> Of course - then everyone suffers.
>
> All my users details are in a MySQL Database. Ideally - I could change
> their status to "disabled" - but still need to handle the SPAM being
> sent out from their account details. Perhaps I'd lookup the
> "X-Originating-IP" and if there - not do a delivery?
>
> What are the "Best Practices" for handling this?
>
> An example of a "bad" email (the H file) might look like... (as
> untouched as possible)
>
> 1jX2Tv-00A32n-Ka-H
> mail 8 12
> <mothapom@???>
> 1588942319 2
> -received_time_usec .638108
> -helo_name webmail.vweb.co.za
> -host_address 2001:42a0::5.36176
> -interface_address 2001:42a0::71.587
> -received_protocol esmtps
> -body_linecount 48
> -max_received_linelength 74
> -frozen 1589015756
> -tls_cipher TLSv1.3:TLS_AES_256_GCM_SHA384:256
> -tls_sni relay.vweb.co.za
> -tls_ourcert -----BEGIN CERTIFICATE-----\nMIIGaTCCBVGgAwIBAgISAw6
> [Lots deleted] 4isptageh9BnUwAwJw==\n-----END CERTIFICATE-----\n
> YY wryer@???
> YY wrongdoer@???
> YY wristwatch@???
> [20+ lines deleted]
> NN yards@???
> NN yawn@???
> 50
> wrinkle@???
> wrinkling@???
> [20+ lines deleted]
> swarthy@???
> swathes@???
>
> 255P Received: from [2001:42a0::5] (port=36176 helo=webmail.vweb.co.za)
>          by relay.vweb.co.za with esmtps
> (TLSv1.3:TLS_AES_256_GCM_SHA384:256)
>          (Exim 4.92.2)
>          (envelope-from <mothapom@???>)
>          id 1jX2Tv-00A32n-Ka; Fri, 08 May 2020 14:51:59 +0200
> 018  Mime-Version: 1.0
> 038  Date: Fri, 08 May 2020 12:52:10 +0000
> 087  Content-Type: multipart/alternative;
>   boundary="--=_RainLoop_183_170848428.1588942330"
> 026  X-Mailer: RainLoop/1.11.3
> 057F From: "Mrs. Agnes Adams" <mothapom@???>
> 068I Message-ID: <f48e1f3d5cf34a6e7f03fe0d1b6487a8@???>
> 030R Reply-To: jm4065278@???
> 012  Subject: HI
> 034  X-Originating-IP: 197.220.169.156
>
> --
>
> Mark James ELKINS - Posix Systems - (South) Africa mje@???
> Tel: +27.826010496 <tel:+27826010496> For fast, reliable, low cost
> Internet in ZA: https://ftth.posix.co.za
>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/ ## Please use the Wiki with
> this list - http://wiki.exim.org/
>
--
*My normal working days are Tuesdays, Wednesdays and Thursdays.*

Systems Administrator working in Teaching & Learning IT Services, University
of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
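An added example of the mainlog-watching side of what Mike describes (an external process that spots authenticated users sending at an unusual rate and tells the sysadmins which messages to freeze). It is not the York setup or Exim code: the threshold (500 per 30 minutes), the campus range, the user names and the log lines are assumptions and constructed samples, written in the shape of Exim's `<=` arrival lines with the `A=<authenticator>:<id>` field carrying the authenticated username, which is the rate-limit key Mike used.

```python
"""Added example: sliding-window monitor over Exim mainlog arrival lines,
keyed by authenticated user, exempting campus source IPs.
Not from the thread; threshold, networks and sample lines are assumed."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 500                 # assumed: messages per window before alerting
WINDOW = 30 * 60                # assumed: 30-minute window, in seconds
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed campus range (TEST-NET)

# Exim '<=' arrival line: timestamp, message id, sender, ... [source ip] ... A=auth:user
ARRIVAL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= \S+ .*?"
    r"\[(?P<ip>[^\]]+)\].*?\bA=[^:\s]+:(?P<user>\S+)"
)


class RateMonitor:
    """Counts authenticated off-campus submissions per user in a sliding window."""

    def __init__(self, threshold: int = THRESHOLD, window: int = WINDOW):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)      # user -> deque of (datetime, message id)
        self.alerts = []                    # (user, message id) for each message over threshold

    def feed(self, line: str):
        """Process one mainlog line; returns the user if this message is over threshold."""
        m = ARRIVAL.search(line)
        if not m:
            return None                     # deliveries, defers, etc. are ignored
        if any(ipaddress.ip_address(m["ip"]) in net for net in CAMPUS_NETS):
            return None                     # on-campus sources (bulk senders) are exempt
        t = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = self.seen[m["user"]]
        while q and (t - q[0][0]).total_seconds() > self.window:
            q.popleft()                     # drop submissions older than the window
        q.append((t, m["id"]))
        if len(q) > self.threshold:
            self.alerts.append((m["user"], m["id"]))
            return m["user"]
        return None


def analyse(lines, threshold: int = THRESHOLD, window: int = WINDOW) -> RateMonitor:
    mon = RateMonitor(threshold, window)
    for line in lines:
        mon.feed(line)
    return mon


def freeze_commands(mon: RateMonitor):
    """Operator commands for the flagged messages; `exim -Mt <id>` thaws a false positive."""
    return [f"exim -Mf {msgid}" for _, msgid in mon.alerts]


def constructed_mainlog():
    """Constructed sample lines (not real traffic): alice sends 5 messages in 5 minutes
    from off campus, bob sends 5 from a campus database host, plus unrelated lines."""
    lines = []
    for i in range(5):
        lines.append(
            f"2020-06-30 11:{i:02d}:00 1jqAl{i}-000100-Aa <= alice@example.ac.uk "
            f"H=(laptop) [203.0.113.7] P=esmtpsa X=TLSv1.3:TLS_AES_256_GCM_SHA384:256 "
            f"CV=no A=plain:alice S=2048 id=alice{i}@example.ac.uk"
        )
        lines.append(
            f"2020-06-30 11:{i:02d}:30 1jqBo{i}-000200-Bb <= bob@example.ac.uk "
            f"H=dbhost.example.ac.uk [192.0.2.5] P=esmtpsa A=plain:bob S=512 id=bob{i}@example.ac.uk"
        )
    lines.append("2020-06-30 11:06:00 1jqAl0-000100-Aa => x@example.net R=dnslookup T=remote_smtp H=mx.example.net")
    lines.append("2020-06-30 12:30:00 1jqAl9-000100-Zz <= alice@example.ac.uk "
                 "H=(laptop) [203.0.113.7] P=esmtpsa A=plain:alice S=2048")
    return lines


if __name__ == "__main__":
    # Low threshold so the constructed sample trips it: 3 messages per 10 minutes.
    mon = analyse(constructed_mainlog(), threshold=3, window=600)
    for user, msgid in mon.alerts:
        print(f"ALERT user={user} over {mon.threshold}/{mon.window}s, freeze {msgid}")
    print("\n".join(freeze_commands(mon)))
```

In Exim itself the in-line half of this is an ACL condition of the form `ratelimit = 500 / 30m / per_mail / $authenticated_id` on a `warn` verb with `log_message` and `control = freeze`, applied only to connections outside the campus ranges; a watcher like the one above tails the mainlog for the resulting lines and mails the sysadmins, and `exim -Mt` releases the frozen messages if the alert turns out to be a false positive.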