Re: [exim] Better way to deal with phished users?

The problem is that passwords are insecure. Its much better to lock accounts to countries or even
individual ISPs, offices or IPs.
SMTP and IMAP doesn't have good support for OTP and other secure authentication methods, so a good
idea is to "enhance" the security by locking accounts to countries.
If users travel, they have to contact customer support.

If you COULD force the end users to always use webmail, you can add TOTP to that and make things
like 100x more secure.
Another way to increase security is to add the latest IP of the latest webmail login (with TOTP) to
database, and if users want to use imap/smtp, everytime they change country or ISP or ASN or
similar, they have to login to webmail once to "reenable access".

Try to come up with something like that, because passwords are horribly insecure, and its not many
clients that support for example client certificates.

-----Ursprungligt meddelande-----
Från: Niels Dettenbach via Exim-users <exim-users@???>
Skickat: den 5 juli 2021 13:17
Till: Niels Kobschätzki <niels@???>
Kopia: exim-users@???
Ämne: Re: [exim] Better way to deal with phished users?

Am Montag, 5. Juli 2021, 09:04:16 CEST schrieb Niels Kobschätzki:
> On 5 Jul 2021, at 7:54, Niels Dettenbach via Exim-users wrote:
> Phished users are users from my mail system which are proven regular users
> who have their accounts for years and whose credentials got compromised
> and are now suddenly used for sending spam- or phishing mails from my mail
> system to other systems (and in that special case they are using the
> Webmail-interface to send out mails and thus they really look like normal
> users from the point of view of the mailing system).
>
> Thus I want to prevent sending out spam/scam mails from my system to others
> (yes I already have diverse counter-measures in place but for the kind
> mentioned above they all Gail and I have to intervene manually)
ouch,

ok.

>From my view, the primary way is to force the users to set new credentials
(if you really mean access credentials - like passwords). As a network /
email operator on the internet, by "netiquette" it is your responsibility to
minimize / block abusive traffic from your systems.

At least some countries have regulations by law forcing you to do this (at
least if you "get aware of").

Until that you may strongly ratelimit or block such users (if you could
identify them and if it is possible with your contracts / policies) to avoid
harm to others and (not at least) your own email system (reputation etc.).


best regards,


niels.
--
---
Niels Dettenbach
Syndicat IT & Internet
https://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---








--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/