STOPPING SPAM FROM COMPROMISED ACCOUNTS.

  • Homer Wilson Smith
    Message 1 of 5 , Sep 21, 2013
      I have an outgoing-only mail server for our customers called
      smtp.lightlink.com. It only allows relaying from local IPs,
      and known virtual domains if remote users wish to use it.

      We were fine when we were running pop before smtp authentication, but
      I was forced to also allow SASL authentication.

      More and more people are having their passwords compromised, I have no
      idea how it happens, one person had it compromised twice in one day after
      I changed it the first time.

      There are no false tries on the user account, until the spam starts
      coming in with the correct password, then it's 64,000 pieces of mail
      forever and ever until I stop it.

      So one, how are passwords being compromised without brute force
      attacks showing up on the server?

      What do I do to catch this in the bud?

      1.) I have a barracuda which I could use as a smart out-going host
      from smtp.lightlink.com.

      It will quarantine and rate limit, but it won't tell me what's going
      on unless I look, it won't stop the spam, and it blocks and can not handle
      those that wish to send large mailings legitimately through
      smtp.lightlink.com. It just clogs up and slows WAY down. Besides I hate
      barracuda.

      3.) Are there ways in postfix to detect the abuse, and close
      the account? Or what? White papers? Pointers to RTFM?

      4.) Perl, write my own perl code and count the SASL's coming in and
      lock the account when it does something stupid?

      It's happening about once or twice a month now and our mail
      server usually gets blacklisted every time it does.

      Thanks in advance,

      Homer W Smith
      CEO Lightlink, aka still a stupid newbie after 20 years...

      ------------------------------------------------------------------------
      Homer Wilson Smith Clean Air, Clear Water, Art Matrix - Lightlink
      (607) 277-0959 A Green Earth, and Peace, Internet, Ithaca NY
      homer@... Is that too much to ask? http://www.lightlink.com
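As an added example (not code from the thread or from Postfix), the log-counting idea from item 4 above written in Python instead of Perl: it parses Postfix smtpd SASL log lines, counts logins per account in a sliding window and the number of distinct client addresses, and reports accounts that exceed a threshold. The log lines, the thresholds and the year assumed for the syslog timestamps are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Postfix smtpd log format (not taken from the thread).
SAMPLE_LOG = """\
Sep 21 19:01:02 smtp postfix/smtpd[1001]: 1A2B3C: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.net
Sep 21 19:01:05 smtp postfix/smtpd[1002]: 1A2B3D: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.net
Sep 21 19:01:09 smtp postfix/smtpd[1003]: 1A2B3E: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=alice@example.net
Sep 21 19:02:00 smtp postfix/smtpd[1004]: 1A2B3F: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.net
Sep 21 19:30:00 smtp postfix/smtpd[1005]: 1A2B40: client=unknown[192.0.2.55], sasl_method=PLAIN, sasl_username=bob@example.net
"""
LOG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+\[([^\]]+)\], sasl_method=\w+, sasl_username=(\S+)")
LOG_YEAR = 2013  # syslog timestamps carry no year; assumed here

def parse_sasl_logins(log_text):
    # Returns (timestamp, client_ip, sasl_username) for each authenticated session.
    logins = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an smtpd SASL line (delivery, disconnect, ...)
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        logins.append((ts, m.group(2), m.group(3)))
    return logins

def flag_suspicious(logins, max_per_window=100, window=timedelta(minutes=10), max_ips=3):
    # Maps each account that trips a threshold to the list of reasons.
    by_user = defaultdict(list)
    for ts, ip, user in logins:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        times = [t for t, _ in events]
        peak, j = 0, 0
        for i, t in enumerate(times):  # sliding window over sorted login times
            while times[j] < t - window:
                j += 1
            peak = max(peak, i - j + 1)
        reasons = []
        if peak > max_per_window:
            reasons.append("%d logins within %s" % (peak, window))
        ips = {ip for _, ip in events}
        if len(ips) > max_ips:  # one account used from many clients at once
            reasons.append("%d distinct client addresses" % len(ips))
        if reasons:
            flagged[user] = reasons
    return flagged
```

Run it over the output of `grep sasl_username /var/log/mail.log` on a real system; an account that trips both checks is the pattern described above (correct password, sudden burst, no failed attempts).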
    • azurIt
      Message 2 of 5 , Sep 21, 2013
        >I have an outgoing-only mail server for our customers called
        >smtp.lightlink.com. It only allows relaying from local IPs,
        >and known virtual domains if remote users wish to use it.
        >
        > We were fine when we were running pop before smtp authentication, but
        >I was forced to also allow SASL authentication.
        >
        > More and more people are having their passwords compromised, I have no
        >idea how it happens, one person had it compromised twice in one day after
        >I changed it the first time.
        >
        > There are no false tries on the user account, until the spam starts
        >coming in with the correct password, then it's 64,000 pieces of mail
        >forever and ever until I stop it.
        >
        > So one, how are passwords being compromised without brute force
        >attacks showing up on the server?
        >
        > What do I do to catch this in the bud?
        >
        > 1.) I have a barracuda which I could use as a smart out-going host
        >from smtp.lightlink.com.
        >
        > It will quarantine and rate limit, but it won't tell me what's going
        >on unless I look, it won't stop the spam, and it blocks and can not handle
        >those that wish to send large mailings legitimately through
        >smtp.lightlink.com. It just clogs up and slows WAY down. Besides I hate
        >barracuda.
        >
        > 3.) Are there ways in postfix to detect the abuse, and close
        >the account? Or what? White papers? Pointers to RTFM?
        >
        > 4.) Perl, write my own perl code and count the SASL's coming in and
        >lock the account when it does something stupid?
        >
        > It's happening about once or twice a month now and our mail
        >server usually gets blacklisted every time it does.
        Hi Homer,

        we are sometimes having similar troubles and we found out that compromised accounts are usually owned by fools who are sending their login and password directly to spammers - you must have seen those stupid e-mails which are asking for your login information on behalf of 'your administrator'. And yes, there really are people who really send their login information :) I was shocked when I saw this for the first time in our environment.

        You can do several things to stop spam from being sent by your server:
        1.) Implement rate limits (for example, 100 messages per 10 minutes).
        2.) Allow only login from your country by default (use geoip for this).
        3.) Allow only correct sender addresses - for example, if someone logs in as user@..., allow him to send messages only from user@... or domain @... or so. This will really help you to track and block problematic users.

        azur
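As an added example (not azurIt's or Postfix's own code), a minimal Postfix SMTPD policy service in Python that implements rules 1 and 3 above: it parses the name=value request Postfix sends to a check_policy_service, rejects a message whose envelope sender is not permitted for the SASL login, and defers once a login exceeds 100 messages in 10 minutes. The login-to-sender map, the limits and the example addresses are constructed assumptions; for the sender check alone, Postfix's own reject_sender_login_mismatch with smtpd_sender_login_maps does the same thing without a policy daemon.

```python
from collections import defaultdict, deque
from time import monotonic

# Constructed map of SASL login -> permitted envelope senders (an exact address
# or a whole domain written as "@domain"); in production this would come from
# the same source as smtpd_sender_login_maps.
ALLOWED_SENDERS = {"user@example.net": {"user@example.net", "@example.net"}}

def parse_policy_request(text):
    # Postfix sends "name=value" lines terminated by an empty line.
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class OutboundPolicy:
    def __init__(self, allowed=ALLOWED_SENDERS, limit=100, window=600, clock=monotonic):
        self.allowed, self.limit, self.window, self.clock = allowed, limit, window, clock
        self.history = defaultdict(deque)  # login -> timestamps of recent accepted queries

    def sender_permitted(self, login, sender):
        allowed = self.allowed.get(login, set())
        # A null sender from an authenticated client is treated as a mismatch.
        return bool(sender) and (sender in allowed or "@" + sender.rpartition("@")[2] in allowed)

    def decide(self, attrs):
        login = attrs.get("sasl_username", "")
        sender = attrs.get("sender", "").lower()
        if not login:
            return "DUNNO"  # not SASL-authenticated; leave it to the other restrictions
        if not self.sender_permitted(login, sender):
            return "REJECT sender address not permitted for this login"
        now = self.clock()
        recent = self.history[login]
        while recent and recent[0] < now - self.window:  # drop entries outside the window
            recent.popleft()
        if len(recent) >= self.limit:
            return "DEFER_IF_PERMIT rate limit exceeded, try again later"
        recent.append(now)
        return "DUNNO"

def respond(policy, request_text):
    # The reply is one "action=" line followed by an empty line.
    return "action=%s\n\n" % policy.decide(parse_policy_request(request_text))
```

Wrap `respond` in a socket server and reference it from main.cf with `check_policy_service`; the count is per policy query, so where it sits in the restriction list decides whether that means per message or per recipient.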
      • Wietse Venema
        Message 3 of 5 , Sep 21, 2013
          Homer Wilson Smith:
          >
          > I have an outgoing-only mail server for our customers called
          > smtp.lightlink.com. It only allows relaying from local IPs,
          > and known virtual domains if remote users wish to use it.
          >
          > We were fine when we were running pop before smtp authentication, but
          > I was forced to also allow SASL authentication.
          >
          > More and more people are having their passwords compromised, I have no
          > idea how it happens, one person had it compromised twice in one day after
          > I changed it the first time.
          >
          > There are no false tries on the user account, until the spam starts
          > coming in with the correct password, then it's 64,000 pieces of mail
          > forever and ever until I stop it.

          Use postfwd (www.postfdw.org) or the like to rate-limit mail clients.

          > So one, how are passwords being compromised without brute force
          > attacks showing up on the server?

          They compromise the mail client host and steal login credentials,
          or they phish the user, and make them give their login credentials
          to a rogue server.

          Wietse
        • John Hinton
          Message 4 of 5 , Sep 22, 2013
            On 9/21/2013 7:10 PM, Homer Wilson Smith wrote:
            >
            > I have an outgoing-only mail server for our customers called
            > smtp.lightlink.com. It only allows relaying from local IPs,
            > and known virtual domains if remote users wish to use it.
            >
            > We were fine when we were running pop before smtp authentication,
            > but I was forced to also allow SASL authentication.
            >
            > More and more people are having their passwords compromised, I
            > have no idea how it happens, one person had it compromised twice in
            > one day after I changed it the first time.
            >
            > There are no false tries on the user account, until the spam
            > starts coming in with the correct password, then it's 64,000 pieces of
            > mail forever and ever until I stop it.
            >
            > So one, how are passwords being compromised without brute force
            > attacks showing up on the server?
            >
            >
            I have had a few clients over the last few months that apparently had a
            key tracker virus on their systems. Same problem. Password stolen. Reset
            password... password stolen again in just a few hours. Customers removed
            viruses from computer. Problem stopped.

            --
            John Hinton
            877-777-1407 ext 502
            http://www.ew3d.com
            Comprehensive Online Solutions
          • LuKreme
            Message 5 of 5 , Sep 23, 2013
              On 21 Sep 2013, at 18:48 , Wietse Venema <wietse@...> wrote:
              > Use postfwd (www.postfdw.org) or the like to rate-limit mail clients.

              tyop, the url is http://www.postfwd.org

              (yes, it took me two tries to figure out what was wrong with it)

              --
              "Queen Isabella and King Ferdinand kicked 200,000 Jews out of Spain, one
              of the first acts of the Spanish Inquisition, which no one ever expects
              " -- John Carroll's 21st Annual Xmas Quiz answers