Spam protection by auto-blocking suspicious accounts

  • Roland Plüss
    Message 1 of 14, Jan 6, 2014
      A couple of days ago my mail server got attacked by a spammer. As it
      looks like, he managed to compromise the password of one of the users on
      the system and SASL-authenticated using the account to send spam. I
      blocked the attacking IP and changed the password of the affected user.
      Still, the spammer managed to send out quite a lot of mails because
      permit_sasl_authenticated let him pass. Now, to deal with this
      situation in the future, I would like to automatically lock down an
      account if an unusual number of mails is sent, like 60 per minute or so.
      I could not figure out, though, whether Postfix is able to do this or how to
      get this done. Any ideas?

      --
      Yours sincerely
      Plüss Roland
    • lists@rhsoft.net
      Message 2 of 14, Jan 6, 2014
        On 06.01.2014 16:12, Roland Plüss wrote:
        > A couple of days ago my mail server got attacked by a spammer. As it
        > looks like he managed to compromise the password of one of the users on
        > the system and SASL authenticated using the account to send spam. I
        > blocked the attacking IP and changed the password of the affected user.
        > Still the spammer managed to send out quite a lot of mails because due
        > to permit_sasl_authenticated letting him pass by. Now to deal with this
        > situation in the future I would like to automatically lock down an
        > account if an unusual amount of mails are sent like 60 per minute or so.
        > I could though not figure out if postfix is able to do this or how to
        > get this done. Any ideas?

        anvil_rate_time_unit = 1800s
        smtpd_client_connection_rate_limit = 50
        smtpd_client_recipient_rate_limit = 400
        smtpd_recipient_limit = 100

        This way, at least no more than 400 messages from the same IP
        can be sent within 30 minutes, independent of how many connections
        are used (while these are limited to 50), and a single message must not have
        more than 100 RCPT.
      • Robert Schetterer
        Message 3 of 14, Jan 6, 2014
          On 06.01.2014 16:12, Roland Plüss wrote:
          > Now to deal with this situation in the future I would like to
          > automatically lock down an account if an unusual amount of mails
          > are sent like 60 per minute or so.

          You need an anomaly checker, so first you need to have some DB with
          multiple pieces of info about the "normal behaviour" of accounts; if "abnormal" behaviour is
          detected, then you could do "something". Simple example: you know an
          account is only used at "office" time, so disable the account if it tries
          to send at other times, etc.
          Not an easy job to code; meanwhile do some amount monitoring and
          alarming out of syslog info, but I would create warnings for human
          inspection, and not use auto mechanisms.

          Other way: use policy servers with some outbound mail limit control,
          but this also might need a lot of support, because some account wants to send
          mass mail some day.

          Best Regards
          MfG Robert Schetterer

          --
          [*] sys4 AG

          http://sys4.de, +49 (89) 30 90 46 64
          Franziskanerstraße 15, 81669 München

          Registered office: München, District Court München: HRB 199263
          Management Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
          Chairman of the Supervisory Board: Florian Kirstein
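Robert's suggestion of doing amount monitoring and alarming from syslog, as an added example (not code from the thread, from Postfix or from sys4): a small Python monitor that counts SASL-authenticated submissions per account and minute from Postfix smtpd log lines and flags accounts above the 60-per-minute threshold Roland asked about. Unlike anvil's limits, which are keyed by client IP, this is keyed by sasl_username, so a compromised account that is used from many addresses still shows up. The `postfix/smtpd ... client=..., sasl_method=..., sasl_username=...` line shape is what Postfix logs for an authenticated client; the sample lines, account names, queue ids, documentation-range addresses and the assumed year 2014 are constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Postfix smtpd line logged for a SASL-authenticated submission. The syslog
# timestamp carries no year, so one is assumed below.
SASL_LINE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): client=(?P<client>\S+), sasl_method=\S+, '
    r'sasl_username=(?P<user>\S+)$'
)
LOG_YEAR = 2014  # assumed, as syslog stamps have no year


def parse_submission(line):
    """Return (timestamp, queue_id, sasl_username, client) or None for any other line."""
    m = SASL_LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=LOG_YEAR)
    return ts, m['qid'], m['user'], m['client']


def submissions_per_minute(lines):
    """Count accepted submissions (one per queue id) per (sasl_username, minute)."""
    seen = set()
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_submission(line)
        if parsed is None:
            continue
        ts, qid, user, _client = parsed
        if qid in seen:  # a queue id identifies one message; ignore duplicate log lines
            continue
        seen.add(qid)
        counts[(user, ts.strftime('%Y-%m-%d %H:%M'))] += 1
    return counts


def find_offenders(lines, per_minute=60):
    """Accounts that exceed `per_minute` submissions within any single minute."""
    counts = submissions_per_minute(lines)
    return sorted({user for (user, _minute), n in counts.items() if n > per_minute})


def _constructed_log():
    """Constructed sample: alice sends 3 mails; a compromised account sends 75 in one minute."""
    lines = ['Jan  6 16:01:10 mail dovecot: imap-login: Login: user=<alice@example.org>']
    for i in range(3):
        lines.append(f'Jan  6 16:01:{10 + i:02d} mail postfix/smtpd[2101]: A{i:07X}: '
                     f'client=home.example.net[192.0.2.10], sasl_method=PLAIN, '
                     f'sasl_username=alice@example.org')
    for i in range(75):
        lines.append(f'Jan  6 16:02:{i % 60:02d} mail postfix/smtpd[2105]: B{i:07X}: '
                     f'client=unknown[203.0.113.77], sasl_method=LOGIN, '
                     f'sasl_username=mallory@example.org')
    return lines


if __name__ == '__main__':
    for (user, minute), n in sorted(submissions_per_minute(_constructed_log()).items()):
        print(f'{minute} {user}: {n} submissions')
    print('above limit:', find_offenders(_constructed_log()))
```

Run it against `/var/log/mail.log` (for example from a cron job every few minutes) and page a human when `find_offenders` returns anything; as Robert says, a warning for inspection is safer than automatic lockout, and the per-account counts also give the pflogsumm-style daily view a finer time resolution.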
        • Robert Schetterer
          Message 4 of 14, Jan 6, 2014
            On 06.01.2014 16:24, lists@... wrote:
            > On 06.01.2014 16:12, Roland Plüss wrote:
            >> A couple of days ago my mail server got attacked by a spammer. As it
            >> looks like he managed to compromise the password of one of the users on
            >> the system and SASL authenticated using the account to send spam. I
            >> blocked the attacking IP and changed the password of the affected user.
            >> Still the spammer managed to send out quite a lot of mails because due
            >> to permit_sasl_authenticated letting him pass by. Now to deal with this
            >> situation in the future I would like to automatically lock down an
            >> account if an unusual amount of mails are sent like 60 per minute or so.
            >> I could though not figure out if postfix is able to do this or how to
            >> get this done. Any ideas?
            >
            > anvil_rate_time_unit = 1800s
            > smtpd_client_connection_rate_limit = 50
            > smtpd_client_recipient_rate_limit = 400
            > smtpd_recipient_limit = 100
            >
            > this way at least not more than 400 messages from the same IP
            > can be sent within 30 minutes, independent of how many connections
            > while these are limited to 50 and a single message must not have
            > more than 100 CRPT
            >

            Yeah, but some spambots will simply fire again, so it might not fix the
            problem; it may only limit the impact.


            Best Regards
            MfG Robert Schetterer

            --
            [*] sys4 AG

            http://sys4.de, +49 (89) 30 90 46 64
            Franziskanerstraße 15, 81669 München

            Registered office: München, District Court München: HRB 199263
            Management Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
            Chairman of the Supervisory Board: Florian Kirstein
          • lists@rhsoft.net
            Message 5 of 14, Jan 6, 2014
              On 06.01.2014 16:29, Robert Schetterer wrote:
              > On 06.01.2014 16:24, lists@... wrote:
              >> On 06.01.2014 16:12, Roland Plüss wrote:
              >>> A couple of days ago my mail server got attacked by a spammer. As it
              >>> looks like he managed to compromise the password of one of the users on
              >>> the system and SASL authenticated using the account to send spam. I
              >>> blocked the attacking IP and changed the password of the affected user.
              >>> Still the spammer managed to send out quite a lot of mails because due
              >>> to permit_sasl_authenticated letting him pass by. Now to deal with this
              >>> situation in the future I would like to automatically lock down an
              >>> account if an unusual amount of mails are sent like 60 per minute or so.
              >>> I could though not figure out if postfix is able to do this or how to
              >>> get this done. Any ideas?
              >>
              >> anvil_rate_time_unit = 1800s
              >> smtpd_client_connection_rate_limit = 50
              >> smtpd_client_recipient_rate_limit = 400
              >> smtpd_recipient_limit = 100
              >>
              >> this way at least not more than 400 messages from the same IP
              >> can be sent within 30 minutes, independent of how many connections
              >> while these are limited to 50 and a single message must not have
              >> more than 100 CRPT
              >
              > yeah, but some spambots simple will fire again, so it might not fix the
              > problem, it may only limiting impacts

              Correct, the problem itself can only be fixed manually in any case,
              but the difference between 400 or 400000 messages by one spambot
              makes the difference between getting blacklisted everywhere or not :-)
            • Robert Schetterer
              Message 6 of 14, Jan 6, 2014
                On 06.01.2014 16:32, lists@... wrote:
                > correct, the problem itself can only be fixed manually in any case
                > but the difference between 400 or 400000 messages by one spambot
                > makes the difference get blacklisted everywhere or not :-)

                You may get blacklisted by only "one" spam mail somewhere,

                but using anvil limiting is always a good idea !!!


                Best Regards
                MfG Robert Schetterer

                --
                [*] sys4 AG

                http://sys4.de, +49 (89) 30 90 46 64
                Franziskanerstraße 15, 81669 München

                Registered office: München, District Court München: HRB 199263
                Management Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
                Chairman of the Supervisory Board: Florian Kirstein
              • Roland Plüss
                Message 7 of 14, Jan 6, 2014
                  On 01/06/2014 04:32 PM, lists@... wrote:
                  >
                  > On 06.01.2014 16:29, Robert Schetterer wrote:
                  >> On 06.01.2014 16:24, lists@... wrote:
                  >>> On 06.01.2014 16:12, Roland Plüss wrote:
                  >>>> A couple of days ago my mail server got attacked by a spammer. As it
                  >>>> looks like he managed to compromise the password of one of the users on
                  >>>> the system and SASL authenticated using the account to send spam. I
                  >>>> blocked the attacking IP and changed the password of the affected user.
                  >>>> Still the spammer managed to send out quite a lot of mails because due
                  >>>> to permit_sasl_authenticated letting him pass by. Now to deal with this
                  >>>> situation in the future I would like to automatically lock down an
                  >>>> account if an unusual amount of mails are sent like 60 per minute or so.
                  >>>> I could though not figure out if postfix is able to do this or how to
                  >>>> get this done. Any ideas?
                  >>> anvil_rate_time_unit = 1800s
                  >>> smtpd_client_connection_rate_limit = 50
                  >>> smtpd_client_recipient_rate_limit = 400
                  >>> smtpd_recipient_limit = 100
                  >>>
                  >>> this way at least not more than 400 messages from the same IP
                  >>> can be sent within 30 minutes, independent of how many connections
                  >>> while these are limited to 50 and a single message must not have
                  >>> more than 100 CRPT
                  >> yeah, but some spambots simple will fire again, so it might not fix the
                  >> problem, it may only limiting impacts
                  > correct, the problem itself can only be fixed manually in any case
                  > but the difference between 400 or 400000 messages by one spambot
                  > makes the difference get blacklisted everywhere or not :-)
                  Sounds like a plan. It's enough for me to reduce the potential impact of
                  a compromised account. That spam attack got me some blacklist trouble
                  with Barracuda, but I got delisted quickly. I've got a daily pflogsumm
                  already telling me if something goes out of hand, but in a day one can
                  spam a lot.

                  I have now put in a limit of 100 mails per 30 minutes, which is enough for the
                  current user base. Thanks for the tip.

                  --
                  Yours sincerely
                  Plüss Roland
                • Roland Plüss
                  Message 8 of 14, Jan 6, 2014
                    On 01/06/2014 04:32 PM, lists@... wrote:
                    >
                    > On 06.01.2014 16:29, Robert Schetterer wrote:
                    >> On 06.01.2014 16:24, lists@... wrote:
                    >>> On 06.01.2014 16:12, Roland Plüss wrote:
                    >>>> A couple of days ago my mail server got attacked by a spammer. As it
                    >>>> looks like he managed to compromise the password of one of the users on
                    >>>> the system and SASL authenticated using the account to send spam. I
                    >>>> blocked the attacking IP and changed the password of the affected user.
                    >>>> Still the spammer managed to send out quite a lot of mails because due
                    >>>> to permit_sasl_authenticated letting him pass by. Now to deal with this
                    >>>> situation in the future I would like to automatically lock down an
                    >>>> account if an unusual amount of mails are sent like 60 per minute or so.
                    >>>> I could though not figure out if postfix is able to do this or how to
                    >>>> get this done. Any ideas?
                    >>> anvil_rate_time_unit = 1800s
                    >>> smtpd_client_connection_rate_limit = 50
                    >>> smtpd_client_recipient_rate_limit = 400
                    >>> smtpd_recipient_limit = 100
                    >>>
                    >>> this way at least not more than 400 messages from the same IP
                    >>> can be sent within 30 minutes, independent of how many connections
                    >>> while these are limited to 50 and a single message must not have
                    >>> more than 100 CRPT
                    >> yeah, but some spambots simple will fire again, so it might not fix the
                    >> problem, it may only limiting impacts
                    > correct, the problem itself can only be fixed manually in any case
                    > but the difference between 400 or 400000 messages by one spambot
                    > makes the difference get blacklisted everywhere or not :-)
                    Follow-up question. How does the block work? Is it permanent or temporary?
                    If permanent, how can I remove the block after changing the password?

                    --
                    Yours sincerely
                    Plüss Roland

                    Leader and Head Programmer
                    - Game: Epsylon ( http://www.indiedb.com/games/epsylon )
                    - Game Engine: Drag[en]gine ( http://www.indiedb.com/engines/dragengine
                    , http://dragengine.rptd.ch/wiki )
                    - Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php )
                    - As well as various Blender export scripts und game tools
                  • lists@rhsoft.net
                    Message 9 of 14, Jan 6, 2014
                      On 06.01.2014 16:43, Roland Plüss wrote:
                      >
                      > On 01/06/2014 04:32 PM, lists@... wrote:
                      >>
                      >> On 06.01.2014 16:29, Robert Schetterer wrote:
                      >>> On 06.01.2014 16:24, lists@... wrote:
                      >>>> On 06.01.2014 16:12, Roland Plüss wrote:
                      >>>>> A couple of days ago my mail server got attacked by a spammer. As it
                      >>>>> looks like he managed to compromise the password of one of the users on
                      >>>>> the system and SASL authenticated using the account to send spam. I
                      >>>>> blocked the attacking IP and changed the password of the affected user.
                      >>>>> Still the spammer managed to send out quite a lot of mails because due
                      >>>>> to permit_sasl_authenticated letting him pass by. Now to deal with this
                      >>>>> situation in the future I would like to automatically lock down an
                      >>>>> account if an unusual amount of mails are sent like 60 per minute or so.
                      >>>>> I could though not figure out if postfix is able to do this or how to
                      >>>>> get this done. Any ideas?
                      >>>> anvil_rate_time_unit = 1800s
                      >>>> smtpd_client_connection_rate_limit = 50
                      >>>> smtpd_client_recipient_rate_limit = 400
                      >>>> smtpd_recipient_limit = 100
                      >>>>
                      >>>> this way at least not more than 400 messages from the same IP
                      >>>> can be sent within 30 minutes, independent of how many connections
                      >>>> while these are limited to 50 and a single message must not have
                      >>>> more than 100 CRPT
                      >>> yeah, but some spambots simple will fire again, so it might not fix the
                      >>> problem, it may only limiting impacts
                      >> correct, the problem itself can only be fixed manually in any case
                      >> but the difference between 400 or 400000 messages by one spambot
                      >> makes the difference get blacklisted everywhere or not :-)
                      > Follow question. How is the block working? Is it permanent or temporary?
                      > If permanent how can I remove the block after changing the password?

                      Temporary: as soon as the client IP is below the limits again it can send.
                      If you send 400 messages you need to wait at least 30 minutes for the next.
                    • Mike McGinn
                      Message 10 of 14, Jan 6, 2014
                        On Monday, January 06, 2014 10:12:38 Roland Plüss wrote:
                        > A couple of days ago my mail server got attacked by a spammer. As it
                        > looks like he managed to compromise the password of one of the users on
                        > the system and SASL authenticated using the account to send spam. I
                        > blocked the attacking IP and changed the password of the affected user.
                        > Still the spammer managed to send out quite a lot of mails because due
                        > to permit_sasl_authenticated letting him pass by. Now to deal with this
                        > situation in the future I would like to automatically lock down an
                        > account if an unusual amount of mails are sent like 60 per minute or so.
                        > I could though not figure out if postfix is able to do this or how to
                        > get this done. Any ideas?

                        Welcome to the club.
                        I had an account get compromised on Christmas Day and got my server
                        blacklisted. Changed the password.

                        Now in my dovecot logs I see logins for this account from various IP addresses
                        in Russia and the former Soviet republics. These seem to be from some sort of
                        botnet, as they come in bursts from different IP addresses. I have been adding
                        the CIDRs for these networks to my firewall as they show up.

                        I am not a mail guy, but I find knowing how to use a firewall comes in handy.

                        --
                        Mike McGinn KD2CNU
                        Ex Uno Plurima
                        No electrons were harmed in sending this message, some were inconvenienced.
                        ** Registered Linux User 377849
                      • postfix@...
                        Message 11 of 14, Jan 6, 2014
                          On 1/6/2014 5:32 PM, Mike McGinn wrote:
                          > On Monday, January 06, 2014 10:12:38 Roland Plüss wrote:
                          >> A couple of days ago my mail server got attacked by a spammer. As it
                          >> looks like he managed to compromise the password of one of the users on
                          >> the system and SASL authenticated using the account to send spam. I
                          >> blocked the attacking IP and changed the password of the affected user.
                          >> Still the spammer managed to send out quite a lot of mails because due
                          >> to permit_sasl_authenticated letting him pass by. Now to deal with this
                          >> situation in the future I would like to automatically lock down an
                          >> account if an unusual amount of mails are sent like 60 per minute or so.
                          >> I could though not figure out if postfix is able to do this or how to
                          >> get this done. Any ideas?
                          > Welcome to the club.
                          > I had an account get compromised on Christmas Day and got my server
                          > blacklisted. Changed the password.
                          >
                          > Now in my dovecot logs I see login for this account from various IP addresses
                          > in Russia and the former Soviet republics. These seem to be from some sort of
                          > botnet as they come in bursts from different IP addresses. I have been adding
                          > the CIDRs for these networks to my firewall as they show up.
                          >
                          > I am not a mail guy, but I find knowing how to use a firewall comes in handy.
                          >
                          I use fail2ban to block bots trying to guess passwords. Any IP that
                          enters a wrong password more than a certain number of times is banned for
                          10 minutes. Any such IP that gets banned too often this way gets banned
                          for a week.

                          I get attempts from pretty much all over the world (US, Europe, Russia,
                          China, India, ....)
                        • Robert Schetterer
                          Message 12 of 14, Jan 6, 2014
                            On 06.01.2014 17:40, postfix@... wrote:
                            > On 1/6/2014 5:32 PM, Mike McGinn wrote:
                            >> On Monday, January 06, 2014 10:12:38 Roland Plüss wrote:
                            >>> A couple of days ago my mail server got attacked by a spammer. As it
                            >>> looks like he managed to compromise the password of one of the users on
                            >>> the system and SASL authenticated using the account to send spam. I
                            >>> blocked the attacking IP and changed the password of the affected user.
                            >>> Still the spammer managed to send out quite a lot of mails because due
                            >>> to permit_sasl_authenticated letting him pass by. Now to deal with this
                            >>> situation in the future I would like to automatically lock down an
                            >>> account if an unusual amount of mails are sent like 60 per minute or so.
                            >>> I could though not figure out if postfix is able to do this or how to
                            >>> get this done. Any ideas?
                            >> Welcome to the club.
                            >> I had an account get compromised on Christmas Day and got my server
                            >> blacklisted. Changed the password.
                            >>
                            >> Now in my dovecot logs I see login for this account from various IP
                            >> addresses
                            >> in Russia and the former Soviet republics. These seem to be from some
                            >> sort of
                            >> botnet as they come in bursts from different IP addresses. I have been
                            >> adding
                            >> the CIDRs for these networks to my firewall as they show up.
                            >>
                            >> I am not a mail guy, but I find knowing how to use a firewall comes in
                            >> handy.
                            >>
                            > I use fail2ban to block bots trying to guess passwords. Any IP that
                            > enters a wrong password more than a certain number of time is banned for
                            > 10 minutes. Any such IP that gets banned too much this way gets banned
                            > for a week.
                            >
                            > I get attempts from pretty much all over the world (US, Europe, Russia,
                            > China, India, ....)

                            Hacked accounts are mostly not based on password brute-force attacks
                            (but I agree fail2ban is good to fight it); it's easier to infect some
                            unpatched/undefended Windows client, or phish the password over unencrypted
                            connections over WLAN etc., i.e. with tablets, smartphones.


                            Best Regards
                            MfG Robert Schetterer

                            --
                            [*] sys4 AG

                            http://sys4.de, +49 (89) 30 90 46 64
                            Franziskanerstraße 15, 81669 München

                            Registered office: München, District Court München: HRB 199263
                            Management Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
                            Chairman of the Supervisory Board: Florian Kirstein
                          • Mike McGinn
                            Message 13 of 14, Jan 6, 2014
                              On Monday, January 06, 2014 11:40:02 postfix@... wrote:
                              > On 1/6/2014 5:32 PM, Mike McGinn wrote:
                              > > On Monday, January 06, 2014 10:12:38 Roland Plüss wrote:
                              > >> A couple of days ago my mail server got attacked by a spammer. As it
                              > >> looks like he managed to compromise the password of one of the users on
                              > >> the system and SASL authenticated using the account to send spam. I
                              > >> blocked the attacking IP and changed the password of the affected user.
                              > >> Still the spammer managed to send out quite a lot of mails because due
                              > >> to permit_sasl_authenticated letting him pass by. Now to deal with this
                              > >> situation in the future I would like to automatically lock down an
                              > >> account if an unusual amount of mails are sent like 60 per minute or so.
                              > >> I could though not figure out if postfix is able to do this or how to
                              > >> get this done. Any ideas?
                              > >
                              > > Welcome to the club.
                              > > I had an account get compromised on Christmas Day and got my server
                              > > blacklisted. Changed the password.
                              > >
                              > > Now in my dovecot logs I see login for this account from various IP
                              > > addresses in Russia and the former Soviet republics. These seem to be
                              > > from some sort of botnet as they come in bursts from different IP
                              > > addresses. I have been adding the CIDRs for these networks to my
                              > > firewall as they show up.
                              > >
                              > > I am not a mail guy, but I find knowing how to use a firewall comes in
                              > > handy.
                              >
                              > I use fail2ban to block bots trying to guess passwords. Any IP that
                              > enters a wrong password more than a certain number of time is banned for
                              > 10 minutes. Any such IP that gets banned too much this way gets banned
                              > for a week.
                              >
                              > I get attempts from pretty much all over the world (US, Europe, Russia,
                              > China, India, ....)

                              I do not think that would work in this case. Here is a log segment:

                              Jan 06 15:39:54 auth-worker: Info: sql(XXXX@...,178.125.1.161): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:39:56 auth-worker: Info: sql(XXXX@...,92.112.9.115): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:40:02 auth-worker: Info: sql(XXXX@...,95.54.109.61): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:40:09 auth-worker: Info: sql(XXXX@...,176.36.143.102): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:40:09 auth-worker: Info: sql(XXXX@...,91.243.244.178): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:40:13 auth-worker: Info: sql(XXXX@...,178.125.123.37): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:40:17 auth-worker: Info: sql(XXXX@...,27.51.141.237): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:40:26 auth-worker: Info: sql(XXXX@...,178.159.84.173): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:40:30 auth-worker: Info: sql(XXXX@...,81.25.41.8): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:40:31 auth-worker: Info: sql(XXXX@...,81.190.37.211): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:40:36 auth-worker: Info: sql(XXXX@...,88.135.234.151): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:40:38 auth-worker: Info: sql(XXXX@...,92.47.194.87): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:40:40 auth-worker: Info: sql(XXXX@...,87.119.36.222): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:40:46 auth-worker: Info: sql(XXXX@...,109.254.192.87): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:40:50 auth-worker: Info: sql(XXXX@...,37.45.187.140): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:40:54 auth-worker: Info: sql(XXXX@...,5.199.239.94): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:41:00 auth-worker: Info: sql(XXXX@...,95.68.168.185): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:41:06 auth-worker: Info: sql(XXXX@...,93.89.218.239): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 06 15:41:12 auth-worker: Info: sql(XXXX@...,178.123.34.42): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
                              Jan 07 15:41:19 auth-worker: Info: sql(XXXX@...,95.81.253.200): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)


                              --
                              Mike McGinn KD2CNU
                              Ex Uno Plurima
                              No electrons were harmed in sending this message, some were inconvenienced.
                              ** Registered Linux User 377849
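The log segment above shows why a per-IP ban rule misses this pattern: every line carries the same SHA1 of the guessed password, but each attempt comes from a different source address, so no single IP ever reaches a fail2ban threshold. The following is an added example, not code from the thread or from fail2ban, that parses dovecot auth-worker "Password mismatch" lines in the format posted above and keys the count on (account, password hash) with a set of distinct source IPs instead of on the IP alone. The sample log, the account names, the documentation-range IPs (198.51.100.x, 203.0.113.x), the second hash value and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dovecot auth-worker failure line in the shape posted in the thread.
# The syslog timestamp has no year, so one is supplied when parsing.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) auth-worker: Info: '
    r'sql\((?P<user>[^,]+),(?P<ip>[\d.]+)\): Password mismatch '
    r'\(SHA1 of given password: (?P<sha1>[0-9a-f]{40})\)$'
)

# Constructed sample input (not real traffic). CAMPAIGN_SHA1 is the hash value
# from the posted log; OTHER_SHA1 and all addresses are made up for the example.
CAMPAIGN_SHA1 = "0a5e6fada9ce9f46726e7469f3c8c19bca7156d5"   # same guess from every bot
OTHER_SHA1 = "ffffffffffffffffffffffffffffffffffffffff"      # a lone host guessing something else
SAMPLE_LOG = f"""\
Jan 06 15:39:54 auth-worker: Info: sql(victim@example.com,198.51.100.11): Password mismatch (SHA1 of given password: {CAMPAIGN_SHA1})
Jan 06 15:39:56 auth-worker: Info: sql(victim@example.com,198.51.100.12): Password mismatch (SHA1 of given password: {CAMPAIGN_SHA1})
Jan 06 15:40:02 auth-worker: Info: sql(victim@example.com,198.51.100.13): Password mismatch (SHA1 of given password: {CAMPAIGN_SHA1})
Jan 06 15:40:09 auth-worker: Info: sql(victim@example.com,198.51.100.14): Password mismatch (SHA1 of given password: {CAMPAIGN_SHA1})
Jan 06 15:40:13 auth-worker: Info: sql(victim@example.com,198.51.100.15): Password mismatch (SHA1 of given password: {CAMPAIGN_SHA1})
Jan 06 15:40:17 auth-worker: Info: sql(victim@example.com,198.51.100.16): Password mismatch (SHA1 of given password: {CAMPAIGN_SHA1})
Jan 06 15:40:20 auth-worker: Info: sql(other@example.com,203.0.113.9): Password mismatch (SHA1 of given password: {OTHER_SHA1})
Jan 06 15:40:21 auth-worker: Info: sql(other@example.com,203.0.113.9): Password mismatch (SHA1 of given password: {OTHER_SHA1})
Jan 06 15:40:22 auth-worker: Info: sql(other@example.com,203.0.113.9): Password mismatch (SHA1 of given password: {OTHER_SHA1})
Jan 06 15:40:26 auth-worker: Info: sql(victim@example.com,198.51.100.17): Password mismatch (SHA1 of given password: {CAMPAIGN_SHA1})
Jan 06 15:40:30 auth-worker: Info: sql(victim@example.com,198.51.100.18): Password mismatch (SHA1 of given password: {CAMPAIGN_SHA1})
"""


def parse_line(line, year=2014):
    """Return a dict for one auth-worker failure line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "sha1": m["sha1"]}


def per_ip_failures(events):
    """Failures per source IP: the view a fail2ban-style rule works from."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return dict(counts)


def distributed_attempts(events, window=timedelta(minutes=5), min_ips=5):
    """Return {(user, sha1): set_of_ips} for every account that received the same
    wrong password from at least `min_ips` distinct IPs inside a sliding `window`."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["user"], e["sha1"])].append(e)
    hits = {}
    for key, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start..end] spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ips = {e["ip"] for e in evs[start:end + 1]}
            if len(ips) >= min_ips:
                hits[key] = hits.get(key, set()) | ips
    return hits


def analyze(log_text, per_ip_threshold=3, window=timedelta(minutes=5), min_ips=5):
    """Contrast the two views over one log: which IPs a per-IP rule would ban,
    and which (account, password-hash) campaigns only the per-account view reveals."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    per_ip = per_ip_failures(events)
    return {
        "events": len(events),
        "per_ip": per_ip,
        "fail2ban_would_ban": sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold),
        "campaigns": distributed_attempts(events, window, min_ips),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("per-IP bans:", result["fail2ban_would_ban"])
    for (user, sha1), ips in result["campaigns"].items():
        print(f"{user}: same wrong password ({sha1[:8]}...) from {len(ips)} IPs: {sorted(ips)}")
```

On the constructed sample the per-IP view bans only the single host that hammered one account three times, while the eight-address campaign against the other account never trips it; the per-account view reports that campaign with the full IP set, which is what an operator would feed into a firewall block list or use as the trigger to disable the account. The window and thresholds are assumptions to tune against real traffic.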
                            • Julio Cesar Covolato
                              Message 14 of 14 , Jan 6, 2014
                                Em 06/01/2014 13:12, Roland Plüss escreveu:
                                > A couple of days ago my mail server got attacked by a spammer. As it
                                > looks like he managed to compromise the password of one of the users on
                                > the system and SASL authenticated using the account to send spam. I
                                > blocked the attacking IP and changed the password of the affected user.
                                > Still the spammer managed to send out quite a lot of mails because due
                                > to permit_sasl_authenticated letting him pass by. Now to deal with this
                                > situation in the future I would like to automatically lock down an
                                > account if an unusual amount of mails are sent like 60 per minute or so.
                                > I could though not figure out if postfix is able to do this or how to
                                > get this done. Any ideas?
                                >
                                Hi Roland,
                                Maybe you can check this script:
                                http://www.psi.com.br/~julio/postfix/sasl-killer.sh

                                Regards,

                                -----------------------------
                                _ Engº Julio Cesar Covolato
                                0v0 <julio@...>
                                /(_)\ F: 55-11-3129-3366
                                ^ ^ PSI INTERNET
                                -----------------------------