On 15/04/10 17:28, Ignacio García wrote:
> The way I think this could be solved is by having a program that:
>
> 1.- Checks the logs for authenticated smtp usage and saves
> smtp_authenticated_user, originating IPs, and country, which is
> discovered using ip geolocation.
> 2.- During the following minutes, if IP from same authenticated user
> is different, then geolocate new IP, and if country is also different
> then set it as possible credential theft.
> 3.- If Step 2 repeats a few times in a few minutes (or even worse, if a
> third country is detected), then we sure have stolen credentials.
> 4.- Add smtp_authenticated_user to a blacklist, could add a simple
> header_checks entry to reject messages with smtp_authenticated_user
> header. That way account is still active and able to receive messages.
> However, outbound messaging is disabled.
> 5.- We could use a granular scoring system. For instance, we are in
> Spain, and 99.9% of our customers are in Spain. So, even if many
> different IPs are used in a short period of time, but all originate in
> Spain, it's fair to assume this person may be having connectivity
> problems or several devices connected (computer, 3g phone, pda) and
> running at the same time, so we cut them some slack :)
>
> We are already brainstorming this. However, we are good sysadmins
> but I cannot say the same about complex programming. We'll see what
> happens.
>
> Regards,
>
> Ignacio
Ignacio,
I've been using cbpolicyd to do rate limiting on the submission port, not
because I want to rate limit legitimate users, but to protect against
stolen credentials.
The approach of scanning the logfile that you outline, though not real
time like cbpolicyd, would be almost as good if run often enough so that
the window in which spam could leak out was small.

So I have made a prototype (sorry but it's php not perl) that can parse
log files and write postfix access files. It does not do all you wanted;
for example the part about country lookups, though feasible, would not
catch the case of stolen credentials from ips within the same country. I
have only implemented two limits: a limit on the number of authentications
within a certain time frame and a limit on the number of different ips for
a single user in the time frame. If either limit is reached then the IP
is blacklisted in an access file. Maybe it is useful or you could
extend it for your needs.

http://www.gufonero.com/postfix/check_auth_log_0.1.tgz

After customizing file locations and limits, you can schedule the script
to run from cron, but you need to also include the postmap of the access
file (make -f check_auth_log_makefile all) afterwards. It assumes
you use hash access files. An update of main.cf / master.cf is needed to
add in the check of the access map, e.g. for the submission port. You'd
probably also want a whitelist access file in front of this to opt
certain heavy users out of the check.
regards,
John
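The detection logic both messages describe (Ignacio's outline of scanning
the log for authenticated SMTP sessions and John's two limits, authentications
per time window and distinct client IPs per user, plus a whitelist to opt
heavy users out), as an added example for this thread. It is not John's PHP
prototype from the link above and not Postfix's own code; it is written in
Python, parses the standard "client=host[ip], ... sasl_username=" line that
postfix/smtpd logs for an authenticated session, and runs over constructed
sample lines. The year (syslog timestamps carry none), the thresholds, the
whitelist and the check_sasl_access table (a Postfix 2.11+ feature, so an
assumption beyond this 2010 thread) are all placeholders to customize. The
country check from the outline is not implemented; it would slot in beside the
distinct-IP check.

```python
"""Flag stolen submission credentials from Postfix smtpd SASL log lines.

Added example for the thread; not John's prototype and not Postfix code.
Assumes the standard postfix/smtpd line for an authenticated client; the
sample log below is constructed, and year/thresholds/whitelist are placeholders.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One such line is logged per authenticated SMTP session (standard Postfix format).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\],.*sasl_username=(?P<user>\S+)$"
)


def parse_line(line, year=2010):
    """Return (timestamp, client_ip, sasl_user) for an authenticated-session line,
    or None for anything else (connect/disconnect lines, unauthenticated mail).
    syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LOG_RE.match(line.rstrip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def find_abuse(lines, window=timedelta(minutes=10), max_auths=30, max_ips=3,
               whitelist=()):
    """Per-user sliding window: flag more than `max_auths` authentications, or
    more than `max_ips` distinct client IPs, inside `window`. Users in
    `whitelist` are never flagged (the opt-out for legitimate heavy users).
    Returns {sasl_user: (reason, {client IPs seen in the window})}."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, ip), oldest first
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, user = rec
        if user in whitelist:
            continue
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:  # expire events that fell out of the window
            q.popleft()
        ips = {seen_ip for _, seen_ip in q}
        if len(q) > max_auths:
            flagged[user] = ("too many logins", ips)
        elif len(ips) > max_ips:
            flagged[user] = ("too many client IPs", ips)
    return flagged


def render_access_maps(flagged):
    """Return (by_user, by_ip): text for two Postfix access tables.
    by_ip is keyed by client address for check_client_access (what the thread's
    prototype writes); by_user is keyed by login name for check_sasl_access
    (Postfix 2.11+, assumed), so the account still receives mail but cannot
    submit. Both need postmap before Postfix reads them (hash: tables assumed)."""
    by_user = "".join(f"{user}\tREJECT submission disabled: {reason}\n"
                      for user, (reason, _) in sorted(flagged.items()))
    ips = sorted({ip for _, seen in flagged.values() for ip in seen})
    by_ip = "".join(f"{ip}\tREJECT submission disabled\n" for ip in ips)
    return by_user, by_ip


# Constructed sample log (documentation addresses only, not real traffic).
SAMPLE_LOG = [
    # alice: normal user, one IP, two sessions
    "Apr 15 17:20:01 mx postfix/smtpd[1234]: 1A2B3C4D5E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com",
    "Apr 15 17:25:30 mx postfix/smtpd[1234]: 2B3C4D5E6F: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com",
    # bob: the same login used from four client IPs within four minutes
    "Apr 15 17:21:00 mx postfix/smtpd[1235]: 3C4D5E6F7A: client=unknown[198.51.100.10], sasl_method=LOGIN, sasl_username=bob@example.com",
    "Apr 15 17:22:00 mx postfix/smtpd[1236]: 4D5E6F7A8B: client=unknown[198.51.100.44], sasl_method=LOGIN, sasl_username=bob@example.com",
    "Apr 15 17:23:00 mx postfix/smtpd[1237]: 5E6F7A8B9C: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=bob@example.com",
    "Apr 15 17:24:00 mx postfix/smtpd[1238]: 6F7A8B9C0D: client=unknown[192.0.2.200], sasl_method=LOGIN, sasl_username=bob@example.com",
    # unauthenticated connection lines, which the parser must ignore
    "Apr 15 17:24:30 mx postfix/smtpd[1239]: connect from unknown[192.0.2.9]",
    "Apr 15 17:24:31 mx postfix/smtpd[1239]: disconnect from unknown[192.0.2.9]",
]
# carol: one IP, 40 sessions in four minutes (a bot draining a stolen password)
SAMPLE_LOG += [
    f"Apr 15 17:3{i // 10}:{(i % 10) * 6:02d} mx postfix/smtpd[1300]: 7A8B9C0D{i:02d}: "
    f"client=unknown[203.0.113.99], sasl_method=PLAIN, sasl_username=carol@example.com"
    for i in range(40)
]

if __name__ == "__main__":
    hits = find_abuse(SAMPLE_LOG, whitelist={"alice@example.com"})
    by_user, by_ip = render_access_maps(hits)
    print(by_user)
    print(by_ip)
```

Run from cron the way John describes: feed it the current mail log, write the
two tables, postmap them, and reference the IP table from the submission
port's smtpd_client_restrictions with a whitelist map checked first. The
sliding window means a user who trips a limit is reported with every client
IP seen in that window, so the IP table blocks the whole set at once.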
