Cassidy Larson:
> We had an incident today where we had a user with a compromised
> machine. Their email/pass made it back to some botnet which proceeded
> to SASL auth to our mail servers and send numerous spam messages from
> many different hosts. The spamming hosts didn't trigger our
> smtpd_client_recipient_rate_limit setting, because of the many
> different hosts (all with the same SASL user authenticated) that they
> used.
>
> This got me wondering if there's any easy way to have anvil report
> stats based on the authenticated SASL username, in addition to the
> remote IP address?
Not at the moment, but a policy daemon could notice that (too) many
connections use the same sasl_username attribute value.

> This would help me prevent/monitor potential addresses that are being
> used by a botnet system to relay mails through my mail server.
>
> Or even better if there was a way to make a similar feature like the
> "smtpd_client_recipient_rate_limit" setting that'd
> match/restrict/prevent based on the authenticated SASL username?
>
> Thoughts? Suggestions?

Maybe a good idea. This would hook into the AUTH command and after
successful AUTH, do an anvil query for the sasl_username value. It's
not a lot of code, but I don't have a lot of time, either.

	Wietse
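The policy-daemon workaround Wietse mentions, as an added example that is not part of the original thread and not Postfix code: a minimal SMTPD access policy service that counts RCPT commands per sasl_username across all client IPs in a sliding window and answers defer_if_permit once a user exceeds the limit, which is the per-user analogue of smtpd_client_recipient_rate_limit. It speaks the attribute=value / blank-line protocol documented in SMTPD_POLICY_README and would be wired in with check_policy_service in smtpd_recipient_restrictions; the limit, window, listening port and sample requests are constructed for illustration, and because Postfix consults policy services at RCPT time rather than at AUTH, the count is of recipients, not of AUTH commands.

```python
"""Per-SASL-user recipient rate limit as a Postfix SMTPD policy service.

Hypothetical main.cf wiring (the restriction must come before
permit_sasl_authenticated so that defer_if_permit takes effect):

    smtpd_recipient_restrictions =
        permit_mynetworks,
        check_policy_service inet:127.0.0.1:10040,
        permit_sasl_authenticated,
        reject_unauth_destination
"""
import socketserver
import time
from collections import defaultdict, deque

# Illustrative thresholds; tune to the site's real sending patterns.
MAX_RCPT_PER_WINDOW = 100
WINDOW_SECONDS = 60
LISTEN_ADDR = ("127.0.0.1", 10040)  # assumed port, matches the main.cf comment


class SaslRateLimiter:
    """Sliding-window counter keyed on the SASL login name, not the client IP."""

    def __init__(self, limit=MAX_RCPT_PER_WINDOW, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = defaultdict(deque)  # sasl_username -> timestamps of recent RCPTs

    def record(self, user, now=None):
        """Record one recipient for `user`; return how many fall inside the window."""
        now = self.clock() if now is None else now
        q = self._events[user]
        q.append(now)
        cutoff = now - self.window
        while q and q[0] < cutoff:  # age out events older than the window
            q.popleft()
        return len(q)


def parse_policy_request(lines):
    """Turn the attribute=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        if "=" in line:
            key, value = line.split("=", 1)
            attrs[key] = value
    return attrs


def decide(attrs, limiter, now=None):
    """Return the Postfix access action for one policy request."""
    user = attrs.get("sasl_username", "")
    if not user:
        return "dunno"  # unauthenticated client: leave it to anvil / other restrictions
    count = limiter.record(user, now)
    if count > limiter.limit:
        # defer_if_permit: reject only if the remaining restrictions would permit.
        return f"defer_if_permit Too many recipients for SASL user {user}, try again later"
    return "dunno"


LIMITER = SaslRateLimiter()


class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection; Postfix may send many requests, each ended by a blank line."""

    def handle(self):
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return  # Postfix closed the connection
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break  # end of one request
                lines.append(line)
            action = decide(parse_policy_request(lines), LIMITER)
            self.wfile.write(f"action={action}\n\n".encode())
            self.wfile.flush()


def demo():
    """Constructed botnet pattern: one SASL user, four source IPs, small limit."""
    limiter = SaslRateLimiter(limit=3, window=60)
    base = ["request=smtpd_access_policy", "protocol_state=RCPT",
            "sasl_username=alice", "recipient=victim@example.org"]
    actions = []
    for i, ip in enumerate(["203.0.113.7", "198.51.100.9", "192.0.2.33", "203.0.113.250"]):
        attrs = parse_policy_request(base + [f"client_address={ip}"])
        actions.append(decide(attrs, limiter, now=100.0 + i))
    return actions  # three "dunno", then a defer_if_permit from the fourth IP


if __name__ == "__main__":
    print(demo())
    with socketserver.ThreadingTCPServer(LISTEN_ADDR, PolicyHandler) as srv:
        srv.serve_forever()
```

The limiter is keyed on sasl_username only, so distributing the sends across many source addresses, as in the incident described above, no longer helps the spammer; anvil's per-client limits still apply on top.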