I have an outgoing-only mail server for our customers called
smtp.lightlink.com. It only allows relaying from local IPs,
and known virtual domains if remote users wish to use it.
We were fine when we were running pop before smtp authentication, but
I was forced to also allow SASL authentication.
More and more people are having their passwords compromised. I have no
idea how it happens; one person had it compromised twice in one day after
I changed it the first time.
There are no false tries on the user account until the spam starts
coming in with the correct password; then it's 64,000 pieces of mail
forever and ever until I stop it.
So one, how are passwords being compromised without brute force
attacks showing up on the server?
What do I do to catch this in the bud?
1.) I have a barracuda which I could use as a smart out-going host
from smtp.lightlink.com.
It will quarantine and rate limit, but it won't tell me what's going
on unless I look, it won't stop the spam, and it blocks and cannot handle
those that wish to send large mailings legitimately through
smtp.lightlink.com. It just clogs up and slows WAY down. Besides, I hate
barracuda.
3.) Are there ways in postfix to detect the abuse, and close
the account? Or what? White papers? Pointers to RTFM?
4.) Perl, write my own perl code and count the SASLs coming in and
lock the account when it does something stupid?
It's happening about once or twice a month now and our mail
server usually gets blacklisted every time it does.
Thanks in advance,
Homer W Smith
CEO Lightlink, aka still a stupid newbie after 20 years...
------------------------------------------------------------------------
Homer Wilson Smith Clean Air, Clear Water, Art Matrix - Lightlink
(607) 277-0959 A Green Earth, and Peace, Internet, Ithaca NY
ho...@lightlink.com Is that too much to ask? http://www.lightlink.com
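One way to do the counting the post asks about in item 4, as an added example (Python rather than Perl; not the poster's code and not part of Postfix): it parses the sasl_username lines that Postfix smtpd writes for authenticated submissions and flags any account whose submissions within a short window, or whose number of distinct client IPs, exceeds a limit. The sample log lines, the thresholds and the log year are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Postfix smtpd lines (not from the original post): alice submits a few
# messages from one address; bob's credential is used from many client IPs in quick succession.
SAMPLE_LOG = """\
Mar  3 09:00:01 smtp postfix/smtpd[1201]: 1A2B3C4D5E: client=dsl-1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Mar  3 09:40:12 smtp postfix/smtpd[1201]: 2B3C4D5E6F: client=dsl-1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Mar  3 10:00:00 smtp postfix/smtpd[1310]: 3C4D5E6F70: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob
Mar  3 10:00:03 smtp postfix/smtpd[1311]: 4D5E6F7081: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=bob
Mar  3 10:00:05 smtp postfix/smtpd[1312]: 5E6F708192: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob
Mar  3 10:00:09 smtp postfix/smtpd[1313]: 6F708192A3: client=unknown[198.51.100.78], sasl_method=LOGIN, sasl_username=bob
Mar  3 10:00:11 smtp postfix/smtpd[1314]: 708192A3B4: client=unknown[203.0.113.12], sasl_method=LOGIN, sasl_username=bob
Mar  3 10:00:14 smtp postfix/smtpd[1315]: 8192A3B4C5: client=unknown[198.51.100.80], sasl_method=LOGIN, sasl_username=bob
Mar  3 10:05:00 smtp postfix/smtpd[1201]: 92A3B4C5D6: client=dsl-1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
"""

# Matches the client= line Postfix smtpd logs for an authenticated submission.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)"
)

def parse_sasl_events(log_text, year=2024):
    """Yield (timestamp, user, client_ip) for each authenticated submission."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unauthenticated or unrelated smtpd lines are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
            yield ts, m["user"], m["ip"]

def find_abused_accounts(log_text, window=timedelta(minutes=10), max_msgs=5, max_ips=2):
    """Return {user: (peak_msgs_in_window, distinct_ips)} for accounts over either limit."""
    per_user = defaultdict(list)
    for ts, user, ip in parse_sasl_events(log_text):
        per_user[user].append((ts, ip))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        recent, peak = deque(), 0
        for ts, _ in events:  # sliding window over submission times
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        ips = {ip for _, ip in events}
        if peak > max_msgs or len(ips) > max_ips:
            flagged[user] = (peak, len(ips))
    return flagged
```

Running find_abused_accounts over a tail of the live mail log on a timer, and feeding flagged users to whatever disables the account, is the loop the post describes; the thresholds need tuning so that legitimate bulk senders on one IP stay below the window limit.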