> I have an outgoing-only mail server for our customers called
> smtp.lightlink.com. It only allows relaying from local IPs,
> and known virtual domains if remote users wish to use it.
>
> We were fine when we were running pop-before-smtp authentication, but
> I was forced to also allow SASL authentication.
>
> More and more people are having their passwords compromised. I have no
> idea how it happens; one person had it compromised twice in one day after
> I changed it the first time.
>
> There are no false tries on the user account until the spam starts
> coming in with the correct password, then it's 64,000 pieces of mail
> forever and ever until I stop it.
>
> So one, how are passwords being compromised without brute force
> attacks showing up on the server?
>
> What do I do to catch this in the bud?
>
> 1.) I have a barracuda which I could use as a smart outgoing host
> from smtp.lightlink.com.
>
> It will quarantine and rate limit, but it won't tell me what's going
> on unless I look, it won't stop the spam, and it blocks and cannot handle
> those that wish to send large mailings legitimately through
> smtp.lightlink.com. It just clogs up and slows WAY down. Besides, I hate
> barracuda.
>
> 3.) Are there ways in postfix to detect the abuse and close
> the account? Or what? White papers? Pointers to RTFM?
>
> 4.) Perl, write my own perl code and count the SASL's coming in and
> lock the account when it does something stupid?
>
> It's happening about once or twice a month now and our mail
> server usually gets blacklisted every time it does.
Hi Homer, we are sometimes having similar troubles, and we found out that compromised accounts are usually owned by fools who send their login and password directly to spammers. You must have seen those stupid e-mails asking for your login information on behalf of 'your administrator'. And yes, there really are people who send their login information :) I was shocked when I saw this for the first time in our environment.

You can do several things to stop spam from being sent by your server:

1.) Implement rate limits (for example, 100 messages per 10 minutes).

2.) Allow only logins from your country by default (use geoip for this).

3.) Allow only correct sender addresses - for example, if someone logs in as u...@example.com, allow him to send messages only from u...@example.com or the domain @example.com or so. This will really help you to track and block problematic users.

azur
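As an added example (not code from anyone in this thread), a small Python scan over Postfix smtpd/qmgr log lines that turns azur's points 1 and 3 into detection: it flags a sasl_username that exceeds 100 messages in a sliding ten-minute window, and flags a queue id whose qmgr `from=<>` sender neither equals the sasl_username nor shares its domain. The log lines, hostnames, IPs and accounts are constructed for the example; the regular expressions assume the standard Postfix log format for `client=... sasl_username=` and `from=<...>` lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

RATE_LIMIT = 100    # azur's example: 100 messages per 10 minutes
WINDOW_SECS = 600

# smtpd logs the authenticated user; qmgr logs the envelope sender under the same queue id
SASL_RE = re.compile(r'^(\w{3} +\d+ [\d:]+) \S+ postfix/smtpd\[\d+\]: (\w+): client=.*sasl_username=(\S+)')
FROM_RE = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>')

def parse_ts(stamp):
    # syslog stamps carry no year; a fixed year is fine because only differences are used
    return datetime.strptime('2024 ' + stamp, '%Y %b %d %H:%M:%S')

def sender_allowed(login, sender):
    """Point 3 above: the envelope sender must equal the login or share its domain."""
    login, sender = login.lower(), sender.lower()
    return sender == login or ('@' in login and sender.endswith('@' + login.split('@', 1)[1]))

def scan(lines, limit=RATE_LIMIT, window=WINDOW_SECS):
    """Return (accounts over the rate limit, list of (login, sender) mismatches)."""
    queue_login = {}              # queue id -> sasl_username
    recent = defaultdict(deque)   # sasl_username -> timestamps inside the sliding window
    over_rate, mismatches = set(), []
    for line in lines:
        m = SASL_RE.match(line)
        if m:
            ts, qid, login = parse_ts(m[1]), m[2], m[3]
            queue_login[qid] = login
            q = recent[login]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:   # drop stamps older than the window
                q.popleft()
            if len(q) > limit:
                over_rate.add(login)
            continue
        m = FROM_RE.match(line)
        if m and m[1] in queue_login and not sender_allowed(queue_login[m[1]], m[2]):
            mismatches.append((queue_login[m[1]], m[2]))
    return over_rate, mismatches

def constructed_log():
    """Constructed sample: 120 messages in four minutes from bob, a sender mismatch from carol, a normal alice."""
    lines = [f'Mar 12 09:{i // 30:02d}:{i % 30 * 2:02d} mx postfix/smtpd[4242]: Q{i:04X}: '
             f'client=host[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com' for i in range(120)]
    lines += ['Mar 12 09:05:00 mx postfix/smtpd[4243]: QAAA1: client=host[203.0.113.9], sasl_method=LOGIN, sasl_username=carol@example.com',
              'Mar 12 09:05:01 mx postfix/qmgr[100]: QAAA1: from=<promo@spam.example>, size=2048, nrcpt=40 (queue active)',
              'Mar 12 09:06:00 mx postfix/smtpd[4244]: QAAA2: client=host[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com',
              'Mar 12 09:06:01 mx postfix/qmgr[100]: QAAA2: from=<alice@example.com>, size=512, nrcpt=1 (queue active)']
    return lines
```

Run `scan()` over `/var/log/mail.log` lines (or a `tail -F` of it) and feed the flagged accounts into whatever lockout you already use; the same two rules can be enforced in Postfix itself with `reject_sender_login_mismatch` and a rate-limiting policy service.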