On 06.01.2014 17:45, Simon B wrote:
>
> On 6 Jan 2014 17:41, <post...@pupat-ghestem.net> wrote:
>>
>> On 1/6/2014 5:32 PM, Mike McGinn wrote:
>>>
>>> On Monday, January 06, 2014 10:12:38 Roland Plüss wrote:
>>>>
>>>> A couple of days ago my mail server got attacked by a spammer. As it
>>>> looks like he managed to compromise the password of one of the users on
>>>> the system and SASL authenticated using the account to send spam. I
>>>> blocked the attacking IP and changed the password of the affected user.
>>>> Still the spammer managed to send out quite a lot of mails because of
>>>> permit_sasl_authenticated letting him pass by. Now to deal with this
>>>> situation in the future I would like to automatically lock down an
>>>> account if an unusual amount of mails is sent, like 60 per minute or so.
>>>> I could though not figure out if postfix is able to do this or how to
>>>> get this done. Any ideas?
>>>
>>> Welcome to the club.
>>> I had an account get compromised on Christmas Day and got my server
>>> blacklisted. Changed the password.
>>>
>>> Now in my dovecot logs I see logins for this account from various IP
>>> addresses in Russia and the former Soviet republics. These seem to be
>>> from some sort of botnet as they come in bursts from different IP
>>> addresses. I have been adding the CIDRs for these networks to my
>>> firewall as they show up.
>>>
>>> I am not a mail guy, but I find knowing how to use a firewall comes
>>> in handy.
>>>
>> I use fail2ban to block bots trying to guess passwords. Any IP that
>> enters a wrong password more than a certain number of times is banned
>> for 10 minutes. Any such IP that gets banned too much this way gets
>> banned for a week.
>>
>> I get attempts from pretty much all over the world (US, Europe,
>> Russia, China, India, ....)
>
> Lately I've seen botnets get wise to this.
>
> I have one from Comcast that makes one attempt every 35 minutes. Which
> means it never gets blocked.
> But it will also take him millions of years to get lucky...
>
> Simon
>
Off topic, my last GeoIP spambot analysis:
http://sys4.de/de/blog/2014/01/05/spambot-auswertung-mit-geoip/
and my blocking method:
http://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/
Sorry, German only, but how it works should be understandable anyway.

Best Regards
Robert Schetterer

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
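Roland's 60-per-minute rule can at least be detected from the smtpd log before any lockdown is scripted. The following is an added example, not code from this thread, from Postfix or from the linked sys4 posts: it counts SASL-authenticated sessions per user over a sliding one-minute window on constructed sample log lines (the Postfix log layout, usernames and IP addresses are assumed).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line shape postfix/smtpd logs for a SASL-authenticated client (assumed from the
# usual Postfix 2.x layout; adjust the pattern if your version orders fields differently).
SASL_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+, sasl_method=\w+, sasl_username=(?P<user>\S+)"
)

def find_abusers(lines, limit=60, window=60):
    """Return {user: peak} for every SASL user whose authenticated sessions
    exceeded `limit` inside any sliding `window` of seconds; `peak` is the
    highest in-window count observed (the thread's 60-per-minute rule)."""
    recent = defaultdict(deque)          # user -> timestamps still inside the window
    peak = {}
    for line in lines:
        m = SASL_LINE.search(line)
        if not m:
            continue                     # not a SASL login line, ignore it
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog stamps carry no year
        q = recent[m["user"]]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window):
            q.popleft()                  # forget sessions that fell out of the window
        if len(q) > limit:
            peak[m["user"]] = max(peak.get(m["user"], 0), len(q))
    return peak

def build_sample():
    """Constructed log: 'alice' (the compromised account) authenticates once a
    second for 70 s, 'bob' ten times; stamps use the syslog 'Jan  6' layout."""
    base = datetime(2014, 1, 6, 10, 12, 0)
    lines = []
    for user, ip, n in (("alice", "203.0.113.5", 70), ("bob", "198.51.100.9", 10)):
        for i in range(n):
            t = base + timedelta(seconds=i)
            stamp = f"{t:%b} {t.day:2d} {t:%H:%M:%S}"
            lines.append(f"{stamp} mail postfix/smtpd[4711]: {i:06X}: client=unknown[{ip}], "
                         f"sasl_method=PLAIN, sasl_username={user}")
    return lines

if __name__ == "__main__":
    for user, count in find_abusers(build_sample()).items():
        print(f"{user}: {count} SASL sessions inside one minute, over the limit")
```

Feeding the same function `tail -F` output and acting on a hit (for example disabling the account in the SASL backend) is the lockdown step the thread asks for; the detection threshold and window are the two knobs to tune.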