On Monday, January 06, 2014 11:40:02 post...@pupat-ghestem.net wrote:
> On 1/6/2014 5:32 PM, Mike McGinn wrote:
> > On Monday, January 06, 2014 10:12:38 Roland Plüss wrote:
> >> A couple of days ago my mail server got attacked by a spammer. As it
> >> looks like he managed to compromise the password of one of the users on
> >> the system and SASL authenticated using the account to send spam. I
> >> blocked the attacking IP and changed the password of the affected user.
> >> Still the spammer managed to send out quite a lot of mails because
> >> permit_sasl_authenticated let him pass. Now to deal with this
> >> situation in the future I would like to automatically lock down an
> >> account if an unusual number of mails is sent, like 60 per minute or so.
> >> I could though not figure out if postfix is able to do this or how to
> >> get this done. Any ideas?
> >
> > Welcome to the club.
> > I had an account get compromised on Christmas Day and got my server
> > blacklisted. Changed the password.
> >
> > Now in my dovecot logs I see logins for this account from various IP
> > addresses in Russia and the former Soviet republics. These seem to be
> > from some sort of botnet as they come in bursts from different IP
> > addresses. I have been adding the CIDRs for these networks to my
> > firewall as they show up.
> >
> > I am not a mail guy, but I find knowing how to use a firewall comes in
> > handy.
>
> I use fail2ban to block bots trying to guess passwords. Any IP that
> enters a wrong password more than a certain number of times is banned for
> 10 minutes. Any such IP that gets banned too much this way gets banned
> for a week.
>
> I get attempts from pretty much all over the world (US, Europe, Russia,
> China, India, ....)
I do not think that would work in this case. Here is a log segment:

Jan 06 15:39:54 auth-worker: Info: sql(x...@yyyy.com,178.125.1.161): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:39:56 auth-worker: Info: sql(x...@yyyy.com,92.112.9.115): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:02 auth-worker: Info: sql(x...@yyyy.com,95.54.109.61): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:09 auth-worker: Info: sql(x...@yyyy.com,176.36.143.102): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:09 auth-worker: Info: sql(x...@yyyy.com,91.243.244.178): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:13 auth-worker: Info: sql(x...@yyyy.com,178.125.123.37): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:17 auth-worker: Info: sql(x...@yyyy.com,27.51.141.237): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:26 auth-worker: Info: sql(x...@yyyy.com,178.159.84.173): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:30 auth-worker: Info: sql(x...@yyyy.com,81.25.41.8): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:31 auth-worker: Info: sql(x...@yyyy.com,81.190.37.211): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:36 auth-worker: Info: sql(x...@yyyy.com,88.135.234.151): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:38 auth-worker: Info: sql(x...@yyyy.com,92.47.194.87): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:40 auth-worker: Info: sql(x...@yyyy.com,87.119.36.222): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:46 auth-worker: Info: sql(x...@yyyy.com,109.254.192.87): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:50 auth-worker: Info: sql(x...@yyyy.com,37.45.187.140): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:54 auth-worker: Info: sql(x...@yyyy.com,5.199.239.94): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:41:00 auth-worker: Info: sql(x...@yyyy.com,95.68.168.185): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:41:06 auth-worker: Info: sql(x...@yyyy.com,93.89.218.239): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:41:12 auth-worker: Info: sql(x...@yyyy.com,178.123.34.42): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 07 15:41:19 auth-worker: Info: sql(x...@yyyy.com,95.81.253.200): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)

--
Mike McGinn KD2CNU
Ex Uno Plurima
No electrons were harmed in sending this message, some were inconvenienced.
** Registered Linux User 377849
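The log above shows why a per-IP fail2ban jail is the wrong tool for this case: every source address appears exactly once, so no address ever reaches a maxretry threshold, while the rejected password hash is identical in every line, which says the botnet is replaying the one leaked credential rather than guessing. The detector below is an added example written for this thread, not code posted by any participant; it keys on the account (and on the rejected hash) instead of the source address. It assumes the line layout quoted above, a year of 2014 (syslog timestamps carry none; taken from the thread date), and a constructed sample log whose users, addresses (RFC 5737 ranges) and hashes are made up.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the layout of the dovecot auth-worker lines quoted in
# the thread; users, addresses and hashes are made up.
#   victim@ : one wrong password, one attempt per source address (botnet replay)
#   other@  : five different wrong passwords from one address (classic brute force)
SAMPLE_LOG = """\
Jan 06 15:39:54 auth-worker: Info: sql(victim@example.com,198.51.100.1): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:39:56 auth-worker: Info: sql(victim@example.com,198.51.100.2): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:02 auth-worker: Info: sql(victim@example.com,203.0.113.7): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:09 auth-worker: Info: sql(victim@example.com,192.0.2.33): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:17 auth-worker: Info: sql(victim@example.com,203.0.113.9): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:30 auth-worker: Info: sql(victim@example.com,192.0.2.44): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 16:10:00 auth-worker: Info: sql(other@example.com,198.51.100.250): Password mismatch (SHA1 of given password: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8)
Jan 06 16:10:01 auth-worker: Info: sql(other@example.com,198.51.100.250): Password mismatch (SHA1 of given password: da39a3ee5e6b4b0d3255bfef95601890afd80709)
Jan 06 16:10:02 auth-worker: Info: sql(other@example.com,198.51.100.250): Password mismatch (SHA1 of given password: 7c4a8d09ca3762af61e59520943dc26494f8941b)
Jan 06 16:10:03 auth-worker: Info: sql(other@example.com,198.51.100.250): Password mismatch (SHA1 of given password: b1b3773a05c0ed0176787a4f1574ff0075f7521e)
Jan 06 16:10:04 auth-worker: Info: sql(other@example.com,198.51.100.250): Password mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
"""

# Matches the layout shown in the thread; the optional "(pid)" after
# auth-worker is an allowance for other dovecot versions, an assumption here.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) auth-worker(?:\(\d+\))?: Info: "
    r"sql\((?P<user>[^,]+),(?P<ip>[^)]+)\): Password mismatch "
    r"\(SHA1 of given password: (?P<sha1>[0-9a-f]{40})\)$"
)


def parse_failures(text, year=2014):
    """Return (timestamp, user, ip, sha1) for each password-mismatch line.
    Syslog timestamps carry no year, so one is assumed (2014 = thread date)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"], m["sha1"]))
    return events


def failures_per_ip(events):
    """The view a per-IP fail2ban filter has: failed attempts per source address."""
    return Counter(ip for _, _, ip, _ in events)


def distributed_attempts(events, window_s=300, min_ips=5):
    """Per account, the largest number of distinct source addresses that failed
    a login inside any window of window_s seconds. Accounts reaching min_ips are
    returned. Keyed on the account, so a one-attempt-per-IP botnet still trips it."""
    by_user = defaultdict(list)
    for ts, user, ip, _ in events:
        by_user[user].append((ts, ip))
    alerts = {}
    for user, attempts in by_user.items():
        attempts.sort()
        best, start = 0, 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits within window_s
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({ip for _, ip in attempts[start:end + 1]}))
        if best >= min_ips:
            alerts[user] = best
    return alerts


def replayed_passwords(events):
    """(account, rejected-password hash) pairs seen from more than one address.
    The same wrong hash from many IPs means one leaked credential being replayed
    after a reset; a different hash per attempt means guessing."""
    ips_by_key = defaultdict(set)
    for _, user, ip, sha1 in events:
        ips_by_key[(user, sha1)].add(ip)
    return {key: len(ips) for key, ips in ips_by_key.items() if len(ips) > 1}


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("per-IP counts:", failures_per_ip(ev).most_common(3))
    print("distributed:", distributed_attempts(ev))
    print("replayed:", replayed_passwords(ev))
```

On the sample, a maxretry-style threshold of 5 fires only for the single brute-forcing address, while the account-keyed check flags victim@ after six addresses within 36 seconds. Either signal is a reason to disable the account (or at least its SASL submission rights) rather than to ban addresses one CIDR at a time.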