On Monday, January 06, 2014 10:12:38 Roland Plüss wrote:
> A couple of days ago my mail server got attacked by a spammer. It
> looks like he managed to compromise the password of one of the users on
> the system and SASL authenticated using the account to send spam. I
> blocked the attacking IP and changed the password of the affected user.
> Still the spammer managed to send out quite a lot of mails due
> to permit_sasl_authenticated letting him pass by. Now to deal with this
> situation in the future I would like to automatically lock down an
> account if an unusual amount of mails are sent like 60 per minute or so.
> I could not, though, figure out if postfix is able to do this or how to
> get this done. Any ideas?

Welcome to the club. I had an account get compromised on Christmas Day and got my server blacklisted. Changed the password. Now in my dovecot logs I see logins for this account from various IP addresses in Russia and the former Soviet republics. These seem to be from some sort of botnet as they come in bursts from different IP addresses. I have been adding the CIDRs for these networks to my firewall as they show up.

I am not a mail guy, but I find knowing how to use a firewall comes in handy.

--
Mike McGinn KD2CNU
Ex Uno Plurima
No electrons were harmed in sending this message, some were inconvenienced.
** Registered Linux User 377849
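
An added example, not part of either message above: one way to spot the situation described in the question is to count, per SASL user, the messages Postfix smtpd logs as accepted within a sliding 60-second window and report any account that goes over 60. It assumes the usual syslog line with "client=...[ip], ... sasl_username=..."; the host name, users, addresses and queue IDs in the sample are constructed, and the script only reports, it does not lock anything.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd writes one "client=..., sasl_username=..." line per message
# it accepts from an authenticated client.
SASL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/\S*smtpd\[\d+\]:\s[0-9A-Za-z]+:\s"
    r"client=\S+\[(?P<ip>[^\]]+)\],.*?sasl_username=(?P<user>\S+)")

def find_bursts(lines, limit=60, window=timedelta(seconds=60), year=2014):
    """Return {user: {"peak": n, "ips": set}} for every SASL user that sent
    more than `limit` messages inside any sliding `window`.
    Syslog timestamps carry no year, so the caller supplies one."""
    recent = defaultdict(deque)          # user -> (time, ip) inside the window
    flagged = {}
    for line in lines:                   # lines must be in chronological order
        m = SASL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["user"]]
        q.append((ts, m["ip"]))
        while ts - q[0][0] >= window:    # drop entries older than the window
            q.popleft()
        if len(q) > limit:
            hit = flagged.setdefault(m["user"], {"peak": 0, "ips": set()})
            hit["peak"] = max(hit["peak"], len(q))
            hit["ips"].update(ip for _, ip in q)
    return flagged

def sample_log():
    """Constructed data: 'bob' sends 75 mails in 38 s from three addresses,
    'alice' sends 5 mails in two minutes."""
    t0 = datetime(2014, 1, 6, 10, 12, 0)
    rows = [(t0 + timedelta(seconds=i // 2), f"203.0.113.{i % 3 + 1}", "bob")
            for i in range(75)]
    rows += [(t0 + timedelta(seconds=30 * i), "198.51.100.9", "alice")
             for i in range(5)]
    rows.sort(key=lambda r: r[0])
    return [f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} mail postfix/smtpd[2211]: "
            f"{n:010X}: client=unknown[{ip}], sasl_method=LOGIN, sasl_username={user}"
            for n, (ts, ip, user) in enumerate(rows)]

if __name__ == "__main__":
    for user, hit in find_bursts(sample_log()).items():
        print(f"{user}: {hit['peak']} mails in 60 s from {sorted(hit['ips'])}")
```

Because the count is keyed on the SASL user rather than the client address, a burst spread over many source IPs, as described in the reply, still adds up against the one compromised account.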