On 1/6/2014 5:32 PM, Mike McGinn wrote:
> On Monday, January 06, 2014 10:12:38 Roland Plüss wrote:
>> A couple of days ago my mail server got attacked by a spammer. It
>> looks like he managed to compromise the password of one of the users on
>> the system and SASL-authenticated using that account to send spam. I
>> blocked the attacking IP and changed the password of the affected user.
>> Still, the spammer managed to send out quite a lot of mails because
>> permit_sasl_authenticated let him pass. To deal with this situation in
>> the future I would like to automatically lock down an account if an
>> unusual number of mails is sent, like 60 per minute or so. I could not
>> figure out, though, whether postfix is able to do this or how to get
>> this done. Any ideas?
>
> Welcome to the club.
>
> I had an account get compromised on Christmas Day and got my server
> blacklisted. Changed the password.
>
> Now in my dovecot logs I see logins for this account from various IP addresses
> in Russia and the former Soviet republics. These seem to be from some sort of
> botnet, as they come in bursts from different IP addresses. I have been adding
> the CIDRs for these networks to my firewall as they show up.
>
> I am not a mail guy, but I find knowing how to use a firewall comes in handy.

I use fail2ban to block bots trying to guess passwords. Any IP that
enters a wrong password more than a certain number of times is banned for
10 minutes. Any such IP that gets banned too much this way gets banned
for a week.
I get attempts from pretty much all over the world (US, Europe, Russia,
China, India, ....)
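The per-account threshold Roland asks about (an account sending more than about 60 mails in a minute) can be detected on the log side by counting the sasl_username Postfix writes in each smtpd "client=" line. The script below is an added example, not code from either poster; the log lines it parses are constructed, and the threshold and log format are assumptions (Postfix's stock smtpd log line with sasl_method/sasl_username fields).

```python
import re
from collections import defaultdict

# Postfix smtpd logs an authenticated submission as:
#   <syslog ts> <host> postfix/smtpd[pid]: <qid>: client=<name>[<ip>], sasl_method=PLAIN, sasl_username=<user>
# The timestamp is captured only down to the minute so each hit lands in a one-minute bucket.
LINE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=\S+, sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)


def count_per_minute(lines):
    """Return {(sasl_username, 'Mon DD HH:MM'): submissions} over SASL-authenticated smtpd lines."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # non-smtpd lines (qmgr, dovecot, ...) are ignored
            counts[(m.group("user"), m.group("minute"))] += 1
    return counts


def flagged_accounts(lines, threshold=60):
    """Accounts that exceeded `threshold` submissions in any single minute (sorted)."""
    return sorted({user for (user, _), n in count_per_minute(lines).items() if n > threshold})


def _line(minute, second, user, ip, qid):
    # Builds one constructed Postfix smtpd log line (hypothetical host, pid and queue id).
    return (f"Jan  6 10:{minute:02d}:{second:02d} mx postfix/smtpd[2231]: "
            f"{qid}: client=unknown[{ip}], sasl_method=PLAIN, sasl_username={user}")


# Constructed sample: "bob" bursts 75 mails inside minute 10:12 (the compromised-account
# pattern from the thread); "alice" sends 4 mails spread over two minutes; one qmgr line is noise.
SAMPLE_LOG = (
    [_line(12, s % 60, "bob", "203.0.113.7", f"A{s:04X}") for s in range(75)]
    + [_line(12 + s // 60, s % 60, "alice", "198.51.100.9", f"B{s:04X}") for s in range(0, 120, 30)]
    + ["Jan  6 10:12:05 mx postfix/qmgr[2200]: A0001: from=<bob@example.com>, size=512, nrcpt=1 (queue active)"]
)

if __name__ == "__main__":
    print("accounts over 60/min:", flagged_accounts(SAMPLE_LOG))  # → ['bob']
```

Postfix's own anvil rate limits (smtpd_client_message_rate_limit) are keyed by client IP rather than by SASL user, which is why this counts on sasl_username; the flagged list is what you would feed into a lock-out action such as disabling the account.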