On 06 Mar 2014, at 18:04, Adam Moffett <adamli...@plexicomm.net> wrote:

> Two steps eliminated this problem for us:
>
> 1) Accounts with more than 6 failed login attempts in a 10 minute period are
> disabled for 10 minutes. This makes brute force methods to find passwords
> almost impossible.
>
> 2) Limit to 200 outgoing messages per day per user. We'll raise it to any
> reasonable value for an individual account. I.E.: We'll let you send 1000
> per day so you can get your church newsletter out, but we won't remove the
> limit completely and let you spam (knowingly or not). This minimizes the
> damage if a password is still compromised.
>
> 200 is a pretty high limit. Very few people send more than 50 in a day, and
> almost nobody sends more than 100. We set it at 200 so we wouldn't have to
> hear from anybody who isn't bulk mailing.

Perhaps another interesting datapoint: we have basic rate limiting, per hour. High enough so it doesn't impede anyone doing normal work, but low enough to catch anyone doing bulk mailing, and slow them down with a DEFER. This allows their mailing to finish, it'll just take a long time.

What we found in terms of most compromises, however, is that they stayed well below our rate limits. Send only a few messages here and there, stay below the radar. The last one, a week or two ago, only probed once or twice a day, and then sent a single message. Which bounced back, user notified us, and so on.

Also, not seen any brute-force attempts recently; in the cases we know of it's been user negligence, such as reuse of simple passwords.

Oh, and making services available only over SSL/TLS seems to make a difference, too. Nothing listening on 110/143, 587 with STARTTLS only.

Mvg,
Joni
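The three controls discussed in this thread (a failed-login lockout, a per-hour submission rate that answers with a DEFER, and a per-day cap) can be modelled in a few lines of policy code. The following is an added example written for this page, not code from either poster's mail system. The lockout numbers (6 failures in 10 minutes, 10 minutes locked) and the 200-per-day cap come from Adam's post; the hourly limit of 30 and the choice to REJECT rather than DEFER once the daily cap is hit are assumptions, and the user names and event timeline are constructed. The replay at the end also reproduces Joni's observation: a "low and slow" sender issuing a message every few hours never trips any of the thresholds.

```python
"""Submission-policy sketch: login lockout, hourly DEFER, daily cap.

Added example for the thread above, not the posters' own code. Lockout and
daily-cap values follow the posts; hourly_limit=30 and REJECT on the daily
cap are assumptions. Timestamps are plain seconds so the sample is offline.
"""
from collections import defaultdict, deque


class SubmissionPolicy:
    def __init__(self, max_failures=6, failure_window=600, lockout=600,
                 hourly_limit=30, daily_limit=200):
        self.max_failures = max_failures    # 6 failures ...
        self.failure_window = failure_window  # ... within 10 minutes ...
        self.lockout = lockout              # ... disables the account for 10 minutes
        self.hourly_limit = hourly_limit    # assumed value; the post gives none
        self.daily_limit = daily_limit      # 200 per user per day, per the post
        self._failures = defaultdict(deque)  # user -> timestamps of failed logins
        self._locked_until = {}              # user -> time the lockout expires
        self._sends = defaultdict(deque)     # user -> timestamps of accepted sends

    @staticmethod
    def _prune(dq, now, window):
        """Drop timestamps older than `window` seconds (deque is time-ordered)."""
        while dq and dq[0] <= now - window:
            dq.popleft()

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def record_login_failure(self, user, now):
        """Record one failed login; return True if this one triggers a lockout."""
        dq = self._failures[user]
        self._prune(dq, now, self.failure_window)
        dq.append(now)
        if len(dq) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            dq.clear()
            return True
        return False

    def check_send(self, user, now):
        """Decide one outbound message: ACCEPT, DEFER (hourly) or REJECT (daily)."""
        dq = self._sends[user]
        self._prune(dq, now, 86400)
        if len(dq) >= self.daily_limit:
            return "REJECT"            # assumed behaviour for the hard daily cap
        in_last_hour = sum(1 for t in dq if t > now - 3600)
        if in_last_hour >= self.hourly_limit:
            return "DEFER"             # 4xx: the client retries, the run just takes longer
        dq.append(now)
        return "ACCEPT"


def replay(policy, events):
    """Feed (time, user, kind) events, kind in {'fail', 'send'}; return decisions."""
    out = []
    for t, user, kind in sorted(events):
        if kind == "fail":
            locked = policy.record_login_failure(user, t)
            out.append((t, user, "LOCKED" if locked else "FAIL"))
        else:
            out.append((t, user, policy.check_send(user, t)))
    return out


def summarize(decisions):
    """Count decisions per user -> {user: {decision: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, user, decision in decisions:
        counts[user][decision] += 1
    return {u: dict(c) for u, c in counts.items()}


# Constructed timeline: a password guesser, a bulk mailer, and a low-and-slow sender.
SAMPLE_EVENTS = (
    [(i * 30, "guesser@example.net", "fail") for i in range(6)]       # 6 fails in 3 min
    + [(i * 60, "bulk@example.net", "send") for i in range(35)]       # 35 msgs in 35 min
    + [(h * 6 * 3600, "lowslow@example.net", "send") for h in range(4)]  # 1 msg / 6 h
)

if __name__ == "__main__":
    for user, counts in summarize(replay(SubmissionPolicy(), SAMPLE_EVENTS)).items():
        print(f"{user:22} {counts}")
```

Running it shows the guesser locked on the sixth failure, the bulk mailer accepted for 30 messages and deferred for the remaining 5, and the low-and-slow account accepted every time, which is exactly why that pattern has to be caught by something other than volume thresholds (user reports, bounce handling, login anomalies).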