Re: Question on early detection for relay spam

2020-03-04 Thread Benny Pedersen
Rupert Gallagher wrote on 2020-03-05 00:27: Fails with travelling clients.
My customers want vacation without stress :=)

Re: Question on early detection for relay spam

2020-03-04 Thread @lbutlr
On 04 Mar 2020, at 16:27, Rupert Gallagher wrote:
> Fails with travelling clients.
Depends. I block several countries from accessing my mail server. If someone travels to one of those countries, they can use webmail to access their mail. There are always options. However, most people simply us

Re: Question on early detection for relay spam

2020-03-04 Thread Rupert Gallagher
Fails with travelling clients.
Original Message
On Mar 3, 2020, 16:49, Benny Pedersen wrote:
> Marc Roos wrote on 2020-03-03 16:15:
>> Use ipset, hardly causing any latency using 50k entries.
>
> I don't need to block 50k entries, but only whitelist a few accepted client
> ips, wh

Re: Question on early detection for relay spam

2020-03-04 Thread Bill Cole
On 4 Mar 2020, at 14:43, RW wrote:
On Tue, 03 Mar 2020 16:05:31 -0800 Ted Mittelstaedt wrote:
2FA isn't going to help unless 2FA could be applied to the SMTP Auth port.
Sometimes 2FA on webmail is combined with separate autogenerated passwords for pop/imap/submission.
A.k.a. "application p

Re: Question on early detection for relay spam

2020-03-04 Thread RW
On Tue, 03 Mar 2020 16:05:31 -0800 Ted Mittelstaedt wrote:
> 2FA isn't going to help unless 2FA could be applied to the SMTP Auth port.
Sometimes 2FA on webmail is combined with separate autogenerated passwords for pop/imap/submission.

Re: Question on early detection for relay spam

2020-03-04 Thread M. Omer GOLGELI
If password rotation is out of the question, you might want to check your IPs against blacklists multiple times a day; it wouldn't stop it, but it may notify you earlier so you can stop an outbreak. Another thing that comes to mind is that you may try rate limiting your users and set up a cron to monitor th

Re: Question on early detection for relay spam

2020-03-03 Thread Ted Mittelstaedt
On 3/3/2020 5:53 AM, Riccardo Alfieri wrote:
On 03/03/20 08:54, Benny Pedersen wrote:
Ted Mittelstaedt wrote on 2020-03-03 08:26:
What do other people do for this problem?
Hi Ted,
What I can suggest is that you look at our DQS product (https://www.spamhaustech.com/dqs/), that even in it

RE: Question on early detection for relay spam

2020-03-03 Thread Ted Mittelstaedt
Well, for an example of the trouble RBLs cause, see this one for your own number:
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [212.26.193.44 listed in list.dnswl.org]
>and then immediately forget it, wh

Re: Question on early detection for relay spam

2020-03-03 Thread Grant Taylor
On 3/3/20 3:40 AM, Marc Roos wrote:
No problem I would say, it is good to exchange thoughts and ideas
Agreed.
Strange, your webmail should be on https, then it is difficult to catch passwords. I do not have this at all, that people's passwords get stolen.
Hardly ever.
So maybe somewhere something

Re: Question on early detection for relay spam

2020-03-03 Thread Bill Cole
On 3 Mar 2020, at 2:26, Ted Mittelstaedt wrote:
I know this is probably off topic but I'm getting desperate enough to ask. I run a commercial mailserver that regularly seems to have spammers relay mail through it that have obtained stolen credentials for a user. Many years ago I stopped all

Re: Question on early detection for relay spam

2020-03-03 Thread Benny Pedersen
Marc Roos wrote on 2020-03-03 16:15:
Use ipset, hardly causing any latency using 50k entries.
I don't need to block 50k entries, but only whitelist a few accepted client IPs, where I resolve the ASN and open this specific ASN to have access; if there is abuse it will be removed so it is again bloc

RE: Question on early detection for relay spam

2020-03-03 Thread Marc Roos
Use ipset, hardly causing any latency using 50k entries.
-Original Message-
From: Benny Pedersen [mailto:m...@junc.eu]
Sent: 03 March 2020 15:39
To: users@spamassassin.apache.org
Subject: Re: Question on early detection for relay spam
Riccardo Alfieri wrote on 2020-03-03 14:53

Re: Question on early detection for relay spam

2020-03-03 Thread Benny Pedersen
Riccardo Alfieri wrote on 2020-03-03 14:53:
# abuse port 21 begin
51.178.0.0/16 as16276 #OVH, FR
80.82.77.0/24 as202425 #INT-NETWORK, SC
104.206.128.0/22 as62904 #EONIX-COMMUNICATIONS-ASBLOCK-62904, US
# abuse port 21 end
# all ips begin
51.178.78.154
80.82.77.240
104.206.128.54
# all ips end
#

Re: Question on early detection for relay spam

2020-03-03 Thread Benny Pedersen
Riccardo Alfieri wrote on 2020-03-03 14:53:
sasl_username - number of different ips observed in the latest 24h.
I have limited it so that I only allow SASL auth from trusted customers' IPs; all else is firewalled with a default policy of drop, and client IPs are thus still logged if ports are

Re: Question on early detection for relay spam

2020-03-03 Thread Riccardo Alfieri
On 03/03/20 08:54, Benny Pedersen wrote:
Ted Mittelstaedt wrote on 2020-03-03 08:26:
What do other people do for this problem?
Hi Ted,
What I can suggest is that you look at our DQS product (https://www.spamhaustech.com/dqs/), that even in its free subscription model includes AuthBL, a l

RE: Question on early detection for relay spam

2020-03-03 Thread Marc Roos
>I know this is probably off topic but I'm getting desperate enough to ask.
No problem I would say, it is good to exchange thoughts and ideas
>I run a commercial mailserver that regularly seems to have spammers
>relay mail through it that have obtained stolen credentials for a user.
> Many

Re: Question on early detection for relay spam

2020-03-02 Thread Benny Pedersen
Ted Mittelstaedt wrote on 2020-03-03 08:26:
What do other people do for this problem?
https://www.abusix.com/abusix-mail-intelligence
What more do you want to do? My own servers reject all clients not in Danish IP space unless it's SASL authed. Strong leaked passwords do not help much

Question on early detection for relay spam

2020-03-02 Thread Ted Mittelstaedt
I know this is probably off topic but I'm getting desperate enough to ask. I run a commercial mailserver that regularly seems to have spammers relay mail through it that have obtained stolen credentials for a user. Many years ago I stopped allowing users to change passwords on it and I set up