On Tue, Apr 16, 2013 at 12:45:06AM -0400, CSS wrote:
> I'm curious what other people are doing to deal with this?
>
> We have policyd running on our smtp relay hosts that customers use.
> We get an alert when any username sends more than X messages in
> an hour and deal with it on a case by case basis.  For some time,
> this has worked well.  We've had a few cases where the end user's
> pc is part of a botnet and sending directly, but most of the time
> it's foreign IPs that have either brute-forced or stolen the user's
> credentials (presumably by phishing).
>
> In the past month or so though, I've been seeing more and more
> instances where I get no alerts, and then a few feedback loop reports.
> If I look at the policyd stats, I'll see some user sitting just below
> the alert threshold has been sending crap out for hours.  I'm not
> seeing any obvious solution here?  Any suggestions?
>

#!/bin/sh
#
# Find compromised e-mail smtp accounts
#

# Optional argument: path to the mail log (defaults to /var/log/maillog).
if [ -n "$1" ]; then
        MAILLOG=$1
else
        MAILLOG=/var/log/maillog
fi

# Keep only SASL-authenticated submissions, drop clients whose reverse
# DNS is one of our own or a local ISP's domains, then drop clients in
# our own or the local ISPs' address ranges.  What is left is
# authenticated mail from foreign hosts: print the client and the
# sasl_username (fields 7 and 9 of a postfix/smtpd "client=" line),
# then count each (client, user) pair.
grep sasl_username "${MAILLOG}" \
        | egrep -v '(ourdomain\.net|ourotherdomains\.net|otherlocalisp1\.net|otherlocalisp2\.(com|net)|localuniversity\.edu|...)\[' \
        | egrep -v '\[(172\.(1[6-9]|2[0-9]|3[0-2])|10\.1[23][80]|our\.other\.ip\.ranges|other\.isp\.range\.no\.rev\.dns|...|)\.' \
        | awk '{print $7" "$9}' \
        | sort -k2 \
        | uniq -c

We saw several hit 92 sends from each host, slowly, a few weeks
ago.  They seem to have given up on that method and just send a
couple of messages from lots of hosts again.  But they have slowed
down on how fast they send through any one account.  I still spot
them in the hourly report which includes the above output as well
as a list of every sasl_username which is found in today's log more
than a certain number of times.

Between the two methods, we seem to catch them within an hour or
two.  The biggest latency is me checking that hourly report e-mail.
The per hour and per day policyd limit keeps them from doing much
damage between my reading times.  I've only had one instance which
slipped past the radar for more than a day.  I found a bug in my
grep regex.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
[email protected]
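Added example (not Scott's script and not part of the original thread): the same idea as the grep/awk pipeline above, plus a check for the "sitting just below the hourly threshold for hours" pattern CSS described. It parses Postfix smtpd "client=" lines, drops clients in local domains or address ranges, counts (client, user) pairs, and separately flags users whose per-hour peak stays under the rate limit but who keep sending across many hours from foreign hosts. The log lines, hostnames, users, local exclusions and thresholds are all constructed stand-ins, chosen to match the shape of a Postfix maillog rather than any real site.

```python
"""Find authenticated senders relaying from foreign hosts, including
ones that stay under an hourly rate limit.  Log lines follow the Postfix
smtpd 'client=' format; everything else here is constructed."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed stand-ins for the real local-domain and local-range lists.
LOCAL_DOMAIN_RE = re.compile(r'(ourdomain\.net|localuniversity\.edu)$')
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("172.16.0.0/12", "10.0.0.0/8", "192.0.2.0/24")]

# Apr 16 00:45:06 relay1 postfix/smtpd[4242]: 7F3A2B1C9D: client=host[ip],
#   sasl_method=PLAIN, sasl_username=user
LINE_RE = re.compile(
    r'^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ '
    r'postfix/smtpd\[\d+\]: \w+: client=(?P<host>\S+)\[(?P<ip>[\d.]+)\], '
    r'sasl_method=\S+, sasl_username=(?P<user>\S+)')


def is_local(host, ip):
    """True when the client is one of ours by reverse DNS or by address."""
    if LOCAL_DOMAIN_RE.search(host):
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse(lines, year=2013):
    """Yield (hour_bucket, client, user) for submissions from foreign hosts."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or is_local(m['host'], m['ip']):
            continue
        ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        yield ts.replace(minute=0, second=0), f"{m['host']}[{m['ip']}]", m['user']


def per_client_user(lines):
    """Same output as the grep|awk|sort|uniq -c pipeline: count per (client, user)."""
    return Counter((client, user) for _, client, user in parse(lines))


def low_and_slow(lines, hourly_limit=20, min_hours=3, min_total=30):
    """Flag users who never reach hourly_limit in any hour but send from
    foreign clients in at least min_hours distinct hours, min_total in all."""
    per_hour = defaultdict(Counter)   # user -> hour bucket -> count
    clients = defaultdict(set)        # user -> foreign clients seen
    for hour, client, user in parse(lines):
        per_hour[user][hour] += 1
        clients[user].add(client)
    flagged = {}
    for user, hours in per_hour.items():
        total, peak = sum(hours.values()), max(hours.values())
        if peak < hourly_limit and len(hours) >= min_hours and total >= min_total:
            flagged[user] = {"total": total, "hours": len(hours),
                             "peak": peak, "clients": len(clients[user])}
    return flagged


def _line(day, hh, mm, host, ip, user):
    return (f"Apr {day:2d} {hh:02d}:{mm:02d}:00 relay1 postfix/smtpd[4242]: "
            f"7F3A2B1C9D: client={host}[{ip}], sasl_method=PLAIN, sasl_username={user}")


# Constructed log: alice is bursty but on our own network (excluded); bob
# sends 15/hour for four hours from rotating foreign hosts, under a 20/hour
# limit; carol sends three messages from a hotel network.
SAMPLE_LOG = (
    [_line(16, 9, m, "pc12.ourdomain.net", "10.1.20.5", "alice") for m in range(50)]
    + [_line(16, 10 + h, m * 3, f"host{h}.example", f"198.51.100.{h + 1}", "bob")
       for h in range(4) for m in range(15)]
    + [_line(16, 12, 5 + m, "hotel-wifi.example", "203.0.113.7", "carol") for m in range(3)]
)

if __name__ == "__main__":
    for (client, user), n in sorted(per_client_user(SAMPLE_LOG).items(), key=lambda kv: kv[0][1]):
        print(f"{n:7d} {client} sasl_username={user}")
    for user, info in low_and_slow(SAMPLE_LOG).items():
        print(f"LOW-AND-SLOW {user}: {info}")
```

The first report is what the hourly e-mail already shows; the second is the extra check for a user whose peak never trips the policyd alert. The thresholds are site-specific: set hourly_limit to the real alert threshold and min_hours/min_total low enough that a normal user working through a day from a hotel does not trip it, and high enough that rotating foreign hosts at 15 per hour does.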

_______________________________________________
Users mailing list
[email protected]
http://lists.policyd.org/mailman/listinfo/users_lists.policyd.org
