>I know this is probably off topic but I'm getting desperate enough to ask.

No problem I would say, it is good to exchange thoughts and ideas.

>I run a commercial mailserver that regularly seems to have spammers
>relay mail through it that have obtained stolen credentials for a user.
>Many years ago I stopped allowing users to change passwords on it and
>I setup passwords for all users added to it, and the passwords are
>random strings of 8 characters or more.
>
>The problem is of course that since the passwords are difficult to
>remember, once the users do remember them they merrily proceed to use
>this "highly secure password that I can now remember" on every stupid
>website out on the Internet that they care to login to.  The problem
>isn't really the people using Thunderbird or Outlook or their cell
>phones or whatever, because they save the password in the email client
>and then immediately forget it, which is what I want.  It is the people
>who use the webmail interface on multiple different systems, kiosk
>computers and the like, who are the problem.  When hosts out on the
>Internet get busted into, the spammers get their passwords and
>email addresses and start relaying.  I've confirmed this with several
>users I've called and it's always the same story.

Strange, your webmail should be on https, then it is difficult to catch
passwords. I do not have this at all, that people's passwords get stolen.
Hardly ever. So maybe somewhere something is wrong in your setup. Maybe
spammers get access via a remote exploit?
I do not think this is a common problem.

>By the time I see what's going on the server is blacklisted everywhere
>and I have to waste time delisting it, and asskissing all of the
>little tiny blacklists run by little pricks who want me to pay money
>or wait a month to be delisted, etc.  (no I'm NOT talking about
>spamcop, or barracuda or anyone professional - THEY know what they are
>doing and don't look at this as a chance for a shakedown)

Please remember that you are causing work for these companies. Someone
is complaining. And someone is adding your ip to the blacklist.
They get harassed about why the shit is getting through their spam filters.
I would also ask amazon to pay me a few thousand for wasting my time
constantly.


>I estimate that last year this happened around 5 times and I just
>lost an afternoon today answering the passle of help requests from
>users because it happened again.
>
>What I am wondering is how to tighten up my monitoring on my servers to
>more rapidly identify when this starts happening.  What I'm doing now is
>a kludge but I run mailq  (this is a sendmail system) and when I see the
>number of pending mail messages in there exceed a threshold I send an
>alert to my cell.  It is a kludge and the problem is that
>the mailq doesn't start filling up until my server gets blacklisted.

Sendmail has a nice filter that rate limits a user. I was always thinking
of implementing this, when I run into a situation like yours.

>I've considered several ideas like running a script out of cron that
>checks the number of authid's per hour but all of these seem like even
>worse kludges.  The only idea that I have come up with that I really
>like is taking an AK-47 to the spammers but unfortunately spammers
>know that they are unloved and cowardly hide away in Russia and scummier
>places and I can't reach 'em.  (maybe I could offer a bounty?  A nickel
>a head?  That would pay for the bullet at least.  I don't think those
>people are worth even that, though)
>
>I do run a daily sendmail statistics report but by the time I read that
>and see the bump in traffic it's too late.
>
>What do other people do for this problem?
>

Things you should consider:
- investigate what clients mostly have these problems. Give them a separate
outgoing server. This way when it happens again not everyone's email is
blocked.
ps. When I get spam I put the whole /24 range on the blacklist. So maybe
get ip's in different ranges.

- filter your logs of the last year that have outgoing spam. You will see
the same ip ranges. Put all of them on your outgoing mailserver's dns
blacklist so they cannot connect.

- google for outgoing milters. You get blacklisted on the bigger rbl's
after sending a lot of spam. A user is not sending 100 emails a day.


Good luck fighting these spammers!!!
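The poster's own idea above (count authid's per hour from cron) is the quickest early-warning signal for a stolen credential, and it fires long before the mailq fills up or a blacklist notices. The script below is an added example, not code from either message in this thread; it parses log lines shaped like sendmail's SMTP AUTH entry (`AUTH=server, relay=..., authid=..., mech=..., bits=...`), buckets them per user per hour, and flags a user who either sends more than a threshold in one hour or authenticates from more distinct relay addresses than a real person would. All hostnames, addresses, user names, queue ids and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the shape of sendmail's SMTP AUTH entry.
# Hostnames, addresses, user names and queue ids are made up for this example.
def _auth_line(ts, qid, relay, authid, mech="PLAIN"):
    return (f"{ts} mx sendmail[4011]: {qid}: AUTH=server, "
            f"relay={relay}, authid={authid}, mech={mech}, bits=0")


def build_sample_log():
    """Return a constructed maillog excerpt: one normal user, one compromised user."""
    lines = [
        _auth_line("Mar  3 09:00:12", "r2390C0A004011", "[203.0.113.10]", "alice"),
        _auth_line("Mar  3 09:41:55", "r2390C0B004080", "[203.0.113.10]", "alice"),
        _auth_line("Mar  3 10:02:07", "r2390C0C004101", "[198.51.100.7]", "bob"),
        # an unrelated non-AUTH sendmail line; the parser must ignore it
        "Mar  3 10:02:08 mx sendmail[4101]: r2390C0C004101: from=<bob@example.test>, "
        "size=812, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]",
    ]
    # bob's credential is then used from several unrelated hosts within one hour
    relays = ["[192.0.2.21]", "[192.0.2.22]", "[192.0.2.23]", "[192.0.2.24]"]
    for i in range(24):
        lines.append(_auth_line(f"Mar  3 10:{5 + 2 * i:02d}:30",
                                f"r2390D{i:02X}0041{i:02d}", relays[i % 4], "bob"))
    return "\n".join(lines)


# syslog timestamp, host, "sendmail[pid]:", queue id, then the AUTH=server fields
AUTH_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+"
    r"sendmail\[\d+\]:\s+\S+:\s+AUTH=server,\s+relay=(?P<relay>.+?),\s+"
    r"authid=(?P<authid>\S+?),\s+mech="
)


def auth_counts(log_text):
    """Map (authid, 'Mon DD HH') -> {'count': n, 'relays': set of relay strings}."""
    buckets = defaultdict(lambda: {"count": 0, "relays": set()})
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # not an AUTH line (from=, to=, stat= lines etc.)
        hour_key = f"{m['month']} {int(m['day']):02d} {m['hour']}"
        bucket = buckets[(m["authid"], hour_key)]
        bucket["count"] += 1
        bucket["relays"].add(m["relay"])
    return buckets


def suspicious_users(log_text, max_per_hour=20, max_relays_per_hour=3):
    """Return sorted [(authid, hour_key, count, distinct_relays)] over either limit.

    Thresholds are example values; tune them to the real traffic of the user base.
    """
    hits = []
    for (authid, hour_key), b in auth_counts(log_text).items():
        if b["count"] > max_per_hour or len(b["relays"]) > max_relays_per_hour:
            hits.append((authid, hour_key, b["count"], len(b["relays"])))
    return sorted(hits)


if __name__ == "__main__":
    # In production read /var/log/maillog (or the last hour of it) instead.
    for authid, hour, count, nrelays in suspicious_users(build_sample_log()):
        print(f"ALERT {authid}: {count} authenticated sends from {nrelays} relays in hour {hour}")
```

Run from cron every few minutes over the tail of the maillog and send the alert line to a pager; the distinct-relay check is the part worth keeping even at a low volume threshold, because a webmail user on one kiosk shows one address per hour while a harvested credential shows up from many.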
