On 3/3/2020 5:53 AM, Riccardo Alfieri wrote:
> On 03/03/20 08:54, Benny Pedersen wrote:
>> Ted Mittelstaedt wrote on 2020-03-03 08:26:
>>> What do other people do for this problem?
>
> Hi Ted,
>
> <vendor>
> What I can suggest to you is to look at our DQS product
> (https://www.spamhaustech.com/dqs/), which even in its free subscription
> model includes AuthBL, a list made of botnets known to be used to spam
> with abused credentials. A simple 5xx if a client connects to your
> submission port using a listed IP would take care of *most* of your
> problems.

Well, since I also am fully IPv6 compliant I don't think I have the space
for a real dynamic blacklist. A spammer with half a brain can simply
forgo IPv4 completely and have an almost infinite number of IPs to
attack me from. Of course most spammers are too stupid to set up a
rotator on an IPv6 line, so maybe we might get a few more years in the
IPv4 space, but much of this blacklist stuff can be easily defeated
once more people run IPv6.

> </vendor>
>
> After that, just running a daily report with a table like:
>
> sasl_username - number of different IPs observed in the latest 24h.

Yes, this is what I have been thinking is most likely going to be the
most useful approach - that is, writing a log analysis script that runs
when the maillog is rolled over and stuffs all authid IP addresses and
corresponding user IDs into a MySQL database. Then a second report
script that queries the database looking for excessive use.
Unfortunately, while it's the least kludgy approach, it's also the most
complicated one. :-(

> Can help you find out abused credentials that were being used by bots
> (still) not in AuthBL.
>
> I've observed in the field that this is an approach that works when you
> have up to 20-30k users; after this threshold you may want to write
> something to automate warnings and/or automatically block accounts if
> they exceed a defined threshold of (different_ips per sasl_username) per
> hour.

Unfortunately that just opens a DoS hole, as an attacker who is attacking
a particular user ID can stuff the log and lock out a legitimate user.
Unlike Google, who gives out accounts for free, I collect money for them,
and so therefore, unlike Google, I can't just do whatever the eff I want
to them for no reason any time I feel like.

That's WHY Google gives out free accounts. That, and they have enough
of them that they can gather all that lovely marketing data by scraping
people's emails for keywords.

Ted
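The "distinct IPs per sasl_username in 24h" report discussed in this thread, as an added Python example that is not part of the thread or of Postfix: it parses the sasl_username that Postfix smtpd logs on the client= line of a successful AUTH (failed password guesses never carry that field, so they cannot inflate the count), counts distinct client IPs per user inside a 24h window, and lists users above a threshold. The log lines, hostnames, addresses, time window and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sasl_username is logged on the "client=" line only after a successful AUTH.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?:\S+/)?smtpd\[\d+\]: "
    r"\w+: client=\S+\[(?P<ip>[^\]]+)\],.*sasl_username=(?P<user>\S+)"
)

def parse_auths(lines, year):
    """Yield (timestamp, sasl_username, client_ip) per successful SASL login."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # syslog timestamps carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def ips_per_user(auths, now, window=timedelta(hours=24)):
    """Map sasl_username -> set of distinct client IPs seen inside the window."""
    seen = defaultdict(set)
    for ts, user, ip in auths:
        if now - window <= ts <= now:
            seen[user].add(ip)
    return seen

def report(seen, threshold):
    """[(sasl_username, distinct_ips)] for users over the threshold, worst first."""
    rows = [(u, len(ips)) for u, ips in seen.items() if len(ips) > threshold]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Constructed sample log (documentation addresses only), not real mail traffic.
SAMPLE_LOG = """\
Mar  3 06:10:01 mx postfix/submission/smtpd[2101]: 4F1A2B: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 06:12:44 mx postfix/submission/smtpd[2101]: 4F1A2C: client=unknown[198.51.100.8], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 06:15:09 mx postfix/submission/smtpd[2103]: 4F1A2D: client=unknown[203.0.113.21], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 06:20:30 mx postfix/submission/smtpd[2104]: 4F1A2E: client=unknown[2001:db8::1], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 07:00:00 mx postfix/submission/smtpd[2105]: 4F1A2F: client=home.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Mar  3 07:05:00 mx postfix/submission/smtpd[2106]: warning: unknown[203.0.113.99]: SASL PLAIN authentication failed: authentication failure
Mar  2 05:00:00 mx postfix/submission/smtpd[1999]: 3E0A1B: client=unknown[203.0.113.50], sasl_method=PLAIN, sasl_username=bob@example.com
"""

def flagged_users(log_text=SAMPLE_LOG, now=datetime(2020, 3, 3, 8, 0), threshold=3):
    """Daily report: users seen from more than `threshold` distinct IPs in 24h."""
    seen = ips_per_user(parse_auths(log_text.splitlines(), now.year), now)
    return report(seen, threshold)

if __name__ == "__main__":
    for user, n in flagged_users():
        print(f"{user}\t{n} distinct client IPs in the last 24h")
```

With the sample above, alice is reported with 4 distinct IPs; bob's login from the day before falls outside the window, and the failed-authentication line is ignored.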