>> On 10.08.09 14:56, Charles Gregory wrote:
>>> Not at all. I know who logs on when, and I can easily disable their
>>> access.

> On Tue, 11 Aug 2009, Matus UHLAR - fantomas wrote:
>> I should have made that more clear: If there are more _concurrent_ users on
>> the same IP (home/office network with NAT), you only can block them all
>> or none of them. Even if they have separate mailboxes. You need SMTP
>> auth to be able to block only the spamming one.

On 11.08.09 10:58, Charles Gregory wrote:
> (nod) You are correct, though on our net this is a rare situation

depends :)

> Though again, I ask the question, for those who have tried it both ways,  
> is my seat-of-the-pants guess that theft of a password and illegitimate  
> use from third party locations a greater or lesser risk than this?

I wrote that two messages ago in this thread: we've had many more problems
with users spamming from our IP range w/o auth than from other IPs,
authenticated.

>> Don't you even run webmail being accessible from outside your network?
>
> (nod) Of course. And *that* is actually the promoted alternative for
> people 'roaming' outside our network. Again, I could be wrong, and would
> welcome input on this, but my feeling is that a webmail interface is a lot
> more trouble for a spammer to write scripts for?

I wouldn't say so. We've had many problems with users spamming through
webmail a year and a half ago... luckily even webmails allow limiting the
number of messages sent.

And we have suffered from these much more than from spamming via
authenticated SMTP...

>> I found out that it's much safer to ask everyone to authenticate, it
>> makes the problem with more-or-less anonymous IP addresses (nearly) disappear.
>
> (nod again) The key word being 'anonymous'. I would be forced to choose  
> SMTP-AUTH and require it for all clients if I could not identify who was  
> connecting. :)

with SMTP auth you can see that from logs/messages, and don't need to search
external sources (radius)...

>> .... Luckily many phishes are detectable by SA or ClamAV.

> Which leads to another question. Has anyone written a really *good*  
> generic rule for these phishes? Trouble is, legitimate users could send  
> 'forms' via mail with many of the headers I might test. But I notice they 
> all come from odd phone numbers or freemail addresses, so I'm working 
> with that, but the variability of the 'information' lines is annoying. 
> Anyone got a good generic 'spotter' set of rules/meta?

Good question too... if not anybody, I hope I'll have the time to check for
that...

something like
/dear\s+${COMPANY}\s+(internet|webmail)\s+user/i

>> I think I'll take all phishes that come onto our company's mailboxes and
>> will try to create some filters...
>
> LOL - Shoulda kept reading.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.
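
The rule idea discussed above, as an added example (not code from either poster): the greeting pattern sketched in the message is combined with the freemail reply address Charles mentions and an assumed credential-form check, and a message is flagged only when at least two of the three match, so a lone form or a lone greeting stays clean. `COMPANY`, the `FREEMAIL` list, the `CRED_FORM` pattern and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY = "Example"               # assumption: value substituted for ${COMPANY}
FREEMAIL = {"freemail.example"}   # assumption: stand-in for a real freemail domain list

# Greeting pattern sketched in the thread, with ${COMPANY} filled in.
GREETING = re.compile(r"dear\s+%s\s+(internet|webmail)\s+user" % re.escape(COMPANY), re.I)
# Assumed second signal: a fill-in line asking for account credentials.
CRED_FORM = re.compile(r"^\s*(user\s*name|password|login)\s*[:.]", re.I | re.M)

def body_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "latin-1", "replace"))
    return "\n".join(out)

def reply_domain(msg):
    """Domain a reply would go to: Reply-To if present, otherwise From."""
    addr = parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def check(raw):
    """Return each signal plus a meta that needs at least two of the three."""
    msg = message_from_string(raw)
    body = body_text(msg)
    hits = {
        "GREETING": bool(GREETING.search(body)),
        "CRED_FORM": bool(CRED_FORM.search(body)),
        "FREEMAIL_REPLY": reply_domain(msg) in FREEMAIL,
    }
    hits["META_PHISH"] = sum(hits.values()) >= 2
    return hits

# Constructed sample messages (not taken from the thread).
PHISH = ("From: Webmail Admin <admin@example.com>\nReply-To: verify@freemail.example\n"
         "Subject: Account upgrade\n\nDear Example Webmail User,\n"
         "Your mailbox is over quota. Reply with:\nUsername: ......\nPassword: ......\n")
NOTICE = ("From: Helpdesk <helpdesk@example.com>\nSubject: Maintenance\n\n"
          "Dear Example Internet User,\nWebmail will be down Sunday 02:00-03:00.\n")
FORM = ("From: Staff <staff@example.com>\nSubject: New account request\n\n"
        "Please create an account.\nUsername: jdoe\nDepartment: Sales\n")

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("notice", NOTICE), ("form", FORM)):
        print(name, check(raw))
```
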
