
sasl spam?



Hello all,

During last week we had 2 different email accounts compromised and
used to send thousands of spam messages via our mailserver. Users were
authenticated via SASL and connections were from many different IPs
(different countries), so it looks like some botnet. But both users
had 8-character random passwords, and each IP is limited to only 5
unsuccessful SASL attempts via fail2ban, so I guess there must be
some kind of virus in the wild which is stealing email passwords from
users' computers...

I was thinking about limiting the number of different IPs a user is
allowed to log in from during a timeframe (for example, allow SASL from
max. 10 IPs during a 60-min sliding window). Is there any tool which
could do that, or do I need to write it?
Or what other countermeasures do you suggest? BTW, does postfix have a
limit on the number of emails sent per SASL user (not per envelope sender),
or per sender domain?


-- 
  bYE, Marki


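One way to do the per-user distinct-IP check asked about above, as an added example that is not from the original post: a Python script that reads Postfix smtpd SASL login lines and alerts when one user has authenticated from more than 10 client IPs inside a 60-minute sliding window. The log lines are constructed samples, and the year is assumed since syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd logs one "client=... sasl_username=..." line per authenticated
# session; pull out the syslog timestamp, the client IP and the SASL login name.
SASL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>[^,\s]+)"
)

def parse(line, year=2009):
    """Return (timestamp, ip, user) for a SASL login line, else None. Year is assumed."""
    m = SASL_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]

def find_abusers(lines, max_ips=10, window=timedelta(minutes=60)):
    """Alert whenever one SASL user has logged in from more than max_ips distinct
    client IPs within `window`. Lines are assumed chronological, as in a real log."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, ip), oldest first
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                # not a SASL login line
        ts, ip, user = ev
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:   # evict logins that fell out of the window
            q.popleft()
        distinct = {e[1] for e in q}
        if len(distinct) > max_ips:
            alerts.append((user, ts, len(distinct)))
    return alerts

# Constructed sample log: bob's account logs in from 12 different IPs within
# 33 minutes (the botnet pattern described in the post); alice uses two IPs.
SAMPLE_LOG = [
    f"Jan 12 10:{m:02d}:00 mx postfix/smtpd[4711]: A{m:02X}: "
    f"client=unknown[203.0.113.{m}], sasl_method=PLAIN, sasl_username=bob@example.com"
    for m in range(0, 36, 3)
] + [
    "Jan 12 10:05:00 mx postfix/smtpd[4712]: B01: client=home.isp.net[198.51.100.7], "
    "sasl_method=LOGIN, sasl_username=alice@example.com, sasl_sender=<alice@example.com>",
    "Jan 12 10:40:00 mx postfix/smtpd[4713]: B02: client=office.example.com[192.0.2.9], "
    "sasl_method=LOGIN, sasl_username=alice@example.com",
]
```

Run over the sample, `find_abusers(SAMPLE_LOG)` flags bob at his 11th and 12th login (11 and 12 distinct IPs in the hour) and never flags alice; feed it `tail -F mail.log` and hook the alert into a password reset or a temporary `smtpd_sender_login_maps` block.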