Re: sasl spam?
1. limit the output throughput
1.1 If you use postfix, the package postfix-policyd can provide sender throttling
It uses its own database:
INSERT INTO throttle
(_from,_count_max,_quota_max,_time_limit,_mail_size,_date,_priority)
VALUES (<sender>,
50, # maximum messages per time unit
250000000, # size in bytes (250 megs) (maximum is 2gig)
86400, # time unit in seconds (1 day)
10240000, # maximum message size (10 meg)
UNIX_TIMESTAMP(), # current time
<priority>);
<sender> can be
- "user@domain.com"
- "@domain.com"
- "192.168.0.1"
- "192.168.0.%"
- SASL username
So you can estimate the normal acceptable output rate and set a limit
per domain.
1.2 postfix transports
Estimate normal volume to gmail, yahoo, hotmail, ...
Configure max volume for the destination domains that are going to blacklist you.
Use the destination_recipient_limit, initial_destination_concurrency,
destination_rate_delay, ... postfix configuration directives.
2. Early alert
Automatic report of mail.log every 1/2 hour or so, counting the number of emails sent per
envelope sender and sender domain, looking for high volumes.
On Mon, Oct 07, 2013 at 03:42:15PM +0200, Marek Podmaka wrote:
> Hello all,
>
> During last week we had 2 different email accounts compromised and
> used to send thousands of spams via our mailserver. Users were
> authenticated via SASL and connections were from many different IPs
> (different countries), so it looks like some botnet. But both users
> had 8-chars random password, each IP is limited to only 5
> unsuccessful SASL attempts via fail2ban, so I guess there must be
> some kind of virus in the wild which is stealing email passwords from
> users' computers...
>
> I was thinking about limiting the number of different IPs a user is
> allowed to login from during a timeframe (for example allow SASL from
> max. 10 IPs during a 60min sliding window). Is there any tool which
> could do that or do I need to write it?
> Or what other countermeasures do you suggest? BTW, does postfix have a
> limit on the no. of emails sent by SASL user (not by envelope sender), or
> by sender domain?
>
>
> --
> bYE, Marki
>
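The half-hourly mail.log report described in point 2 of the reply, as an added example that is not part of the original post: it joins smtpd's sasl_username lines to qmgr's from=/nrcpt= lines by queue id, totals recipients per SASL user and per sender domain, and flags anything above a threshold. The log lines and the limit of 50 recipients per window are constructed for the example; feed it the last half hour of mail.log in practice.

```python
import re
from collections import Counter

# Constructed sample of postfix mail.log lines for one report window
# (not taken from the original post). Queue ids tie smtpd lines to qmgr lines.
SAMPLE_LOG = """\
Oct  7 14:00:01 mx postfix/smtpd[101]: 1A2B3C: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Oct  7 14:00:02 mx postfix/qmgr[55]: 1A2B3C: from=<alice@example.com>, size=812, nrcpt=1 (queue active)
Oct  7 14:00:05 mx postfix/smtpd[102]: 4D5E6F: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@example.com
Oct  7 14:00:06 mx postfix/qmgr[55]: 4D5E6F: from=<sales@example.org>, size=30211, nrcpt=25 (queue active)
Oct  7 14:00:09 mx postfix/smtpd[103]: 7G8H9I: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=bob@example.com
Oct  7 14:00:10 mx postfix/qmgr[55]: 7G8H9I: from=<promo@example.org>, size=30105, nrcpt=40 (queue active)
"""

# smtpd logs the authenticated user with the queue id; qmgr logs the envelope
# sender and recipient count with the same queue id.
SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=[^,]+, "
                     r"sasl_method=[^,]+, sasl_username=(\S+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-Za-z]+): from=<([^>]*)>, "
                     r"size=\d+, nrcpt=(\d+)")


def summarize(log_text):
    """Return (recipients per SASL user, recipients per sender domain) for the window."""
    sasl_by_qid = {}
    per_user, per_domain = Counter(), Counter()
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            sasl_by_qid[m.group(1)] = m.group(2)
            continue
        m = FROM_RE.search(line)
        if m:
            qid, sender, nrcpt = m.group(1), m.group(2), int(m.group(3))
            per_domain[sender.partition("@")[2] or "<>"] += nrcpt
            user = sasl_by_qid.get(qid)   # unauthenticated (inbound) mail has no SASL user
            if user:
                per_user[user] += nrcpt
    return per_user, per_domain


def over_limit(counts, limit):
    """Keys whose recipient total exceeds the per-window limit."""
    return {k: v for k, v in counts.items() if v > limit}


if __name__ == "__main__":
    users, domains = summarize(SAMPLE_LOG)
    for label, counts in (("SASL user", users), ("sender domain", domains)):
        for key, n in sorted(over_limit(counts, 50).items(), key=lambda kv: -kv[1]):
            print(f"ALERT {label} {key}: {n} recipients in window")
```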
- References:
- sasl spam?
- From: Marek Podmaka <marki@marki-online.net>