
Re: sasl spam?



1. limit the output throughput

1.1 If you use postfix, the package postfix-policyd can provide sender throttling

It uses its own database:

INSERT INTO throttle
  (_from, _count_max, _quota_max, _time_limit, _mail_size, _date, _priority)
  VALUES ('<sender>',        # string, see the accepted forms below
          50,                # maximum messages per time unit
          250000000,         # quota in bytes (250 megs; maximum is 2 gigs)
          86400,             # time unit in seconds (1 day)
          10240000,          # maximum message size (10 megs)
          UNIX_TIMESTAMP(),  # current time
          <priority>);

<sender> can be 
- "user@domain.com"
- "@domain.com"
- "192.168.0.1"
- "192.168.0.%"
- SASL username

So you can estimate the normal acceptable output rate and set a limit
per domain.

1.2 postfix transports

Estimate normal volume to gmail, yahoo, hotmail, ...

Configure a maximum volume for the destination domains that are going to blacklist you.
Use the destination_recipient_limit, initial_destination_concurrency,
destination_rate_delay, ... Postfix configuration directives.

2. Early alert

An automatic report from mail.log every half hour or so, counting the number of
emails sent per envelope sender and sender domain, looking for high volumes.

On Mon, Oct 07, 2013 at 03:42:15PM +0200, Marek Podmaka wrote:
> Hello all,
> 
> During the last week we had 2 different email accounts compromised and
> used to send thousands of spams via our mailserver. Users were
> authenticated via SASL and connections were from many different IPs
> (different countries), so it looks like some botnet. But both users
> had 8-char random passwords, each IP is limited to only 5
> unsuccessful SASL attempts via fail2ban, so I guess there must be
> some kind of virus in the wild which is stealing email passwords from
> users' computers...
> 
> I was thinking about limiting the number of different IPs a user is
> allowed to login from during a timeframe (for example allow SASL from
> max. 10 IPs during a 60min sliding window). Is there any tool which
> could do that, or do I need to write it?
> Or what other countermeasures do you suggest? BTW, does postfix have a
> limit on the number of emails sent by SASL user (not by envelope sender), or
> by sender domain?
> 
> 
> -- 
>   bYE, Marki
> 
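As an added example (not part of the original mail, and not code from postfix-policyd or Postfix), this is the half-hourly mail.log report from section 2, extended with the per-user distinct-IP count the original poster asked about. It assumes stock Postfix syslog lines: the smtpd line that carries the queue id, the client IP and sasl_username, joined on the queue id to the qmgr line that carries from=<...>. The sample log lines, the user names, IPs and the thresholds are constructed for the demonstration.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample Postfix log (not real traffic). The queue id links the
# smtpd line (client IP, SASL user) to the qmgr line (envelope sender).
SAMPLE_LOG = """\
Oct  7 15:40:01 mx postfix/smtpd[4711]: 1A2B3C4D5E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Oct  7 15:40:01 mx postfix/qmgr[2345]: 1A2B3C4D5E: from=<alice@example.com>, size=2345, nrcpt=1 (queue active)
Oct  7 15:40:02 mx postfix/smtpd[4712]: 1A2B3C4D5F: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Oct  7 15:40:02 mx postfix/qmgr[2345]: 1A2B3C4D5F: from=<alice@example.com>, size=2345, nrcpt=1 (queue active)
Oct  7 15:40:03 mx postfix/smtpd[4713]: 1A2B3C4D60: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=alice@example.com
Oct  7 15:40:03 mx postfix/qmgr[2345]: 1A2B3C4D60: from=<alice@example.com>, size=2345, nrcpt=1 (queue active)
Oct  7 15:40:04 mx postfix/smtpd[4714]: 1A2B3C4D61: client=unknown[203.0.113.80], sasl_method=PLAIN, sasl_username=bob@example.org
Oct  7 15:40:04 mx postfix/qmgr[2345]: 1A2B3C4D61: from=<bob@example.org>, size=512, nrcpt=1 (queue active)
Oct  7 15:40:05 mx postfix/smtpd[4720]: 9Z8Y7X6W5V: client=mail.example.net[192.0.2.9]
Oct  7 15:40:05 mx postfix/qmgr[2345]: 9Z8Y7X6W5V: from=<someone@example.net>, size=900, nrcpt=1 (queue active)
Oct  7 15:40:06 mx postfix/smtp[4730]: 1A2B3C4D5E: to=<x@example.net>, relay=mail.example.net, status=sent (250 OK)
"""

# smtpd line of an authenticated submission: queue id, client IP, SASL user.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=[^\[\s]+\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)"
)
# qmgr line: queue id and envelope sender (empty for bounces).
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>")


def parse_log(lines):
    """Return one record per SASL-authenticated message: qid, ip, user, sender.

    Unauthenticated (inbound) mail has no sasl_username on its smtpd line and
    is deliberately left out of the report.
    """
    auth = {}      # queue id -> (client ip, sasl user)
    messages = []
    for line in lines:
        m = SMTPD_RE.search(line)
        if m:
            auth[m.group("qid")] = (m.group("ip"), m.group("user"))
            continue
        m = QMGR_RE.search(line)
        if m and m.group("qid") in auth:
            ip, user = auth[m.group("qid")]
            messages.append({"qid": m.group("qid"), "ip": ip,
                             "user": user, "sender": m.group("sender")})
    return messages


def summarize(messages):
    """Count messages per SASL user (with distinct IPs), envelope sender and domain."""
    per_user = defaultdict(lambda: {"count": 0, "ips": set()})
    per_sender = Counter()
    per_domain = Counter()
    for msg in messages:
        stats = per_user[msg["user"]]
        stats["count"] += 1
        stats["ips"].add(msg["ip"])
        per_sender[msg["sender"]] += 1
        sender = msg["sender"]
        domain = sender.rsplit("@", 1)[1] if "@" in sender else "<>"
        per_domain[domain] += 1
    return per_user, per_sender, per_domain


def find_alerts(messages, max_messages, max_ips):
    """Return alert strings for users/domains above the constructed thresholds."""
    per_user, _per_sender, per_domain = summarize(messages)
    alerts = []
    for user, stats in sorted(per_user.items()):
        if stats["count"] > max_messages:
            alerts.append(f"sasl user {user}: {stats['count']} messages (limit {max_messages})")
        if len(stats["ips"]) > max_ips:
            alerts.append(f"sasl user {user}: {len(stats['ips'])} distinct client IPs (limit {max_ips})")
    for domain, n in sorted(per_domain.items()):
        if n > max_messages:
            alerts.append(f"sender domain {domain}: {n} messages (limit {max_messages})")
    return alerts


if __name__ == "__main__":
    # Usage: python report.py /var/log/mail.log   (run from cron every 30 min;
    # without an argument the constructed sample above is used)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for alert in find_alerts(parse_log(lines), max_messages=2, max_ips=2):
        print(alert)
```

In a real deployment the thresholds come from the normal volume estimated in section 1, and the script should only read the lines written since the previous run (for example via logtail or by rotating the log), otherwise every run re-reports the same day's totals.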
