As you scale up, tools like LogStash and ElasticSearch and/or Splunk become important in the fight. We deal with tens of millions of messages a day and would absolutely die without good log indexing and search capabilities.
I recall a talk by the former Anti-spam Czar at Yahoo! He stressed the importance of building both fast and slow abuse prevention tactics into your system. Fast tactics include things like rate limiting, content filtering, and recipient validation. Slow tactics involve analysis of historical logs to look for longer term patterns of abuse. You can get arbitrarily sophisticated at both the slow and fast ends of the spectrum.

Another thing we have found very useful is to send different kinds of outbound email traffic out of different IP addresses. For example, send your PHP script email out of one IP, and your webmail email out of another IP address. You might further want to have email from within your network go out through one IP, and email from users logged in from overseas flow out through another. Email receivers will learn from the type of email that comes out of each IP, and treat each stream accordingly, which can reduce your likelihood of running into blacklist problems.

Good luck - this is a huge challenge.

Regards,
Ken

On Tue, May 27, 2014 at 2:30 PM, Bertrand Cherrier <[email protected]> wrote:

> Hi Paul,
>
> I'm dealing with this on a daily basis :(
> My solution (not the perfect one!) is to allow only auth on TLS/submission (port 587) from outside our IP range for relay.
> After only a few days, the problem came back.
> I've applied a rate limit of 2 emails per minute for relay requests from outside our IP range.
>
> I still monitor compromised SMTP accounts so I can reset the customer password.
> But I'm done with playing with the outbound SMTP server while requesting to be de-listed from blacklists!
>
> Hope this helps ...
>
> On 28 May 2014 at 05:03, Paul Warren <[email protected]> wrote:
>
> > We're seeing a growing problem of spam being sent through our servers using compromised authenticated SMTP credentials.
> >
> > We suspect that the credentials are being stolen using malware on the users' computers (over which we have no control).
> >
> > Obviously we block the accounts as quickly as possible once we become aware of the problem, but typically by this point we'll be on multiple blacklists.
> >
> > Does anyone have any suggestions for detecting and blocking, or at least limiting the impact of, such attacks?
> >
> > We're currently considering rate-limiting, or trying to detect where a single user is using multiple IPs in quick succession.
> >
> > thanks,
> >
> > Paul
> >
> > --
> > ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> > ## Exim details at http://www.exim.org/
> > ## Please use the Wiki with this list - http://wiki.exim.org/
>
> Bertrand Cherrier, Systems Administrator
> [email protected] www.mls.nc
> @micrologicnc on Facebook
>
> Telephone: 24 99 24
> VoIP: 65 24 99 24
> Customer Service: 36 67 76 (58F/min)

--
Ken Simpson, CEO
MailChannels
Tel: 604-685-7488
www.mailchannels.com
twitter.com/ttul | ca.linkedin.com/in/ksimpson
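Paul's idea of spotting a single account submitting from multiple IPs in quick succession, and Ken's "slow tactic" of mining historical logs, as an added example that is not from any poster in this thread: a Python script that parses Exim main-log message-arrival ("<=") lines and flags authenticated users whose submissions within a sliding time window came from more than a set number of client IPs, or exceeded a message count. The log lines, hostnames, addresses, user names and thresholds are constructed for the example and are assumptions, not real data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Exim main-log "<=" lines (hostnames, users and
# documentation-range IPs are made up for this example).
SAMPLE_LOG = """\
2014-05-27 14:30:01 1WpXa1-0001aB-Cd <= alice@example.net H=(laptop) [198.51.100.7] P=esmtpsa A=dovecot_login:alice@example.net S=2048
2014-05-27 14:30:20 1WpXa2-0001aC-Ef <= bob@example.net H=(x1) [203.0.113.10] P=esmtpsa A=dovecot_login:bob@example.net S=9120
2014-05-27 14:30:31 1WpXa3-0001aD-Gh <= bob@example.net H=(x2) [203.0.113.44] P=esmtpsa A=dovecot_login:bob@example.net S=9120
2014-05-27 14:30:45 1WpXa4-0001aE-Ij <= bob@example.net H=(x3) [192.0.2.99] P=esmtpsa A=dovecot_login:bob@example.net S=9120
2014-05-27 14:31:02 1WpXa5-0001aF-Kl <= bob@example.net H=(x4) [192.0.2.130] P=esmtpsa A=dovecot_login:bob@example.net S=9120
2014-05-27 14:35:10 1WpXa6-0001aG-Mn <= alice@example.net H=(laptop) [198.51.100.7] P=esmtpsa A=dovecot_login:alice@example.net S=512
"""

# Timestamp, the client IP in square brackets after H=, and the authenticated
# id after "A=<authenticator>:"; unauthenticated lines (no A=) do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ .*?\[(?P<ip>[^\]]+)\]"
    r".*? A=[^:\s]+:(?P<user>\S+)"
)

def parse_auth_submissions(log_text):
    """Yield (timestamp, auth_user, client_ip) for each authenticated '<=' line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]

def flag_suspicious_accounts(log_text, window=timedelta(minutes=10), max_ips=2, max_msgs=30):
    """Return {user: {"ips": n, "msgs": n}} for users that, in some sliding window,
    submitted from more than max_ips distinct IPs or more than max_msgs messages.
    Thresholds are assumed values; tune them to your own traffic."""
    events = defaultdict(list)
    for ts, user, ip in parse_auth_submissions(log_text):
        events[user].append((ts, ip))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            span = evs[start:end + 1]
            ips = {ip for _, ip in span}
            if len(ips) > max_ips or len(span) > max_msgs:
                flagged[user] = {"ips": len(ips), "msgs": len(span)}
                break  # one hit per user is enough to report it
    return flagged

if __name__ == "__main__":
    print(flag_suspicious_accounts(SAMPLE_LOG))
```

Run it over a real `mainlog` slice instead of `SAMPLE_LOG` to get a list of accounts worth a password reset; the same per-user window counts can feed a fast-path rate limit.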
