On Fri, Nov 7, 2014 at 11:13 AM, Patrick von der Hagen <[email protected]> wrote:
> Hi all,
>
> I've been having issues with compromised accounts used to send spam via
> authenticated connections to my servers. Don't ask me how those people
> lost their passwords, but they did.
> Now I'm looking for ideas how to identify issues faster. One of them is
I classify compromised accounts in two ways:

1) Customer clicked something and a spam cannon is now running on his computer.

2) Customer's user/pass got obtained by something and distributed to a botnet, which has bot clients all over the world using that account through your mail servers.

Your solution addresses the first scenario.

One thing you can do to address and identify the second scenario is track how many different IP addresses a single account connects from to send email using SMTP Auth. A clear sign is when an account that normally connects from about 3 or 4 unique /24s (phone on cellular network, phone/laptop on wifi at home, phone/laptop on wifi at work, laptop from a coffee shop, for example).

You also have to take into account (the script below does not really) that some mobile systems are older, and periods of inactivity result in the IP lease expiring. Then the next time the phone connects using cellular data to check mail, it gets a new IP, usually very close to the last one it had. This is when tracking things per /24 would be most useful to prevent false positives.

Start with something like this that will scan the Exim logs looking for accounts that have been connected to from many more addresses than some limit you set. Then you can block them if you choose by changing the password of the compromised account, and have someone contact them out-of-band.

http://downloads.mrball.net/Linux/Exim/detect_hacked_smtp_auth_conns.pl

I really should put that up on github, I guess. One day, just not right now.

...Todd

-- 
The total budget at all receivers for solving senders' problems is $0. If you want them to accept your mail and manage it the way you want, send it the way the spec says to. --John Levine

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
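The per-/24 counting that Todd describes, as an added example that is not part of the original post and not Todd's Perl script: it parses Exim mainlog "<=" arrival lines that carry an A=<authenticator>:<id> field (the form Exim uses for authenticated submissions), collapses each client address to its /24, and reports any account seen from more than a chosen number of distinct /24s. The log lines are constructed for the example, not real traffic; the function names, the limit of 4, and the choice of /64 for IPv6 clients are my assumptions, not anything from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Exim mainlog format (not real log data). Only "<=" arrival
# lines with an A= field are authenticated submissions; the last line (carol) is an
# ordinary unauthenticated delivery and must be ignored. Documentation ranges only.
SAMPLE_LOG = """\
2014-11-07 08:01:12 1XmAAA-0001aa-AA <= alice@example.org H=(phone) [203.0.113.17] P=esmtpsa A=plain:alice@example.org S=2011 id=a1@example.org
2014-11-07 08:12:40 1XmAAA-0001ab-AB <= alice@example.org H=(phone) [203.0.113.23] P=esmtpsa A=plain:alice@example.org S=1843 id=a2@example.org
2014-11-07 09:30:02 1XmAAA-0001ac-AC <= alice@example.org H=(laptop) [198.51.100.9] P=esmtpsa A=plain:alice@example.org S=5120 id=a3@example.org
2014-11-07 09:45:55 1XmAAA-0001ad-AD <= alice@example.org H=(phone) [203.0.113.99] P=esmtpsa A=plain:alice@example.org S=900 id=a4@example.org
2014-11-07 10:00:00 1XmAAA-0001ae-AE <= bob@example.org H=(bot) [192.0.2.5] P=esmtpa A=login:bob@example.org S=30000 id=b1@example.org
2014-11-07 10:00:01 1XmAAA-0001af-AF <= bob@example.org H=(bot) [198.51.100.200] P=esmtpa A=login:bob@example.org S=30000 id=b2@example.org
2014-11-07 10:00:02 1XmAAA-0001ag-AG <= bob@example.org H=(bot) [203.0.113.250] P=esmtpa A=login:bob@example.org S=30000 id=b3@example.org
2014-11-07 10:00:03 1XmAAA-0001ah-AH <= bob@example.org H=(bot) [192.0.2.77] P=esmtpa A=login:bob@example.org S=30000 id=b4@example.org
2014-11-07 10:00:04 1XmAAA-0001ai-AI <= bob@example.org H=(bot) [198.18.4.4] P=esmtpa A=login:bob@example.org S=30000 id=b5@example.org
2014-11-07 10:00:05 1XmAAA-0001aj-AJ <= bob@example.org H=(bot) [100.64.1.1] P=esmtpa A=login:bob@example.org S=30000 id=b6@example.org
2014-11-07 10:05:00 1XmAAA-0001ak-AK <= carol@example.org H=(mx) [192.0.2.9] P=esmtp S=1500 id=c1@example.org
"""

# Timestamp, queue id, "<=" arrival marker, sender, the client address in [...],
# then the A= field. Lines without " A=" (unauthenticated mail) simply don't match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ .*?\[(?P<ip>[^\]]+)\].*? A=(?P<auth>\S+)"
)


def parse_auth_submissions(log_text):
    """Yield (account, client_ip) for every authenticated message arrival."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        auth = m.group("auth")
        # A=<authenticator name>:<authenticated id>; keep the id part.
        account = auth.split(":", 1)[1] if ":" in auth else auth
        yield account, m.group("ip")


def source_block(ip_str):
    """Collapse a client address to its /24 so that a phone re-leasing a nearby
    cellular address (the false-positive case in the thread) counts as one source.
    IPv6 is collapsed to /64 here; that prefix is my assumption, not from the thread."""
    addr = ipaddress.ip_address(ip_str)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def blocks_per_account(log_text):
    """Map each authenticated account to the set of /24s it submitted mail from."""
    seen = defaultdict(set)
    for account, ip in parse_auth_submissions(log_text):
        seen[account].add(source_block(ip))
    return seen


def suspicious_accounts(log_text, limit=4):
    """Accounts seen from more than `limit` distinct blocks, with their blocks sorted.
    A limit of 4 is an assumed starting point; tune it to your own user base."""
    return {acct: sorted(blocks)
            for acct, blocks in blocks_per_account(log_text).items()
            if len(blocks) > limit}


if __name__ == "__main__":
    # Typical use: python3 this_script.py < /var/log/exim4/mainlog (path is an assumption)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for acct, blocks in suspicious_accounts(text).items():
        print(f"{acct}: {len(blocks)} source /24s: {', '.join(blocks)}")
```

Note that alice's four submissions from three different 203.0.113.x addresses count as a single /24 plus one more for the laptop, so she stays under the limit, while bob's six submissions from six unrelated /24s within a few seconds exceed it. In practice you would run this over a sliding window (a day of mainlog, say) rather than the whole file, since an account's legitimate /24s accumulate over months.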
