Hi,

On Fri, Jul 12, 2024 at 09:44:09PM +0200, Marco Moock via mailop wrote:
> On 12.07.2024 at 12:36:10 Mark E. Jeftovic wrote:
> > You'd need to be able to break down which unit is generating the spam.
>
> I think abuse reports will be fine for that.

We typically want to identify the problem before abuse reports start coming in, as that can take hours to days and waiting will potentially allow hundreds of thousands of incidents of abuse.

> You can use outgoing logging only for the port 25 (e.g. Cisco ACL
> permit <src-IP> any eq 25 log

Similarly netflow is one option. We export details of outbound SYN packets for setting up port 22 and 25 connections. An abnormal rate of this (i.e. abnormal per-customer rate of SSH/SMTP session creation) triggers alerts for a human to look into.

You also need to make customers aware of this because some legitimate uses of a VM will trigger it, such as penetration testing their own or their client's infrastructure, or doing a big email marketing campaign etc. It's fairly obvious if they have a big rate of connections to few IPs of a known email service provider; less so if they are doing the outbound mail themselves, which is rare but does happen. So they need to know to communicate their extreme deviations from the norm, otherwise we would be too scared to ever take action.

For us it is done with perl scripts querying an SQL database of ulogd2 data for the outbound port 22/25 SYN packets from the nftables firewall on each of our hypervisors.

https://netfilter.org/projects/ulogd/index.html

This could of course be extended to catch other forms of automated abuse but we haven't found it happens too often outside of SSH and SMTP. Most incidents are our customers being compromised by extremely simple brute force scanning efforts, not bad actors signing up. I'm sure big platforms are more targeted.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
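The per-customer SYN-rate alerting Andy describes (outbound port 22/25 SYNs logged by nftables into ulogd2, then queried from SQL and compared against each customer's own norm) can be sketched as follows. This is an added illustration, not BitFolk's scripts: Python with an in-memory SQLite table stands in for the perl-over-SQL setup in the post, the table columns are a simplified assumption loosely modelled on ulogd2's SQL output rather than its exact schema, the nft rule in the comment is illustrative, the thresholds are arbitrary, and all traffic is constructed. It also records how many distinct destinations a spiking customer hit, the cue Andy mentions for telling a bulk campaign to one relay apart from a compromised VM spraying many hosts.

```python
"""Per-customer outbound SSH/SMTP SYN-rate alerting over ulogd2-style records.

Added illustration, not BitFolk's code. Python + in-memory SQLite stands in
for the perl-scripts-over-SQL setup described in the post. The table layout
is a simplified assumption loosely modelled on ulogd2's SQL output; the
thresholds and sample traffic below are constructed for the example.
"""
import sqlite3
import statistics

# A hypervisor rule feeding ulogd2 would log only outbound SYNs to 22/25,
# roughly like this (assumed, illustrative nft syntax, not the post's rule):
#   nft add rule inet filter forward tcp dport { 22, 25 } \
#       tcp flags & (syn|ack) == syn log group 1

WINDOW_SECONDS = 300        # assumed bucket size for rate comparison
MIN_SYNS_TO_ALERT = 20      # assumed floor so tiny baselines never alert
RATIO_OVER_BASELINE = 5.0   # assumed multiplier over the customer's own median
T0 = 1_720_000_200          # arbitrary epoch base, aligned to WINDOW_SECONDS


def _syns(src, dsts, dport, t0, n):
    """Construct n SYN records from src, one per second, cycling through dsts."""
    return [(t0 + i, src, dsts[i % len(dsts)], dport) for i in range(n)]


def sample_records():
    """Constructed traffic for four customers (TEST-NET addresses) over five windows."""
    rows = []
    for w in range(4):  # four quiet windows of history
        rows += _syns("192.0.2.10", ["198.51.100.25"], 25, T0 + w * WINDOW_SECONDS, 2)
        rows += _syns("192.0.2.20", ["198.51.100.5"], 25, T0 + w * WINDOW_SECONDS, 3)
        rows += _syns("192.0.2.30", ["198.51.100.40"], 22, T0 + w * WINDOW_SECONDS, 1)
    last = T0 + 4 * WINDOW_SECONDS
    # compromised VM spraying SMTP at 50 distinct hosts
    rows += _syns("192.0.2.10", [f"203.0.113.{i}" for i in range(1, 51)], 25, last, 50)
    # legitimate bulk mailing: a similar volume spike, but to two relay IPs
    rows += _syns("192.0.2.20", ["198.51.100.5", "198.51.100.6"], 25, last, 40)
    # SSH brute-force scanning outward to 30 distinct hosts
    rows += _syns("192.0.2.30", [f"203.0.113.{i}" for i in range(100, 130)], 22, last, 30)
    # steady customer, never alerts
    for w in range(5):
        rows += _syns("192.0.2.40", ["198.51.100.50"], 25, T0 + w * WINDOW_SECONDS, 4)
    return rows


def load(records):
    """Load (oob_time_sec, ip_saddr_str, ip_daddr_str, tcp_dport) rows into SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ulog2 (oob_time_sec INTEGER, ip_saddr_str TEXT,"
                 " ip_daddr_str TEXT, tcp_dport INTEGER)")
    conn.executemany("INSERT INTO ulog2 VALUES (?, ?, ?, ?)", records)
    return conn


def window_counts(conn, dport, window=WINDOW_SECONDS):
    """{src: [(window_start, syn_count, distinct_dsts), ...]} in time order."""
    rows = conn.execute(
        "SELECT ip_saddr_str, (oob_time_sec / ?) * ? AS w,"
        "       COUNT(*), COUNT(DISTINCT ip_daddr_str)"
        " FROM ulog2 WHERE tcp_dport = ?"
        " GROUP BY ip_saddr_str, w ORDER BY ip_saddr_str, w",
        (window, window, dport)).fetchall()
    series = {}
    for src, w, n, d in rows:
        series.setdefault(src, []).append((w, n, d))
    return series


def triage_hint(syns, distinct_dsts):
    """Rough cue for the human: a spike aimed at a handful of hosts is more likely
    a campaign via a relay or ESP; one spread across many hosts looks like scanning."""
    return "few-destinations" if distinct_dsts * 10 <= syns else "many-destinations"


def find_anomalies(conn, dport, at, window=WINDOW_SECONDS,
                   min_syns=MIN_SYNS_TO_ALERT, ratio=RATIO_OVER_BASELINE):
    """Flag sources whose SYN count in the window containing `at` is far above
    their own median over earlier windows. Returns a list of alert dicts."""
    target = (at // window) * window
    alerts = []
    for src, series in window_counts(conn, dport, window).items():
        current = [(n, d) for w, n, d in series if w == target]
        if not current:
            continue  # no SYNs from this customer in the window under review
        syns, dsts = current[0]
        history = [n for w, n, _ in series if w < target]
        baseline = statistics.median(history) if history else 0
        if syns >= min_syns and syns > ratio * baseline:
            alerts.append({"src": src, "dport": dport, "window_start": target,
                           "syns": syns, "baseline": baseline,
                           "distinct_dsts": dsts, "hint": triage_hint(syns, dsts)})
    return alerts


if __name__ == "__main__":
    db = load(sample_records())
    for port in (22, 25):
        for alert in find_anomalies(db, port, T0 + 4 * WINDOW_SECONDS):
            print(alert)
```

Run as a script it prints three alerts for the last window: the SMTP spray from 192.0.2.10 (50 SYNs, 50 destinations), the bulk mailing from 192.0.2.20 (40 SYNs, 2 destinations, hinted as few-destinations so the operator can match it against a heads-up from the customer), and the SSH scan from 192.0.2.30; the steady customer never trips the floor. A quiet window earlier in the series yields no alerts. Comparing against each customer's own median rather than a global threshold is what keeps a customer who legitimately runs their own outbound mail from alerting every window, which is the case Andy notes is hardest to distinguish.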