Yes, I agree it's annoying for your users, but sometimes convenience needs to be sacrificed for security. As I said, mail could be set up so that receiving is allowed, and sending internal mail is allowed, but not sending outside, when "away from your home network". It's also possible to set up for example VPN accounts and similar for travelling "VIP" users, so those "VIP" users can use cellphone mail, but regular users have to wait until they're home before replying to mail. By allowing receiving of mail from worldwide, it's possible that a user can use a GMAIL account to reply to a mail when they are away. Webmail that can be accessed from abroad can be set up too, preferably with strong OTP authentication.

Large mail providers like hotmail, gmail and such can track user behaviour and find out if a known spammer logs into a gmail account, and thus block it off. This is because they have a fairly large "view" of the internet and in practice know most spammer IPs and ISPs, and can request extra verification via SMS, for example, when a known spammer IP or suspicious country attempts to log on to a GMAIL account.

For a small/medium corporation/organization or private mail, this is impossible, and thus it's better to rely on whitelisting instead: whitelisting countries, whitelisting ISP ranges and such, to ensure the end user's account doesn't get compromised.


-----Original message----- From: Patrick Domack
Sent: Saturday, April 18, 2015 11:35 PM
To: postfix-users@postfix.org
Subject: Re: Blocking compromised accounts (outgoing spam) and auth cracking

This sounds painfully annoying.

I hope your users never travel, take a vacation, or go on a work trip.

And it doesn't stop or help if the user gets a virus on their computer
that uses the local saved credentials on that computer, and also will
make cellphone mail completely unusable.


Quoting Sebastian Nielsen <sebast...@sebbe.eu>:

I think you are approaching this problem from the wrong end.
Instead of blocking compromised accounts, make sure they cannot be compromised.

For example: configure your server to only accept authentication from valid IPs, for example company-internal ones, or implement geoIP blocking so that if your organization is located in Country X, you whitelist Country X and then disallow every other country from logging in. Another thing to implement is IP-range restriction. You could implement this as a policy service, where the first login of a new user will record the IP range the user's ISP is using (this can be enumerated either by doing a whois lookup against the user's IP, or by doing an ASN lookup against the user's ASN number). This will return a range like 94.185.80.0 - 94.185.87.255 for a small ISP or a larger range like x.x.0.0 to x.x.255.255 for a larger ISP. Once a user has logged in for the first time, his account will be locked to the ISP he is currently using.

This will cut down on compromised accounts and spam very much, since the user's username and password are worthless to anyone who doesn't have the same ISP as the account's owner. If you don't want to restrain your users too much, you can always allow receiving of POP3/IMAP mail worldwide without IP restriction, and also allow internal mail, but relayed mail is subject to the IP restriction.

-----Original message----- From: Chuck Peters
Sent: Saturday, April 18, 2015 8:16 PM
To: postfix-users@postfix.org
Subject: Blocking compromised accounts (outgoing spam) and auth cracking



I'm researching migrating some Exim servers to Postfix and would like to implement automatic blocking of compromised and spammers' accounts with notifications to staff. Any suggestions?

On the Exim user list today someone suggested https://github.com/Exim/exim/wiki/BlockCracking.

Blocking compromised accounts (outgoing spam) and auth cracking

Nowadays users' passwords are often stolen (with drive-by exploits, Windows malware, phishing) and used for spamming. Spam sent with authentication via your server causes it to be blacklisted without notice and sometimes without appeal. Simple rate limiting of authenticated users constrains honest users while still allowing spam to trickle through; your server still ends up in blacklists. Each server needs automatic detection and blocking of compromised accounts (stolen passwords). I amended and implemented (for Exim version 4.67 or higher) Andrew Hearn's idea to check not the rate of messages or of all recipients, but the rate of attempts to send to nonexistent recipient email addresses. The vast majority of spammers never try to validate every recipient address. Spammers harvest strings looking like email addresses from webpages and disks of trojaned Windowses, then sell huge lists of email addresses to each other. These lists contain very many email addresses which don't exist anymore or never existed: Message-Ids, corrupted strings in memory and files. In short, spammers' lists of email addresses are much dirtier than the lists honest users send to. Honest users are very unlikely to attempt to send to 100 nonexistent email addresses in one hour. Below I explain in detail (for novices at Exim) what to change in the Exim config for automatic blocking of compromised and spammers' accounts, with automatic email notification to the sysadmin or your abuse or support staff.
...


Thanks,
Chuck
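As an added example, not part of this thread or of the Exim wiki page: the BlockCracking rule quoted above (block an authenticated account once it has tried to send to 100 nonexistent recipients within one hour) written as the decision logic of a Postfix SMTPD access policy service, which is the Postfix mechanism closest to an Exim RCPT ACL. The attribute names (`request`, `sasl_username`, `recipient`) are the real ones from Postfix's policy delegation protocol; the local recipient table and the set of resolvable domains are constructed stand-ins for the local_recipient_maps lookup and a DNS check, and the service is assumed to be consulted at the RCPT stage before relaying.

```python
import collections

THRESHOLD = 100   # nonexistent recipients per window before an account is blocked
WINDOW = 3600     # seconds; the one-hour window from the BlockCracking text

LOCAL_USERS = {"alice@example.com", "bob@example.com"}   # constructed stand-in for local_recipient_maps
RESOLVABLE_DOMAINS = {"example.net", "example.org"}      # constructed stand-in for a DNS lookup

def recipient_exists(address):
    """Local domain: address must be in the local table; remote domain: it must resolve."""
    _, _, domain = address.rpartition("@")
    if domain == "example.com":
        return address in LOCAL_USERS
    return domain in RESOLVABLE_DOMAINS

def parse_policy_request(text):
    """Parse one Postfix policy request: 'name=value' lines terminated by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class CrackingDetector:
    def __init__(self, exists=recipient_exists, threshold=THRESHOLD, window=WINDOW):
        self.exists, self.threshold, self.window = exists, threshold, window
        self.failures = collections.defaultdict(collections.deque)  # user -> failure timestamps
        self.blocked = set()  # accounts already blocked and handed to staff

    def check(self, attrs, now):
        """Return (policy action, account that staff must be notified about or None)."""
        user = attrs.get("sasl_username", "")
        if attrs.get("request") != "smtpd_access_policy" or not user:
            return "DUNNO", None  # not a policy request, or an unauthenticated client
        if user in self.blocked:
            return "REJECT account blocked, contact support", None
        if self.exists(attrs.get("recipient", "")):
            return "DUNNO", None
        stamps = self.failures[user]
        stamps.append(now)
        while stamps and stamps[0] <= now - self.window:  # slide the one-hour window
            stamps.popleft()
        if len(stamps) >= self.threshold:
            self.blocked.add(user)  # block the account; the caller mails the returned name to staff
            return "REJECT account blocked, contact support", user
        return "DUNNO", None
```

The daemon loop around this writes `action=` followed by the returned string and a blank line back to smtpd, and the second element of the tuple is what the notification hook sends to your abuse or support staff.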


