On 22 November 2017 at 14:31, Vegard Svanberg <veg...@svanberg.no> wrote:
> We have a few scripts in place to handle (outgoing) spam outbreaks.
>
> This works well, but we struggle a bit with one scenario where the
> username and password are in the wild, and the spammer connects to the
> email server and sends multiple emails through the same connection.
>
> Because even if we lock the account, the session is still active so they
> can spam until the connection is terminated.
>
> The same scenario occurs if a botnet has set up multiple connections,
> but the server is laggy or whatever so they've authenticated, but
> haven't gotten to the "DATA" part of the SMTP dialogue yet (BTW: some
> spambots appear to exhibit speculative behaviour here - as if they do
> this on purpose).
>
> So... what's the recommended approach here?
>
> Is there an easy way to tear down specific (by a particular user)
> connections?

Maybe you could create a fail2ban jail based on frequency of
repetition of log entries of the multiple outgoing emails? Obviously
you would have to find some reliable way to distinguish between the
log entries generated by a spammer's mails and a genuine user's (which
might be tricky if your genuine users might also send a lot of emails
in a short space of time). Normally fail2ban is used for temporary IP
blocking via iptables (but other actions are possible).

Someone had a similar problem here:
https://www.howtoforge.com/community/threads/postfix-dos-spam-attack.61196/
