Natalio Gatti wrote:
On Mon, Apr 26, 2010 at 10:26 AM, Natalio Gatti <nga...@gmail.com> wrote:

    Hi List.
    I'm having a big spam problem. It seems that my users DB has been
    compromised, and I'm receiving authenticated connections from
    outside that are used to send tons of spam. I have managed to
    identify some users and changed their pwd. But as soon as I stop one
    user, they start to use another.
    Is there a way to forbid auth sessions on port 25? My clients use the
    submission port to send their messages.
    I'm thinking of creating two tcprules (one for port 25 and one for port
    587). But I don't know how to match auth sessions inside tcprules.

I have read the tcprules documentation and it does not seem to be able to accomplish what I need. I was thinking of another way to stop these messages, so I started to look at what these messages look like:
1) They are all coming from outside
2) They are all authenticated connections
3) They have forged and different froms
4) They have different content
5) They have different destinations
So, I was thinking of attacking point 3. Is there a way to control or compare the from-address with the authenticated address? PS: I have found that some users answered a mail asking for their user/pwd! Social engineering was the way to obtain my DB!!!

I think I would simply change the passwords as you find they've been compromised. Either that or undertake a project to change all passwords.

Are you using spamdyke? If so, since all your users are authenticating, you should blacklist your own domain(s) in the blacklist_senders file. This seems counterintuitive, but it works since authenticated sessions bypass all filters. This will keep outsiders from forging your domain, which should help control phishing emails that solicit passwords.

You might also consider installing sane-security rules for clamav (see qtp-install-sanesecurity script in QTP). That helps to reject some phishing spams, although I don't know that it'll catch the ones that have bitten you previously.

A little user education wouldn't hurt either. A well written email might suffice.
--
-Eric 'shubes'
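The two ideas in this exchange, rejecting unauthenticated sessions that claim one of your own domains (what blacklisting your own domain in spamdyke achieves) and Natalio's "point 3" comparison of the envelope sender with the authenticated account, plus a log sweep that spots an account authenticating from many outside addresses, as an added example. This is not code from the thread, spamdyke or qmailtoaster; the domain list, trusted networks, `Session` shape and the `<ip> AUTH <user>` log format are constructed placeholders, and the function names are my own.

```python
# Added example, not part of the thread or of spamdyke/qmailtoaster.
# Sender policy for an SMTP front end: unauthenticated sessions may not use a
# local domain, authenticated sessions may only send as the account they logged
# in with; plus a detection sweep over (constructed) auth log lines.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
import re

# Constructed placeholder values; replace with your own domains and office networks.
LOCAL_DOMAINS = {"example.com", "example.net"}
TRUSTED_NETS = [ip_network("192.0.2.0/24"), ip_network("10.0.0.0/8")]


@dataclass
class Session:
    client_ip: str
    auth_user: Optional[str]   # SMTP AUTH identity, e.g. "bob@example.com", or None
    mail_from: str             # envelope sender from MAIL FROM; "" or "<>" is the null sender


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address; empty string for the null sender."""
    addr = addr.strip("<> ").lower()
    return addr.rpartition("@")[2] if "@" in addr else ""


def check_sender(s: Session, local_domains=LOCAL_DOMAINS):
    """Return (accept, reason) for the envelope sender of one session."""
    sender = s.mail_from.strip("<> ").lower()
    if s.auth_user is None:
        if sender == "":
            return True, "null sender (bounce) from outside"
        if domain_of(sender) in local_domains:
            # the "blacklist your own domain" rule: outsiders never send as us
            return False, "unauthenticated session claims a local domain"
        return True, "ordinary inbound mail"
    user = s.auth_user.lower()
    if "@" not in user:
        # bare username: it may only send as <user>@<one of our domains>
        user = f"{user}@{domain_of(sender)}"
    if domain_of(user) not in local_domains or sender != user:
        # "point 3": a compromised account cannot forge someone else's From
        return False, "authenticated user does not match envelope sender"
    return True, "authenticated sender matches account"


# Constructed log lines in a simple "<ip> AUTH <user>" shape. A real qmail or
# spamdyke log looks different, so adapt AUTH_RE to your own format.
SAMPLE_LOG = """\
203.0.113.5 AUTH alice@example.com
198.51.100.9 AUTH alice@example.com
203.0.113.77 AUTH alice@example.com
192.0.2.10 AUTH bob@example.com
203.0.113.5 AUTH carol@example.com
"""
AUTH_RE = re.compile(r"^(\S+) AUTH (\S+)$")


def is_trusted(ip: str, nets=TRUSTED_NETS) -> bool:
    """True when the client address lies inside one of the trusted networks."""
    return any(ip_address(ip) in net for net in nets)


def suspicious_accounts(log_text: str, max_outside_ips: int = 2, nets=TRUSTED_NETS):
    """Accounts that authenticated from more than max_outside_ips distinct untrusted IPs."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m and not is_trusted(m.group(1), nets):
            seen[m.group(2).lower()].add(m.group(1))
    return sorted(user for user, ips in seen.items() if len(ips) > max_outside_ips)


if __name__ == "__main__":
    for sess in (
        Session("203.0.113.5", None, "boss@example.com"),          # forged local domain
        Session("203.0.113.5", "bob@example.com", "ceo@example.com"),  # account sending as someone else
        Session("203.0.113.5", "bob@example.com", "Bob@Example.com"),  # legitimate
    ):
        print(sess.mail_from, "->", check_sender(sess))
    print("accounts to reset:", suspicious_accounts(SAMPLE_LOG))
```

The policy half is meant to sit where the server already knows the AUTH result, so a password reset for one account stops that account only, while the From check removes the value of every other stolen password at once. The log sweep is the companion for the "as soon as I stop one user, they start to use another" problem: run it over a day of logs and reset every account it lists in one go rather than chasing them one at a time.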


---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
     If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
    Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
    For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com