On Mon, Apr 26, 2010 at 12:59 PM, South Computers <i...@southcomputers.com> wrote:

> Eric Shubert wrote:
>
>> Natalio Gatti wrote:
>>
>>> On Mon, Apr 26, 2010 at 10:26 AM, Natalio Gatti <nga...@gmail.com> wrote:
>>>
>>> Hi List.
>>> I'm having a big spam problem. It seems that my users' DB has been
>>> compromised, and I'm receiving authenticated connections from
>>> outside that are used to send tons of spam. I have managed to
>>> identify some users and changed their pwd. But as soon as I stop one
>>> user, they start to use another.
>>> Is there a way to forbid auth sessions on port 25? My clients use the
>>> submission port to send their messages.
>>> I'm thinking of creating two tcprules (one for port 25 and one for port
>>> 587). But I don't know how to match auth sessions inside tcprules.
>>>
>>> I have read the tcprules documentation and it does not seem to be able to
>>> accomplish what I need.
>>> I was thinking of another way to stop these messages, so I started to
>>> look at what these messages look like:
>>> 1) They are all coming from outside
>>> 2) They are all authenticated connections
>>> 3) They have forged and different froms
>>> 4) They have different content
>>> 5) They have different destinations
>>> So, I was thinking of attacking point 3. Is there a way to control or
>>> compare the from-address with the authenticated address?
>>> PS: I have found that some users answered a mail asking for their
>>> user/pwd! Social engineering was the way to obtain my DB!!!
>>>
>>
>> I think I would simply change the passwords as you find they've been
>> compromised. Either that or undertake a project to change all passwords.
>>
>> Are you using spamdyke? If so, since all your users are authenticating,
>> you should blacklist your own domain(s) in the blacklist_senders file. This
>> seems counterintuitive, but it works since authenticated sessions bypass
>> all filters. This will keep outsiders from forging your domain, which should
>> help control phishing emails that solicit passwords.
>>
>> You might also consider installing sane-security rules for clamav (see the
>> qtp-install-sanesecurity script in QTP). That helps to reject some phishing
>> spams, although I don't know that it'll catch the ones that have bitten you
>> previously.
>>
>> A little user education wouldn't hurt either. A well-written email might
>> suffice.
>>
>
> Also, are they coming from a specific region? China, Korea, or? Block the
> whole country with hosts.deny or iptables if so. Also, I would change the
> admin password for vqadmin if using it. Perhaps they got access to it
> and printed out all the usernames/passwords?
>

I'll see if I can nail them down to a specific area. Thanks.
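As an added illustration, not code from anyone in this thread: the check Natalio asks about in point 3 (does the envelope sender of an authenticated session match the account that authenticated?) can be run offline over the SMTP log to find the accounts that are being abused, and to collect the source IPs that South Computers suggests blocking. The sample log lines below are constructed for this example and only loosely modelled on spamdyke's "ALLOWED ... auth:" lines; the regex, the local_domains set and the max_forged threshold are assumptions you would adapt to your own log format and domains.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the thread). The format is only
# loosely modelled on spamdyke's ALLOWED lines; adjust LOG_RE to your logs.
SAMPLE_LOG = """\
spamdyke[2101]: ALLOWED from: jsmith@example.com to: a@b.org origin_ip: 203.0.113.10 auth: jsmith@example.com
spamdyke[2102]: ALLOWED from: win-a-prize@lottery.example to: c@d.org origin_ip: 198.51.100.7 auth: jsmith@example.com
spamdyke[2103]: ALLOWED from: info@some-bank.example to: e@f.org origin_ip: 198.51.100.7 auth: jsmith@example.com
spamdyke[2104]: ALLOWED from: mlopez@example.com to: g@h.org origin_ip: 192.0.2.5 auth: mlopez@example.com
spamdyke[2105]: ALLOWED from: noreply@random.example to: i@j.org origin_ip: 198.51.100.9 auth: jsmith@example.com
"""

# Assumed log layout: sender, recipient, client IP and authenticated user.
LOG_RE = re.compile(
    r"ALLOWED from: (?P<sender>\S+) to: (?P<rcpt>\S+) "
    r"origin_ip: (?P<ip>\S+) auth: (?P<auth>\S+)"
)


def parse(log_text):
    """Yield one dict per authenticated ALLOWED line; unmatched lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def sender_matches_auth(sender, auth_user, local_domains):
    """Policy for point 3 of the thread: the envelope sender of an
    authenticated session must be the authenticated mailbox itself, or at
    least an address in one of our own domains. Anything else is forged."""
    sender = sender.lower().strip("<>")
    auth_user = auth_user.lower()
    if sender == auth_user:
        return True
    domain = sender.rpartition("@")[2]
    return domain in {d.lower() for d in local_domains}


def find_abusers(log_text, local_domains, max_forged=1):
    """Return {auth_user: forged_count} for accounts whose authenticated
    sessions sent more than max_forged messages with a forged sender."""
    forged = Counter()
    for rec in parse(log_text):
        if not sender_matches_auth(rec["sender"], rec["auth"], local_domains):
            forged[rec["auth"]] += 1
    return {user: n for user, n in forged.items() if n > max_forged}


def source_ips(log_text, auth_user):
    """Client IPs that authenticated as auth_user; feed these to hosts.deny,
    tcprules or iptables once the account's password has been changed."""
    return {rec["ip"] for rec in parse(log_text) if rec["auth"].lower() == auth_user.lower()}


if __name__ == "__main__":
    local = {"example.com"}  # assumed: the domains this server hosts
    abusers = find_abusers(SAMPLE_LOG, local)
    for user, n in abusers.items():
        print(f"{user}: {n} forged-sender messages from {sorted(source_ips(SAMPLE_LOG, user))}")
```

Run against a real log, the accounts it lists are the ones to lock and re-password first; the IP set is what you would match in tcprules or iptables. The check is deliberately lenient (any sender in a hosted domain passes) so that aliases and role addresses do not trip it; tighten it to exact matches if your users never send as anything but their own mailbox.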