You are not the only one, I think there is a new virus out there that
steals passwords and sends them to its owner...
Anyway, for those specific users you can disable smtp-auth with vmoduser
-s u...@domain.
After that call your users and tell them that you will reset their
passwords and ask them to get rid of viruses...
Igor
On 4/26/2010 6:02 PM, Natalio Gatti wrote:
On Mon, Apr 26, 2010 at 12:59 PM, South Computers
<i...@southcomputers.com> wrote:
Eric Shubert wrote:
Natalio Gatti wrote:
On Mon, Apr 26, 2010 at 10:26 AM, Natalio Gatti
<nga...@gmail.com> wrote:
Hi List.
I'm having a big spam problem. It seems that my users DB has been
compromised, and I'm receiving authenticated connections from
outside that are used to send tons of spam. I have managed to
identify some users and changed their pwd. But as soon as I stop one
user, they start to use another.
Is there a way to forbid auth sessions on port 25? My clients use
the submission port to send their messages.
I'm thinking of creating two tcprules (one for port 25 and one for port
587). But I don't know how to match auth sessions inside tcprules.
I have read the tcprules documentation and it does not seem
to be able to accomplish what I need.
I was thinking of another way to stop these messages, so
I started to look at what these messages look like:
1) They are all coming from outside
2) They are all authenticated connections
3) They have forged and different Froms
4) They have different content
5) They have different destinations
So, I was thinking to attack point 3. Is there a way to
control or compare the From address with the authenticated address?
PS: I have found that some users answered a mail asking for
their user/pwd! Social engineering was the way to obtain
my DB!!!
I think I would simply change the passwords as you find
they've been compromised. Either that or undertake a project
to change all passwords.
Are you using spamdyke? If so, since all your users are
authenticating, you should blacklist your own domain(s) in the
blacklist_senders file. This seems counterintuitive, but it
works since authenticated sessions bypass all filters. This
will keep outsiders from forging your domain, which should
help control phishing emails that solicit passwords.
You might also consider installing sane-security rules for
clamav (see the qtp-install-sanesecurity script in QTP). That
helps to reject some phishing spams, although I don't know
that it'll catch the ones that have bitten you previously.
A little user education wouldn't hurt either. A well-written
email might suffice.
Also, are they coming from a specific region? China, Korea, or?
Block the whole country with hosts.deny or iptables if so. Also, I
would change the admin password for vqadmin if using it.
Perhaps they got access to it and printed out all the
usernames/passwords?
I'll see if I can nail them down to a specific area. Thanks.
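The thread above turns on two observations: the abused accounts authenticate from outside and then send with forged From addresses that differ from the authenticated user (Natalio's points 2 and 3), and the remedy is per-account (Igor's vmoduser -s step). The script below is an added example, not code from the list or from the qmailtoaster/spamdyke projects: it reads SMTP log lines, groups deliveries by authenticated user, and flags accounts whose sessions use several distinct, non-matching sender addresses. The log lines are constructed and the field layout (from:/to:/origin_ip:/auth:) is an assumption loosely modelled on spamdyke's ALLOWED lines; adjust LINE_RE to your own log format.

```python
import re
from collections import defaultdict

# Constructed sample log; the field layout is an assumption, not a real
# spamdyke or qmail-smtpd capture. 203.0.113.0/24 stands in for "outside".
SAMPLE_LOG = """\
spamdyke[101]: ALLOWED from: alice@example.com to: bob@example.org origin_ip: 198.51.100.7 auth: alice@example.com
spamdyke[102]: ALLOWED from: promo@shop.example to: u1@example.net origin_ip: 203.0.113.5 auth: carol@example.com
spamdyke[103]: ALLOWED from: news@bank.example to: u2@example.net origin_ip: 203.0.113.9 auth: carol@example.com
spamdyke[104]: ALLOWED from: win@lottery.example to: u3@example.net origin_ip: 203.0.113.12 auth: carol@example.com
spamdyke[105]: ALLOWED from: carol@example.com to: friend@example.org origin_ip: 192.0.2.44 auth: carol@example.com
spamdyke[106]: ALLOWED from: dave@example.com to: x@example.org origin_ip: 192.0.2.10 auth: dave@example.com
"""

# Assumed field order; only lines carrying an auth: field are of interest,
# since unauthenticated deliveries are already subject to the normal filters.
LINE_RE = re.compile(
    r"from:\s*(?P<sender>\S+)\s+to:\s*(?P<rcpt>\S+)\s+"
    r"origin_ip:\s*(?P<ip>\S+)\s+auth:\s*(?P<auth>\S+)"
)


def parse_log(text):
    """Yield (auth_user, envelope_sender, origin_ip) for each authenticated delivery."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("auth"), m.group("sender"), m.group("ip")


def summarize(text):
    """Per authenticated account: message count, distinct senders and IPs,
    and how many messages used a From address other than the account itself."""
    per_user = defaultdict(
        lambda: {"messages": 0, "senders": set(), "ips": set(), "mismatches": 0}
    )
    for auth, sender, ip in parse_log(text):
        stats = per_user[auth]
        stats["messages"] += 1
        stats["senders"].add(sender.lower())
        stats["ips"].add(ip)
        # Natalio's point 3: compare the From address with the authenticated address.
        if sender.lower() != auth.lower():
            stats["mismatches"] += 1
    return per_user


def suspicious_users(text, min_messages=3, min_distinct_senders=2):
    """Accounts that sent at least min_messages using at least
    min_distinct_senders different From addresses, at least one of which
    is not the account's own address. Thresholds are illustrative."""
    flagged = []
    for user, stats in summarize(text).items():
        if (
            stats["messages"] >= min_messages
            and len(stats["senders"]) >= min_distinct_senders
            and stats["mismatches"] > 0
        ):
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    for user, stats in summarize(SAMPLE_LOG).items():
        print(
            f"{user}: {stats['messages']} msgs, {len(stats['senders'])} senders, "
            f"{len(stats['ips'])} ips, {stats['mismatches']} mismatched From"
        )
    print("flag:", suspicious_users(SAMPLE_LOG))
```

On the sample, only carol@example.com is flagged: four messages, four distinct From addresses, three of them not her own. The flagged list is what you would feed into the per-user disable and password-reset steps Igor describes, and the same comparison (From versus authenticated user) is the check Natalio asked about; it is applied here after the fact over logs, since tcprules alone cannot see the authenticated identity.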