Re: [mailop] Best practices for VPS providers?
The best way is to address that in the egress router. Most routers nowadays can have alerts and triggers based on traffic, so simply create a router policy that sends an alert when too many TCP SYN packets out from an IP attempt to connect to remote IPs on port 25. You can do this for many different ports of course, including port 465/587 etc. to detect auth attacks from your VPS servers.

On 7/12/24 12:36, Mark E. Jeftovic via mailop wrote:
> On 2024-07-12 2:21 PM, Marco Moock wrote:
> > On 12.07.2024 at 10:57:15 Mark E Jeftovic via mailop wrote:
> >
> > Implement a policy that if big amounts of spam are going out you can
> > immediately block outgoing port 25.
>
> Is there anything commonly used for monitoring the level of outbound SMTP? Or are vendors forcing all outbound through an egress server to scan everything, or homerolling wireshark, tcpdump, web flo scripts.
>
> You'd need to be able to break down which unit is generating the spam.
>
> - mark

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] Best practices for VPS providers?
Hi,

On Fri, Jul 12, 2024 at 09:44:09PM +0200, Marco Moock via mailop wrote:
> On 12.07.2024 at 12:36:10 Mark E. Jeftovic wrote:
> > You'd need to be able to break down which unit is generating the spam.
>
> I think abuse reports will be fine for that.

We typically want to identify the problem before abuse reports start coming in, as that can take hours to days and waiting will potentially allow hundreds of thousands of incidents of abuse.

> You can use outgoing logging only for the port 25 (e.g. Cisco ACL
> permit any eq 25 log

Similarly netflow is one option. We export details of outbound SYN packets for setting up port 22 and 25 connections. An abnormal rate of this (i.e. abnormal per-customer rate of SSH/SMTP session creation) triggers alerts for a human to look into.

You also need to make customers aware of this because some legitimate uses of a VM will trigger it, such as penetration testing their own or their client's infrastructure, or doing a big email marketing campaign etc. It's fairly obvious if they have a big rate of connections to few IPs of a known email service provider; less so if they are doing the outbound mail themselves, which is rare but does happen. So they need to know to communicate their extreme deviations from the norm, otherwise we would be too scared to ever take action.

For us it is done with perl scripts querying an SQL database of ulogd2 data for the outbound port 22/25 SYN packets from the nftables firewall on each of our hypervisors.

https://netfilter.org/projects/ulogd/index.html

This could of course be extended to catch other forms of automated abuse but we haven't found it happens too often outside of SSH and SMTP. Most incidents are our customers being compromised by extremely simple brute force scanning efforts, not bad actors signing up. I'm sure big platforms are more targeted.
Thanks,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
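The per-customer SYN-rate alerting that Michael (router trigger on too many outbound SYNs to port 25) and Andy (per-customer rate of SSH/SMTP session creation from ulogd2 data) describe, as an added example that is not part of the thread and not any provider's code. It assumes the hypervisor firewall logs every outbound SYN to ports 22/25 in the iptables-LOG style that ulogd2's LOGEMU output emits with a "VPS-SYN " prefix; that prefix, the five-minute window, the thresholds and the "announced customer" multiplier are all assumptions, and the log lines are constructed, not captured. It raises one alert per (customer IP, port) the first time the count inside the sliding window reaches the limit, and gives customers who told you about a campaign or an authorised pentest a wider margin instead of silencing them entirely.

```python
"""Flag VPS customer IPs that open an abnormal number of outbound SSH/SMTP
sessions, from firewall SYN logs. Added example; log format, prefix and
thresholds are assumptions, sample lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

ASSUMED_YEAR = 2024          # syslog timestamps carry no year; assumed for parsing
WINDOW = timedelta(minutes=5)
# New sessions per window from one customer IP before we alert (constructed values).
THRESHOLDS = {25: 20, 22: 30}
# Customers who announced a mail campaign or an authorised pentest get a wider
# margin rather than being ignored.
ANNOUNCED_MULTIPLIER = 5

LOG_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*\bVPS-SYN\b.*\bSRC=(\S+)\b.*\bDPT=(\d+)\b"
)


class Alert(NamedTuple):
    src: str
    dport: int
    count: int      # sessions seen in the window when the alert fired
    when: datetime


def parse_line(line):
    """Return (timestamp, source IP, destination port), or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), int(m.group(3))


def detect(lines, thresholds=THRESHOLDS, window=WINDOW, announced=frozenset()):
    """Sliding-window count of new sessions per (customer IP, port).

    Lines must be in chronological order. One alert is raised per (IP, port)
    the first time its count within `window` reaches the limit.
    """
    recent = defaultdict(deque)
    alerts, fired = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dport = rec
        if dport not in thresholds:
            continue
        key = (src, dport)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:          # drop sessions older than the window
            q.popleft()
        limit = thresholds[dport] * (ANNOUNCED_MULTIPLIER if src in announced else 1)
        if len(q) >= limit and key not in fired:
            fired.add(key)
            alerts.append(Alert(src, dport, len(q), ts))
    return alerts


def make_line(ts, src, dst, dport):
    """One constructed LOGEMU-style line (sample data, not captured traffic)."""
    return (f"{ts:%b %d %H:%M:%S} hv1 ulogd[811]: VPS-SYN IN=vnet3 OUT=eth0 "
            f"SRC={src} DST={dst} LEN=60 PROTO=TCP SPT=51234 DPT={dport} SYN URGP=0")


def build_sample():
    """Constructed log: two quiet customers and one VM bursting SMTP connections."""
    base = datetime(ASSUMED_YEAR, 7, 12, 14, 36, 0)
    lines = ["Jul 12 14:35:58 hv1 ulogd[811]: unrelated line without the prefix"]
    for i in range(3):      # 192.0.2.11: a few sessions to one mail provider
        lines.append(make_line(base + timedelta(seconds=10 * i), "192.0.2.11", "198.51.100.25", 25))
    for i in range(4):      # 192.0.2.12: some SSH to the customer's own hosts
        lines.append(make_line(base + timedelta(seconds=15 * i), "192.0.2.12", f"203.0.113.{i + 1}", 22))
    for i in range(25):     # 192.0.2.10: 25 SMTP SYNs to 25 different hosts in ~2 minutes
        lines.append(make_line(base + timedelta(seconds=5 * i), "192.0.2.10", f"198.51.100.{i + 1}", 25))
    return sorted(lines)    # same day, zero-padded times: string order is time order


SAMPLE_LINES = build_sample()

if __name__ == "__main__":
    for a in detect(SAMPLE_LINES):
        print(f"ALERT {a.when:%H:%M:%S} {a.src} -> port {a.dport}: {a.count} new sessions in window")
```

Run against the constructed sample it reports only 192.0.2.10, at 14:37:35 with 20 sessions in the window; passing `announced={"192.0.2.10"}` raises that customer's limit to 100 and the burst goes unreported, which is the "they told us in advance" case Andy describes. In production you would feed it the ulogd2 output (or the SQL table Andy mentions) continuously and key on the customer account rather than the bare IP.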
Re: [mailop] Best practices for VPS providers?
On 2024-07-13 05:19, Mark E. Jeftovic via mailop wrote:
> I'm just wondering what the techniques are for monitoring this.

This is how Fastmail does it:

  VadeSecure uses "fingerprints" to identify messages it thinks are spam. A "fingerprint" is any unique string in a message. They commonly include URLs, email addresses, telephone numbers and host names/IP addresses of sending machines. They can also include sufficiently unique text strings within a message. For this reason, VadeSecure may identify messages that include spam. So, for instance, if you are writing back to a friend and telling them that their account has been compromised, and you included the full text of the spam you received, your response still includes the "fingerprint," and may be flagged. We recommend contacting your friend without the full content of the message.

--
Jeff Pang
jeffp...@aol.com
Re: [mailop] Best practices for VPS providers?
I'm just wondering what the techniques are for monitoring this. The Cisco logging is one way to do it. I'll post more as I come across them.

On 2024-07-12 4:56 PM, Jeff Pang via mailop wrote:
> Some ISPs monitor outgoing messages for spam detection. For example, Cogent: if an IP sends some amount of spam (IIRC 10) they will charge the downstream VPS company $20.
>
> On 2024-07-13 03:36, Mark E. Jeftovic via mailop wrote:
> > On 2024-07-12 2:21 PM, Marco Moock wrote:
> > > On 12.07.2024 at 10:57:15 Mark E Jeftovic via mailop wrote:
> > >
> > > Implement a policy that if big amounts of spam are going out you can
> > > immediately block outgoing port 25.
> >
> > Is there anything commonly used for monitoring the level of outbound SMTP? Or are vendors forcing all outbound through an egress server to scan everything, or homerolling wireshark, tcpdump, web flo scripts.
> >
> > You'd need to be able to break down which unit is generating the spam.
> >
> > - mark

--
Mark E. Jeftovic
Co-founder & CEO
easyDNS Technologies Inc.
+1-(416)-535-8672 ext 225
"Never expect a thing you do not want, and never desire a thing you do not expect." -- Bob Proctor
Re: [mailop] Best practices for VPS providers?
Some ISPs monitor outgoing messages for spam detection. For example, Cogent: if an IP sends some amount of spam (IIRC 10) they will charge the downstream VPS company $20.

On 2024-07-13 03:36, Mark E. Jeftovic via mailop wrote:
> On 2024-07-12 2:21 PM, Marco Moock wrote:
> > On 12.07.2024 at 10:57:15 Mark E Jeftovic via mailop wrote:
> >
> > Implement a policy that if big amounts of spam are going out you can
> > immediately block outgoing port 25.
>
> Is there anything commonly used for monitoring the level of outbound SMTP? Or are vendors forcing all outbound through an egress server to scan everything, or homerolling wireshark, tcpdump, web flo scripts.
>
> You'd need to be able to break down which unit is generating the spam.
>
> - mark

--
Jeff Pang
jeffp...@aol.com
Re: [mailop] Best practices for VPS providers?
On 12.07.2024 at 12:36:10 Mark E. Jeftovic wrote:
> On 2024-07-12 2:21 PM, Marco Moock wrote:
> > On 12.07.2024 at 10:57:15 Mark E Jeftovic via mailop wrote:
> >
> > Implement a policy that if big amounts of spam are going out you can
> > immediately block outgoing port 25.
> Is there anything commonly used for monitoring the level of outbound
> SMTP? Or are vendors forcing all outbound through an egress server to
> scan everything, or homerolling wireshark, tcpdump, web flo scripts.
>
> You'd need to be able to break down which unit is generating the spam.

I think abuse reports will be fine for that.

You can use outgoing logging only for the port 25 (e.g. Cisco ACL

  permit any eq 25 log
  permit any any

) should provide you the logging. Then compare that with the abuse reports.

I don't know an automatic mechanism, but implementing one should be possible.

--
Regards
Marco

Send unsolicited bulk mail to 1720780570mu...@cartoonies.org
Re: [mailop] Best practices for VPS providers?
On 2024-07-12 2:21 PM, Marco Moock wrote:
> On 12.07.2024 at 10:57:15 Mark E Jeftovic via mailop wrote:
>
> Implement a policy that if big amounts of spam are going out you can
> immediately block outgoing port 25.

Is there anything commonly used for monitoring the level of outbound SMTP? Or are vendors forcing all outbound through an egress server to scan everything, or homerolling wireshark, tcpdump, web flo scripts.

You'd need to be able to break down which unit is generating the spam.

- mark

--
Mark E. Jeftovic
Co-founder & CEO
easyDNS Technologies Inc.
+1-(416)-535-8672 ext 225
"Never expect a thing you do not want, and never desire a thing you do not expect." -- Bob Proctor
Re: [mailop] Best practices for VPS providers?
All of the providers with whom we are familiar block TCP port 25 outbound by default, either entirely, or except to approved paid relaying partner-providers. If you want to send outbound email directly, there is an application/approval process to be followed.

AWS over the past few months has become more strict in granting such approvals, we have seen, and has recommended customers use AWS SES when they deny opening port 25 outbound -- which probably helps explain, if only in part, why we all are seeing more spam from AWS SES.

Hope that helps,
Mark

--
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs

----- Original Message -----
| From: "Mark E Jeftovic via mailop"
| To: "mailop"
| Sent: Friday, July 12, 2024 1:57:15 PM
| Subject: [mailop] Best practices for VPS providers?
|
| The responsible cloud hosts thread has me wondering about the state of the art
| of best practices for VPS providers
|
| When someone provisions a VPS there’s a danger that they’ll just spin up and
| blast - if they’re using stolen credit cards, etc you can mitigate and filter
| on that side using fraud detection methods (Stripe radar, etc)
|
| But let’s say they get a VM provisioned - now what?
|
| We do RBL checks on our VPS IPs but it takes some time for that to show up
|
| What about monitoring net flows out of the IP? Are there any modules or plugins
| for the hypervisors - or management panels (Proxmox) to monitor?
|
| Are there any third party services?
|
| Thanks
|
| - mark
|
| Sent from my iPhone
Re: [mailop] Best practices for VPS providers?
On 12.07.2024 at 10:57:15 Mark E Jeftovic via mailop wrote:
> But let’s say they get a VM provisioned - now what?

Block outgoing connections to port 25 by default, tell the customers that, and only enable it for users who intentionally want it.

Implement a policy that if big amounts of spam are going out you can immediately block outgoing port 25.

Also enable it only for users who want to buy the VPS for some months and make sure they prepay it. This will almost put off most spammers because they will have to pay more and just can't rent a machine for some hours.

--
Regards
Marco

Send unsolicited bulk mail to 1720774635mu...@cartoonies.org
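The default-closed port 25 policy Marco recommends (closed for every VM, opened only for customers who ask for it), rendered as an nftables ruleset for the hypervisor's forward hook. This is an added example, not the ruleset of any provider in the thread; the table and set names, the nflog group, the customer subnet and the address list are assumptions. It also logs every new outbound SSH/SMTP SYN before the reject rule, so attempts from VMs that are not on the allowlist still reach the abuse monitor.

```python
"""Render a per-hypervisor nftables egress policy for customer VMs.
Added example; names, nflog group and addresses are assumptions."""
from ipaddress import ip_address, ip_network


def render_egress_ruleset(customer_net, smtp_allowed, nflog_group=1):
    """Return nftables text (for `nft -f`) that:
      - logs each new outbound SSH/SMTP session from customer VMs via nflog,
      - rejects outbound port 25 unless the VM's address is in @smtp_allowed,
      - leaves everything else at policy accept.
    Addresses outside customer_net are refused rather than silently allowed."""
    net = ip_network(customer_net)
    allowed = set()
    for a in smtp_allowed:
        ip = ip_address(a)
        if ip not in net:
            raise ValueError(f"{ip} is not in customer subnet {net}")
        allowed.add(ip)
    allowed = sorted(allowed)

    lines = [
        "table inet vps_egress {",
        "    set smtp_allowed {",
        "        type ipv4_addr",
    ]
    if allowed:  # an empty 'elements' clause is not valid nft syntax, so omit it
        lines.append("        elements = { " + ", ".join(map(str, allowed)) + " }")
    lines += [
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        "        # log every new outbound SSH/SMTP session first, so attempts that",
        "        # the next rule blocks are still visible to the abuse monitor",
        f"        ip saddr {net} tcp dport {{ 22, 25 }} tcp flags & (syn|ack) == syn "
        f"log group {nflog_group} prefix \"VPS-SYN \"",
        "        # port 25 egress is opt-in per VM",
        f"        ip saddr {net} ip saddr != @smtp_allowed tcp dport 25 reject with tcp reset",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed subnet and allowlist; two VMs have asked for outbound SMTP
    print(render_egress_ruleset("192.0.2.0/24", ["192.0.2.11", "192.0.2.10"]))
```

Ordering matters: the log rule precedes the reject so a compromised VM that is not allowed to send still shows up as a burst of logged SYNs. Once loaded, a customer can be enabled at runtime with `nft add element inet vps_egress smtp_allowed { 192.0.2.12 }` and removed again the same way, without reloading the table; the reject with a TCP reset (rather than a silent drop) means the customer's MTA fails fast instead of queueing for days.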
[mailop] Best practices for VPS providers?
The responsible cloud hosts thread has me wondering about the state of the art of best practices for VPS providers.

When someone provisions a VPS there’s a danger that they’ll just spin up and blast - if they’re using stolen credit cards, etc. you can mitigate and filter on that side using fraud detection methods (Stripe Radar, etc.)

But let’s say they get a VM provisioned - now what?

We do RBL checks on our VPS IPs but it takes some time for that to show up.

What about monitoring net flows out of the IP? Are there any modules or plugins for the hypervisors - or management panels (Proxmox) to monitor?

Are there any third party services?

Thanks

- mark

Sent from my iPhone