Re: Blocking users sending spam

2016-11-15 Thread Przemysław.Orzechowski

On Tue, 15 Nov 2016 14:09:03 +0100, Volker Cordes wrote:
> Hello,
> 
> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in Germany).
> 
> Thanks,
> Volker

hi

cbpolicyd and a few other throttling solutions are effective (if the limits
are low enough to discourage spammers).

Besides them I'm also using a script that traces the IPs from which a user
logged in within a time limit, and if there are more IP addresses than the set
limit the user is locked out from sending mails.
The script actually counts 2 things, logins and the amount of mails sent, and
locks out the user if the limit for either one in a time window is exceeded.
Lockout is achieved either by an update to a MySQL table or by modifying the
Postfix check_sender_access file.
Unblocking is from the command line, but it's quite effective most of the time.



Re: Blocking users sending spam

2016-11-15 Thread Ralph Seichter
On 15.11.2016 14:09, Volker Cordes wrote:

> I was wondering if it is possible to [...] implement blocking using
> geoip-services (99% of our customers are based in germany).

Will any of the users be travelling and/or utilizing anonymity networks
like Tor (see https://www.torproject.org/)? Tor exit nodes are scattered
across the globe, so blocking by GeoIP (which by the way is not always
exact) can potentially have a downside.

-Ralph


Re: Blocking users sending spam

2016-11-15 Thread P.V.Anthony

On 15/11/2016 21:09, Volker Cordes wrote:

> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in Germany).


I use the following,

http://wiki.policyd.org/start

with the quota module activated.

Then there is this cron script (found on the internet) that sends an
email to the administrator once the user starts sending more than 50% of
the limit set.


#!/bin/bash
# parameters:
#   0.5 ... if counter is above 50% of the limit
#   timestampdiff() <= 1 ... seen in the last hour
#
# if there are no results the output is empty, otherwise cron sends the
# result per mail
#
# note: a password given on the command line is visible to other users in
# the process list; mysql can read the credentials from a client option
# file instead (see --defaults-extra-file), which avoids that.

echo "select TrackKey, FROM_UNIXTIME(LastUpdate) as LastSeen, Counter,
        CounterLimit, Counter / CounterLimit * 100 as Percentage
      from quotas_tracking
      left join quotas_limits on quotasLimitsID = quotas_limits.ID
      where Counter / CounterLimit > 0.5
        and TIMESTAMPDIFF(HOUR, FROM_UNIXTIME(LastUpdate), CURRENT_TIMESTAMP()) <= 1
      order by Counter desc;" | mysql --user=databaseuser --password=password database


P.V.Anthony









Re: Blocking users sending spam

2016-11-15 Thread Sebastian Nielsen
I would say that GeoIP would be the best.
And those users that need to travel need to pre-request travelling access
through a captcha-protected AND GeoIP-restricted web interface prior to
travelling (but once opened, they can extend access out-of-country).

And then they need to specify the time spent away (which will be deducted from
their total).

Also, to prevent people from opening travel access without need, make it so they
can open a maximum of, let's say, TOTAL=30 days per 180 days.

Volker Cordes wrote: (15 November 2016 14:09:03 CET)
> Hello,
>
> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails
> were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in Germany).
>
> Thanks,
> Volker




Re: Blocking users sending spam

2016-11-15 Thread D'Arcy Cain

On 2016-11-15 08:09 AM, Volker Cordes wrote:

> Hello,
>
> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in Germany).


I simply throttle my users.  We offer mailing list access (mailman) so 
there is hardly ever any reason to bulk send from a personal account.  I 
picked 100 as a reasonable number of messages to send in an hour and 
check the previous hour every 15 minutes.  If the above happens they get 
stopped very quickly.  I also get email so that I can deal with the 
user.  I let them know that I can temporarily whitelist them if they do 
have a legitimate need to send out a one time mass mailing.



--
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:da...@vex.net
VoIP: sip:da...@vex.net
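Przemysław's script and D'Arcy's throttle both count per-user activity in a time window. The following is an added example of that idea (my own code, not from either post): it reads Postfix's authenticated-submission log lines and flags a user whose distinct login IPs or message count in the last hour exceeds a limit, the two checks Przemysław describes, with D'Arcy's 100 messages per hour as the message limit. The log lines, hosts, users and addresses are constructed, and the thresholds, the one-hour window and the year added to the syslog timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix's real smtpd log line for an authenticated submission.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/\S*smtpd\[\d+\]: \w+: "
    r"client=\S+\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$")
YEAR = 2016  # syslog timestamps carry no year; the thread's year is assumed

def parse(line):
    """Return (time, user, ip) for an authenticated submission line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def offenders(lines, now, window=timedelta(hours=1), max_ips=2, max_msgs=100):
    """Map user -> (distinct login IPs, messages) for users over either limit
    within [now - window, now]; a lockout would act on exactly these users."""
    ips, msgs = defaultdict(set), defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None or not (now - window <= rec[0] <= now):
            continue  # not an authenticated submission, or outside the window
        _, user, ip = rec
        ips[user].add(ip)
        msgs[user] += 1
    return {u: (len(ips[u]), n) for u, n in msgs.items()
            if len(ips[u]) > max_ips or n > max_msgs}

def submission(ts, host, ip, user, qid="1A2B3C"):
    """Build one constructed log line (hypothetical hosts, users and addresses)."""
    return (f"{ts} mx postfix/submission/smtpd[4242]: {qid}: client={host}[{ip}], "
            f"sasl_method=PLAIN, sasl_username={user}")

NOW = datetime(2016, 11, 15, 14, 9, 3)
SAMPLE_LOG = [
    submission("Nov 15 13:12:01", "pc.alice.example", "192.0.2.10", "alice@example.de"),
    submission("Nov 15 13:30:44", "vps.example.net", "198.51.100.7", "alice@example.de"),
    submission("Nov 15 13:58:09", "unknown", "2001:db8::55", "alice@example.de"),
    submission("Nov 15 11:00:00", "old.example.org", "203.0.113.9", "alice@example.de"),  # outside window
    submission("Nov 15 13:40:00", "pc.carol.example", "192.0.2.20", "carol@example.de"),
] + [submission(f"Nov 15 13:{10 + i // 60:02d}:{i % 60:02d}", "pc.bob.example",
                "192.0.2.30", "bob@example.de", qid=f"Q{i:04d}") for i in range(120)]

if __name__ == "__main__":
    for user, (n_ips, n_msgs) in sorted(offenders(SAMPLE_LOG, NOW).items()):
        print(f"{user}: {n_ips} IPs, {n_msgs} messages in the last hour")
```

Run from cron every 15 minutes as D'Arcy does, the returned users are the ones to lock out or to mail the administrator about.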


Re: Blocking users sending spam

2016-11-15 Thread Florian Piekert
On 15.11.2016 at 14:09, Volker Cordes wrote:

Good afternoon Volker,
dear List.

We had a similar incident last year. What I then did was to parse the
logfiles on a daily basis to check where the logins occur from. We have a
customer base from Germany mainly (except business travelling people), so I
compiled a list of the most probable IP ranges/dyn dialup domains, against which
I grep -v the logfile entries and then get a mail each midnight of the ones
not matching those expectations.

I can see that geo blocking may be a solution, but with globally travelling
people it's not really an option. The same applies to a lot of changes of IPs
(if they come from the same range, e.g. provider).

I know it's far from perfect, but from an 80:20 approach a good one. You can
probably put in (much) more effort to produce a maybe more reliable,
automated approach of some kind. And yes, it was a purely reactive measure and
of course did not prevent setting off spam until we noticed (actually it
never happened since then, so I can't really tell)...

> Hello,
> 
> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in Germany).
> 
> Thanks,
> Volker
> 
> 

===
Note: this message was sent by me *only* if the eMail message contains a
correct PGP signature corresponding to my address at flo...@floppy.org. Do
you need my PGP public key? Check out http://www.floppy.org or send me an
email with the subject "send pgp public key" to this address of mine. Thx!
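Florian's grep -v approach as an added example (my own code, not from the post): only authenticated logins that match neither an expected network nor an expected rDNS pattern are kept, so the nightly mail lists just the surprises. The log line format is Postfix's smtpd line for an authenticated submission; the networks, host patterns, users and addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed expectations (hypothetical): networks the customers normally use
# and the rDNS patterns of their providers' dynamic dial-up pools.
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:1::/48")]
EXPECTED_HOSTS = [re.compile(p) for p in (r"\.dyn\.example-isp\.de$", r"\.example\.de$")]

# The client and user fields of Postfix's real smtpd line for an authenticated submission.
LOGIN_RE = re.compile(
    r"client=(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$")

def is_expected(host, ip):
    """True when the client address or its rDNS name matches an expectation.
    Postfix logs 'unknown' as the host when rDNS fails; that matches no pattern."""
    addr = ipaddress.ip_address(ip)  # handles IPv4 and IPv6 alike
    return any(addr in net for net in EXPECTED_NETS) or any(p.search(host) for p in EXPECTED_HOSTS)

def unexpected_logins(lines):
    """Map user -> [(ip, host), ...] for authenticated logins matching no expectation."""
    report = defaultdict(list)
    for line in lines:
        m = LOGIN_RE.search(line)
        if m and not is_expected(m["host"], m["ip"]):
            report[m["user"]].append((m["ip"], m["host"]))
    return dict(report)

def submission(host, ip, user):
    """Build one constructed log line in Postfix's format (hypothetical values)."""
    return (f"Nov 15 13:12:01 mx postfix/submission/smtpd[4242]: 1A2B3C: client={host}[{ip}], "
            f"sasl_method=PLAIN, sasl_username={user}")

SAMPLE_LOG = [
    submission("pc1.example.de", "192.0.2.10", "alice@example.de"),              # expected: network
    submission("unknown", "203.0.113.5", "alice@example.de"),                    # no rDNS, foreign range
    submission("p5b1234.dyn.example-isp.de", "198.51.100.20", "bob@example.de"),  # expected: rDNS
    submission("unknown", "2001:db8:1::7", "bob@example.de"),                    # expected: IPv6 net
    submission("vps.example.org", "2001:db8:ffff::9", "carol@example.de"),       # foreign VPS
    "Nov 15 13:20:00 mx postfix/smtpd[4243]: connect from unknown[203.0.113.8]",  # not authenticated
]

if __name__ == "__main__":  # the part cron would mail each midnight
    for user, hits in sorted(unexpected_logins(SAMPLE_LOG).items()):
        print(user, hits)
```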





Blocking users sending spam

2016-11-15 Thread Volker Cordes
Hello,

I just stopped our server from sending out spam mails. A password from
one of our customers was hacked or somehow leaked so that the mails were
sent by an authenticated user. Now I was wondering if it is possible to
block users that authenticate themselves from a lot of different IP
addresses in a short timespan or to implement blocking using
geoip-services (99% of our customers are based in Germany).

Thanks,
Volker