Re: Blocking users sending spam
On Tue, 15 Nov 2016 14:09:03 +0100, Volker Cordes wrote:
> Hello,
>
> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in Germany).
>
> Thanks,
> Volker

Hi,

cbpolicyd and a few other throttling solutions are effective (if the limits are low enough to discourage spammers). Besides those, I'm also using a script that traces the IPs from which a user logged in within a time limit, and if there are more IP addresses than the set limit, the user is locked out from sending mails. The script actually counts two things, logins and the amount of mails sent, and locks out the user if the limit for either one in a time window is exceeded. Lockout is achieved either by an update to a MySQL table or by modifying the Postfix check_sender_access file. Unblocking is done from the command line, but it's quite effective most of the time.
Re: Blocking users sending spam
On 15.11.2016 14:09, Volker Cordes wrote:
> I was wondering if it is possible to [...] implement blocking using
> geoip-services (99% of our customers are based in germany).

Will any of the users be travelling and/or utilizing anonymity networks like Tor (see https://www.torproject.org/)? Tor exit nodes are scattered across the globe, so blocking by GeoIP (which by the way is not always exact) can potentially have a downside.

-Ralph
Re: Blocking users sending spam
On 15/11/2016 21:09, Volker Cordes wrote:
> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in germany).

I use the following, http://wiki.policyd.org/start with the quota module activated. Then there is this cron script (found on the internet) that sends an email to the administrator once a user starts sending more than 50% of the limit set.

    #!/bin/bash
    # Parameters:
    #   Counter / CounterLimit > 0.5     ... counter is above 50% of the limit
    #   TIMESTAMPDIFF(HOUR, ...) <= 1    ... seen in the last hour
    # If there are no results the output is empty, otherwise cron mails the
    # result to the administrator.
    # Note: a password given as --password=... is visible to every local user
    # in the process list; putting it in a client config file read with
    # --defaults-extra-file=/path/to/file (the first option) avoids that.
    mysql --user=databaseuser --password=password database <<'EOF'
    SELECT TrackKey,
           FROM_UNIXTIME(LastUpdate) AS LastSeen,
           Counter,
           CounterLimit,
           Counter / CounterLimit * 100 AS Percentage
      FROM quotas_tracking
      LEFT JOIN quotas_limits ON QuotasLimitsID = quotas_limits.ID
     WHERE Counter / CounterLimit > 0.5
       AND TIMESTAMPDIFF(HOUR, FROM_UNIXTIME(LastUpdate), CURRENT_TIMESTAMP()) <= 1
     ORDER BY Counter DESC;
    EOF

P.V.Anthony
Re: Blocking users sending spam
I would say that GeoIP would be the best. And those users that need to travel need to pre-request travelling access through a captcha-protected AND geoip-restricted web interface prior to travelling. (But once opened, they can extend access out-of-country.) And then they need to specify the time spent away (which will be deducted from their total). Also, to prevent people from opening travel access without need, make it so they can open a maximum of, let's say, TOTAL=30 days per 180 days.

Volker Cordes wrote: (15 November 2016 14:09:03 CET)
> Hello,
>
> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in germany).
>
> Thanks,
> Volker
Re: Blocking users sending spam
On 2016-11-15 08:09 AM, Volker Cordes wrote:
> Hello,
>
> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in germany).

I simply throttle my users. We offer mailing list access (mailman) so there is hardly ever any reason to bulk send from a personal account. I picked 100 as a reasonable number of messages to send in an hour and check the previous hour every 15 minutes. If the above happens they get stopped very quickly. I also get email so that I can deal with the user. I let them know that I can temporarily whitelist them if they do have a legitimate need to send out a one time mass mailing.

-- 
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:da...@vex.net
VoIP: sip:da...@vex.net
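The two detection ideas in this thread, the login-from-too-many-IPs counter in the first reply and the 100-messages-per-hour throttle above, are the same sliding-window check over the Postfix log, so here is one added example (my code, not any poster's script) that does both. It parses the smtpd line Postfix writes once per accepted authenticated message, counts distinct client IPs and messages per SASL user inside the window, and renders the lockout as an access map. The log lines, the limits, the evaluation time NOW and the year 2016 are all constructed assumptions; one practitioner's note is built in: the map is keyed by SASL login name, so it belongs behind check_sasl_access (Postfix 2.11 and later) rather than check_sender_access, which matches the envelope sender and is trivially sidestepped by a spammer who changes MAIL FROM.

```python
"""Flag SASL users that sent from too many client IPs, or too many messages,
inside a time window, and render a Postfix access map that locks them out."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix writes this smtpd line once per accepted message from an
# authenticated client; it carries both the client IP and the SASL login name.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/\S*smtpd\[\d+\]: "
    r"\w+: client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\].*?sasl_username=(?P<user>\S+)"
)
LOG_YEAR = 2016                       # syslog timestamps carry no year (assumed)
NOW = datetime(2016, 11, 15, 13, 10)  # evaluation time for the sample (assumed)

# Constructed sample: kunde@example.de appears from four networks within two
# minutes, its 11:58 line falls outside the one-hour window, buero@example.de
# behaves normally, and the last line is unauthenticated inbound mail.
SAMPLE_LOG = """\
Nov 15 11:58:03 mail postfix/submission/smtpd[2201]: 8F1E2A: client=dsl-7.example.net[198.51.100.17], sasl_method=PLAIN, sasl_username=kunde@example.de
Nov 15 13:02:11 mail postfix/submission/smtpd[2201]: 8F1E2B: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=kunde@example.de
Nov 15 13:02:40 mail postfix/submission/smtpd[2202]: 8F1E2C: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=kunde@example.de
Nov 15 13:03:05 mail postfix/submission/smtpd[2203]: 8F1E2D: client=unknown[192.0.2.19], sasl_method=PLAIN, sasl_username=kunde@example.de
Nov 15 13:03:52 mail postfix/submission/smtpd[2201]: 8F1E2E: client=unknown[192.0.2.200], sasl_method=PLAIN, sasl_username=kunde@example.de
Nov 15 13:04:30 mail postfix/submission/smtpd[2204]: 8F1E2F: client=dsl-9.example.net[198.51.100.40], sasl_method=LOGIN, sasl_username=buero@example.de
Nov 15 13:06:12 mail postfix/submission/smtpd[2204]: 8F1E30: client=dsl-9.example.net[198.51.100.40], sasl_method=LOGIN, sasl_username=buero@example.de
Nov 15 13:07:00 mail postfix/smtpd[2205]: 8F1E31: client=mx.example.org[203.0.113.200]
"""


def parse_events(text, year=LOG_YEAR):
    """Return (timestamp, user, ip) for every authenticated-submission line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def evaluate(events, now, window=timedelta(hours=1), max_ips=3, max_msgs=100):
    """Count messages and distinct client IPs per user inside (now - window, now].

    Returns {user: [reason, ...]} for every user that exceeds either limit.
    """
    msgs = defaultdict(int)
    ips = defaultdict(set)
    for ts, user, ip in events:
        if now - window < ts <= now:
            msgs[user] += 1
            ips[user].add(ip)
    flagged = {}
    for user in msgs:
        reasons = []
        if len(ips[user]) > max_ips:
            reasons.append(f"{len(ips[user])} distinct client IPs (limit {max_ips})")
        if msgs[user] > max_msgs:
            reasons.append(f"{msgs[user]} messages (limit {max_msgs})")
        if reasons:
            flagged[user] = reasons
    return flagged


def lockout_map(flagged):
    """Render access-map lines keyed by SASL login name.

    Run the output through postmap and reference the table from
    smtpd_recipient_restrictions as check_sasl_access (Postfix >= 2.11),
    which looks up the SASL login name; check_sender_access matches the
    envelope sender, which the spammer controls.
    """
    return "\n".join(
        f"{user} REJECT 5.7.1 Account locked: {'; '.join(reasons)}"
        for user, reasons in sorted(flagged.items())
    )


if __name__ == "__main__":
    print(lockout_map(evaluate(parse_events(SAMPLE_LOG), NOW)))
```

Run it from cron every 15 minutes with now set to the current time and the window to one hour, and the check covers exactly the previous hour as described above; the IP limit is deliberately low because a legitimate customer rarely changes network more than a couple of times an hour, while a leaked password is typically used from a botnet.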
Re: Blocking users sending spam
On 15.11.2016 at 14:09, Volker Cordes wrote:

Good afternoon Volker, dear List.

We had a similar incident last year. What I then did was to parse the logfiles on a daily basis to check where the logins occur from. We have a customer base from Germany mainly (except business travelling people), so I compiled a list of the most probable IP ranges/dyn dialup domains, against which I grep -v the logfile entries and then get a mail each midnight with the ones not matching those expectations.

I can see that geo blocking may be a solution, but with globally travelling people it's not really an option. The same applies to a lot of changes of IPs (if they come from the same range, e.g. provider).

I know it's far from perfect, but from an 80:20 approach a good one. You can probably put in (much) more effort to produce a maybe more reliable, automated approach of some kind.

And yes, it was a purely reactive measure and of course did not prevent sending off spam until we noticed (actually it never happened since then, so I can't really tell)...

> Hello,
>
> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in germany).
>
> Thanks,
> Volker
>

===
Note: this message was sent by me *only* if the eMail message contains a correct pgp signature corresponding to my address at flo...@floppy.org. Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine. Thx!
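The nightly "grep -v against expected ranges" report above, and the GeoIP caveats from Ralph and others earlier in the thread, come down to the same question: which successful logins came from networks this customer base does not normally use? Here is an added example of that check (my code, not the poster's grep pipeline) using CIDR matching instead of regexes, run over constructed Dovecot login lines; the expected networks are the RFC 5737/3849 documentation ranges standing in for German provider ranges, and all users and addresses are invented. It only reports, because, as the thread notes, a travelling customer or a Tor user will land in this list and needs a human decision, not an automatic block.

```python
"""Report successful IMAP/POP3 logins from outside the address ranges the
customer base is expected to use (the nightly report from the message above)."""
import ipaddress
import re

# Networks customers are expected to log in from.  Assumed for the example:
# the documentation ranges stand in for the operator's list of provider and
# dial-up ranges.  Version-mismatched comparisons (v6 address vs v4 net) are
# simply False, so mixed lists are fine.
EXPECTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("198.51.100.0/24", "192.0.2.0/25", "2001:db8::/32")
]

# Dovecot login line: only successful logins carry "Login: user=<...>";
# failed attempts are logged as "Disconnected (auth failed ...)" and skipped.
LOGIN_RE = re.compile(
    r"dovecot: (?:imap|pop3)-login: Login: user=<(?P<user>[^>]+)>"
    r".*?\brip=(?P<ip>[0-9a-fA-F.:]+)"
)

# Constructed sample log.
SAMPLE_LOG = """\
Nov 15 06:12:01 mail dovecot: imap-login: Login: user=<kunde@example.de>, method=PLAIN, rip=198.51.100.17, lip=198.51.100.1, mpid=4102, TLS
Nov 15 06:12:44 mail dovecot: imap-login: Login: user=<buero@example.de>, method=PLAIN, rip=192.0.2.19, lip=198.51.100.1, mpid=4103, TLS
Nov 15 06:13:10 mail dovecot: imap-login: Login: user=<kunde@example.de>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1, mpid=4104, TLS
Nov 15 06:13:58 mail dovecot: pop3-login: Login: user=<kunde@example.de>, method=PLAIN, rip=2001:db8:1::9, lip=2001:db8:f::1, mpid=4105, TLS
Nov 15 06:14:02 mail dovecot: imap-login: Login: user=<chef@example.de>, method=PLAIN, rip=192.0.2.200, lip=198.51.100.1, mpid=4106, TLS
Nov 15 06:15:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<kunde@example.de>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.1, TLS
"""


def is_expected(ip):
    """True if the address lies inside one of EXPECTED_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_NETS)


def unexpected_logins(text):
    """(user, ip) for each successful login outside EXPECTED_NETS, in log order."""
    found = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m and not is_expected(m.group("ip")):
            found.append((m.group("user"), m.group("ip")))
    return found


def summarize(text):
    """Group the unexpected source IPs by user, one entry per distinct IP."""
    report = {}
    for user, ip in unexpected_logins(text):
        ips = report.setdefault(user, [])
        if ip not in ips:
            ips.append(ip)
    return report


if __name__ == "__main__":
    for user, ips in summarize(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(ips)}")
```

Note that 192.0.2.200 is flagged even though 192.0.2.19 is not: the allowlist is a /25, so a range copied too narrowly from a provider's announcements produces exactly the kind of false positive the poster accepts as the 80:20 trade-off. Feeding the summary to mail(1) from a midnight cron job gives the report described above.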
Blocking users sending spam
Hello,

I just stopped our server from sending out spam mails. A password from one of our customers was hacked or somehow leaked so that the mails were sent by an authenticated user. Now I was wondering if it is possible to block users that authenticate themselves from a lot of different IP addresses in a short timespan or to implement blocking using geoip-services (99% of our customers are based in Germany).

Thanks,
Volker