Re: Question on early detection for relay spam

2020-03-04 Thread M. Omer GOLGELI
If password rotating is out of the question, you might want to check your IPs 
against blacklists multiple times a day; it wouldn't stop it, but it may 
notify you earlier so you can stop an outbreak.

Another thing that comes to mind is that you may try rate limiting your users and 
set up a cron job to monitor the number of outgoing messages and notify you if 
there's a sudden surge of mail requests.

M. Omer GOLGELI
---
AS202365

  https://as202365.peeringdb.com 
  https://bgp.he.net/AS202365 

NOC:
 Phone: +90-533-2600533
 Email:  o...@chronos.com.tr


March 3, 2020 10:26 AM, "Ted Mittelstaedt"  wrote:

> I know this is probably off topic but I'm getting desperate enough to ask.
> 
> I run a commercial mailserver that regularly seems to have spammers relay
> mail through it that have obtained stolen credentials for a user. Many years
> ago I stopped allowing users to change passwords on it and I set up passwords
> for all users added to it, and the passwords are random strings of 8
> characters or more.
> 
> The problem is of course that since the passwords are difficult to remember,
> once the users do remember them they merrily proceed to use this "highly
> secure password that I can now remember" on every stupid website out on the
> Internet that they care to log in to. The problem isn't really the people
> using Thunderbird or Outlook or their cell phones or whatever, because they
> save the password in the email client and then immediately forget it, which
> is what I want. It is the people who use the webmail interface on multiple
> different systems, kiosk computers and the like, who are the problem. When
> hosts out on the Internet get busted into, the spammers get their passwords
> and email addresses and start relaying. I've confirmed this with several
> users I've called and it's always the same story.
> 
> By the time I see what's going on the server is blacklisted everywhere and I
> have to waste time delisting it, and asskissing all of the little tiny
> blacklists run by little pricks who want me to pay money or wait a month to
> be delisted, etc. (no I'm NOT talking about spamcop, or barracuda or anyone
> professional - THEY know what they are doing and don't look at this as a
> chance for a shakedown)
> 
> I estimate that last year this happened around 5 times and I just lost an
> afternoon today answering the passel of help requests from users because it
> happened again.
> 
> What I am wondering is how to tighten up my monitoring on my servers to more
> rapidly identify when this starts happening. What I'm doing now is a kludge
> but I run mailq (this is a sendmail system) and when I see the number of
> pending mail messages in there exceed a threshold I send an alert to my
> cell. It is a kludge and the problem is that the mailq doesn't start filling
> up until my server gets blacklisted.
> 
> I've considered several ideas like running a script out of cron that checks
> the number of authids per hour but all of these seem like even worse
> kludges. The only idea that I have come up with that I really like is taking
> an AK-47 to the spammers but unfortunately spammers know that they are
> unloved and cowardly hide away in Russia and scummier places and I can't
> reach 'em. (maybe I could offer a bounty? A nickel a head? That would pay
> for the bullet at least. I don't think those people are worth even that,
> though)
> 
> I do run a daily sendmail statistics report but by the time I read that and
> see the bump in traffic it's too late.
> 
> What do other people do for this problem?
> 
> Ted

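As an added example (not code from the thread or from any of the posters), this is the shape of the cron script Omer and Ted are talking about: it reads the sendmail log, joins each message's "AUTH=server ... authid=" line to its "from=<...> ... nrcpts=" line by queue id, and flags any authid whose message count, recipient count or number of distinct source IPs in the window is out of line. The log format is the one stock sendmail produces for authenticated submissions, but the sample lines, the thresholds and the user names are constructed for this example.

```python
"""Per-authid outbound surge check for a sendmail submission host (added example).

Assumes sendmail's default logging, where each authenticated message produces
an "AUTH=server, relay=..., authid=USER" line and a "from=<...>, nrcpts=N" line
sharing the same queue id. SAMPLE_LOG and the thresholds are constructed.
"""
import re
import sys
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log shapes (the queue id ties the two lines together):
#   ... sendmail[PID]: QID: AUTH=server, relay=host [IP], authid=USER, mech=PLAIN, bits=0
#   ... sendmail[PID]: QID: from=<addr>, size=N, class=0, nrcpts=N, msgid=..., relay=host [IP]
AUTH_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): AUTH=server, relay=(?:\S+ )?\[(?P<ip>[^\]]+)\], "
    r"authid=(?P<authid>[^,]+), mech="
)
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<[^>]*>, size=\d+, class=-?\d+, nrcpts=(?P<nrcpts>\d+)"
)

# Constructed sample: alice sends two ordinary messages from one address; bob's
# stolen credentials are used from four different addresses for 60-recipient blasts.
SAMPLE_LOG = """\
Mar  4 10:01:02 mx sendmail[2101]: 024A12aa002101: AUTH=server, relay=laptop.example.net [198.51.100.7], authid=alice, mech=PLAIN, bits=0
Mar  4 10:01:02 mx sendmail[2101]: 024A12aa002101: from=<alice@example.com>, size=2048, class=0, nrcpts=1, msgid=<a1@example.com>, proto=ESMTP, daemon=MSA, relay=laptop.example.net [198.51.100.7]
Mar  4 10:09:40 mx sendmail[2130]: 024A9eab002130: AUTH=server, relay=laptop.example.net [198.51.100.7], authid=alice, mech=PLAIN, bits=0
Mar  4 10:09:40 mx sendmail[2130]: 024A9eab002130: from=<alice@example.com>, size=5120, class=0, nrcpts=2, msgid=<a2@example.com>, proto=ESMTP, daemon=MSA, relay=laptop.example.net [198.51.100.7]
Mar  4 10:12:03 mx sendmail[2150]: 024AC3ac002150: AUTH=server, relay=[203.0.113.5], authid=bob, mech=LOGIN, bits=0
Mar  4 10:12:03 mx sendmail[2150]: 024AC3ac002150: from=<bob@example.com>, size=900, class=0, nrcpts=60, msgid=<b1@example.com>, proto=ESMTP, daemon=MSA, relay=[203.0.113.5]
Mar  4 10:12:09 mx sendmail[2151]: 024AC9ad002151: AUTH=server, relay=[203.0.113.77], authid=bob, mech=LOGIN, bits=0
Mar  4 10:12:09 mx sendmail[2151]: 024AC9ad002151: from=<bob@example.com>, size=900, class=0, nrcpts=60, msgid=<b2@example.com>, proto=ESMTP, daemon=MSA, relay=[203.0.113.77]
Mar  4 10:12:15 mx sendmail[2152]: 024ACFae002152: AUTH=server, relay=[192.0.2.33], authid=bob, mech=LOGIN, bits=0
Mar  4 10:12:15 mx sendmail[2152]: 024ACFae002152: from=<bob@example.com>, size=900, class=0, nrcpts=60, msgid=<b3@example.com>, proto=ESMTP, daemon=MSA, relay=[192.0.2.33]
Mar  4 10:12:21 mx sendmail[2153]: 024ACLaf002153: AUTH=server, relay=[192.0.2.99], authid=bob, mech=LOGIN, bits=0
Mar  4 10:12:21 mx sendmail[2153]: 024ACLaf002153: from=<bob@example.com>, size=900, class=0, nrcpts=60, msgid=<b4@example.com>, proto=ESMTP, daemon=MSA, relay=[192.0.2.99]
"""


@dataclass
class AuthStats:
    messages: int = 0
    recipients: int = 0
    ips: set = field(default_factory=set)


def parse_log(lines):
    """Aggregate per authid: message count, envelope recipients, distinct source IPs."""
    auth_by_qid = {}                 # qid -> (authid, source ip)
    rcpts_by_qid = defaultdict(int)  # qid -> nrcpts
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            auth_by_qid[m["qid"]] = (m["authid"], m["ip"])
            continue
        m = FROM_RE.search(line)
        if m:
            rcpts_by_qid[m["qid"]] += int(m["nrcpts"])
    stats = defaultdict(AuthStats)
    # Inbound mail has a from= line but no AUTH line, so it never reaches the counters.
    for qid, (authid, ip) in auth_by_qid.items():
        s = stats[authid]
        s.messages += 1
        s.recipients += rcpts_by_qid.get(qid, 0)
        s.ips.add(ip)
    return dict(stats)


def find_surges(stats, max_messages=50, max_recipients=200, max_ips=3):
    """Return {authid: [reasons]} for accounts exceeding any limit in this window.

    Thresholds are illustrative; set them to what one user on this server
    plausibly sends in one cron interval. The distinct-IP rule is the one that
    tends to catch a stolen webmail password before raw volume stands out."""
    alerts = {}
    for authid, s in sorted(stats.items()):
        reasons = []
        if s.messages > max_messages:
            reasons.append(f"{s.messages} messages (limit {max_messages})")
        if s.recipients > max_recipients:
            reasons.append(f"{s.recipients} recipients (limit {max_recipients})")
        if len(s.ips) > max_ips:
            reasons.append(f"{len(s.ips)} source IPs (limit {max_ips}): {', '.join(sorted(s.ips))}")
        if reasons:
            alerts[authid] = reasons
    return alerts


if __name__ == "__main__":
    # From cron, pass only the last interval of /var/log/maillog (e.g. logtail output);
    # with no argument it runs on the constructed sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    found = find_surges(parse_log(source))
    for authid, reasons in found.items():
        print(f"ALERT authid={authid}: " + "; ".join(reasons))
    sys.exit(1 if found else 0)  # non-zero exit makes cron mail the output to you
```

On the sample, bob trips the recipient and distinct-IP rules with only four messages, which is the point: a per-authid view catches the abuse while the queue is still empty, well before a mailq threshold or a blacklist listing would. Pair it with something that disables the authid (or its password) automatically if you want to stop the outbreak rather than just hear about it.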

Re: Question on early detection for relay spam

2020-03-04 Thread RW
On Tue, 03 Mar 2020 16:05:31 -0800
Ted Mittelstaedt wrote:


> 2FA isn't going to help unless 2FA could be applied to the SMTP Auth
> port.  

Sometimes 2FA on webmail is combined with separate autogenerated
passwords for pop/imap/submission.


Re: Question on early detection for relay spam

2020-03-04 Thread Bill Cole

On 4 Mar 2020, at 14:43, RW wrote:

> On Tue, 03 Mar 2020 16:05:31 -0800
> Ted Mittelstaedt wrote:
> 
>> 2FA isn't going to help unless 2FA could be applied to the SMTP Auth
>> port.
> 
> Sometimes 2FA on webmail is combined with separate autogenerated
> passwords for pop/imap/submission.


A.k.a. "application passwords" which people may be accustomed to as a 
feature of both Google's and Apple's 2FA implementations.


It is also possible to couple 2FA with OAuth 2.0 (as Google does) 
although that does put you in the position of forcing users to adopt 
MUAs that support OAuth 2.0.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Question on early detection for relay spam

2020-03-04 Thread Rupert Gallagher
Fails with travelling clients.

 Original Message 
On Mar 3, 2020, 16:49, Benny Pedersen wrote:

> Marc Roos wrote on 2020-03-03 16:15:
>> Use ipset, hardly causing any latency using 50k entries.
>
> I don't need to block 50k entries, but only whitelist a few accepted client
> IPs, where I resolve the ASN and open this specific ASN to have access; if
> there is abuse it will be removed so it is blocked again. I have tried
> blocking 50k entries and it failed miserably; for me it does not matter whether
> ipsets were used or not.
>
> Keeping it tight helps a lot.
>
> The log I showed was not from clients that already had access, so no
> need to block it.
>
> If you know iptables you don't need ipsets :=)

Re: Question on early detection for relay spam

2020-03-04 Thread @lbutlr
On 04 Mar 2020, at 16:27, Rupert Gallagher  wrote:
> Fails with travelling clients.

Depends. I block several countries from accessing my mail server. If someone 
travels to one of those countries, they can use webmail to access their mail.

There are always options.

However, most people simply use a VPN.



Re: Question on early detection for relay spam

2020-03-04 Thread Benny Pedersen

Rupert Gallagher wrote on 2020-03-05 00:27:

> Fails with travelling clients.


my customers want vacation without stress :=)