Sam, I agree, it would be excellent if the filters can be enabled with SMTP-AUTH.

On 09/04/13 08:58, Faris Raouf wrote:
>> I have a doubt:
>> If a user authenticates with SMTP auth. All filters are ignored?
>> If true, Why?
>>
> All filters other than the reply delay (earlytalker filter) are, as far as
> I'm aware, disabled when smtp authentication happens.
>
> But I was going to post about this too. I also would love the *option* to
> enable filters even if there's authentication. Sam, please can you consider
> this for a future version?
>
> I know it is unusual to want filtering enabled if there's authentication
> going on. Let me explain why I want it:
>
> We get 100s of connections from botnets (almost every connection is from a
> different IP, so fail2ban etc is no good) trying smtp auth dictionary
> attacks. They also use username/password combos from hacked third party
> sites (some of which made the news) where the passwords were not
> encrypted/didn't have salt.
>
> In order to reduce the impact of such attacks, I want to block smtp auth
> from certain countries - countries where we have no customers and therefore
> nobody should be authenticating from them. These countries are where the
> bulk of these attacks are coming from. Firewalling is not an option as there
> are too many IPs involved.
>
> I already have a local dnsbl set up with country-specific IP ranges loaded,
> which I already use in conjunction with mod_security on port 80 (and also
> via spamdyke on port 25). But I want to use this on port 587 too, even when
> someone authenticates correctly.
>
> Yes, I know, there is the potential for some issues -- what if a customer
> goes on vacation to a country that I've blocked. But in general I'm willing
> to risk this.
>
> I also want to block smtp auth if the connecting IP has no rDNS. I've been
> looking at my logs, and not one single legitimate auth in the past 30 days
> has come from an IP with no rDNS. But a reasonable proportion of botnet auth
> attempts have come from IPs with no rDNS.
>
> So basically that's why I would like the option to enable the usual dnsbl,
> rdns, etc etc filtering rules even if authentication happens.
>
> Ideally I'd like a special error message when there's a successful auth from
> a "filtered" IP. This would immediately tell me that the bad guys most
> likely have someone's real username/password combo, allowing me to change
> the password on that account before any damage has occurred.
>
> In addition, please can there also be a time limit option on successful smtp
> auth connections please? Last week I had a spammer who authenticated and
> stayed connected for two and a half hours sending spam after spam (not too
> much damage was done as I saw it happen and stopped the outgoing queue -- I
> just got confused and didn't think to kill the qmail-smtpd process manually.
> But that's another story).
>
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users

--
Jorge R. Constenla
j...@rednetgroup.com
Director General
-----------------------------
RED NET GROUP SA
Internet Services Provider
-----------------------------
Av. Cordoba 1318 Piso 14 "B"
C1055AAQ, Capital Federal
Buenos Aires - Argentina
-----------------------------
Phone: (54 11) 4119.2000
Fax  : (54 11) 4119.2005
http://www.rednet.com.ar
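
Added example (not part of the thread, and not spamdyke code or configuration): a Python sketch of the log review the quoted message describes, flagging successful SMTP AUTH sessions from IPs the normal filters would have rejected, or that stay connected too long. The record layout, the networks, the rDNS table and the 30-minute limit are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed data: documentation-range networks standing in for the
# country-specific ranges loaded into the local DNSBL.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]
# Constructed PTR lookup results; None (or a missing entry) means no rDNS.
RDNS = {"192.0.2.10": "mail.customer.example", "192.0.2.77": None,
        "198.51.100.23": "host23.isp.example", "203.0.113.200": "dsl.isp.example"}
MAX_SESSION = timedelta(minutes=30)  # assumed limit, not a spamdyke setting

# Constructed auth records: (start, end, source IP, username, auth succeeded)
RECORDS = [
    ("2013-04-09 08:01:00", "2013-04-09 08:01:20", "192.0.2.10", "alice", True),
    ("2013-04-09 08:02:00", "2013-04-09 08:02:05", "198.51.100.23", "bob", False),
    ("2013-04-09 08:03:00", "2013-04-09 08:03:30", "198.51.100.23", "bob", True),
    ("2013-04-09 08:04:00", "2013-04-09 08:04:10", "192.0.2.77", "carol", True),
    ("2013-04-09 09:00:00", "2013-04-09 11:30:00", "192.0.2.10", "dave", True),
    ("2013-04-09 09:05:00", "2013-04-09 09:05:40", "203.0.113.200", "erin", True),
]

def filter_reasons(ip, rdns=RDNS, nets=BLOCKED_NETS):
    """Return the reasons the usual filters would have rejected this IP."""
    addr = ipaddress.ip_address(ip)
    reasons = []
    if any(addr in net for net in nets):
        reasons.append("blocked-range")
    if not rdns.get(ip):
        reasons.append("no-rdns")
    return reasons

def review(records):
    """Return (username, ip, reasons) for successful auths needing attention."""
    fmt = "%Y-%m-%d %H:%M:%S"
    alerts = []
    for start, end, ip, user, ok in records:
        if not ok:
            continue  # failed guesses are background noise; a success is the signal
        reasons = filter_reasons(ip)
        if datetime.strptime(end, fmt) - datetime.strptime(start, fmt) > MAX_SESSION:
            reasons.append("long-session")
        if reasons:
            alerts.append((user, ip, reasons))
    return alerts

if __name__ == "__main__":
    for user, ip, reasons in review(RECORDS):
        print(f"ALERT {user} from {ip}: {', '.join(reasons)} (reset password)")
```
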