On 03/03/20 08:54, Benny Pedersen wrote:
> Ted Mittelstaedt wrote on 2020-03-03 08:26:
>> What do other people do for this problem?
Hi Ted,
<vendor>
What I can suggest is to look at our DQS product
(https://www.spamhaustech.com/dqs/), that even in its free subscription
model includes AuthBL, a list made of botnets known to be used to spam
with abused credentials. A simple 5xx if a client connects to your
submission port using a listed IP would take care of *most* of your
problems.
</vendor>
After that, just running a daily report with a table like:

sasl_username - number of different IPs observed in the latest 24h

can help you find out abused credentials that were being used by bots
(still) not in AuthBL.
I've observed in the field that this is an approach that works when you
have up to 20-30k users; after this threshold you may want to write
something to automate warnings and/or automatically block accounts if
they exceed a defined threshold of (different_ips per sasl_username) per
hour.
--
Best regards,
Riccardo Alfieri
Spamhaus Technology
https://www.spamhaustech.com/
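
Added example, not part of the original message: one way to build the daily table described above (sasl_username against number of different IPs in the last 24h) and the per-hour threshold check. It assumes Postfix smtpd log lines of the form `client=host[IP], sasl_method=..., sasl_username=...`; the function names, the threshold value and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Postfix smtpd line shape: "... client=host[IP], sasl_method=X, sasl_username=USER"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?client=[^\[\s]*\[(?P<ip>[^\]]+)\]"
    r".*?sasl_username=(?P<user>\S+)"
)

def parse(lines, year):
    """Yield (timestamp, sasl_username, client_ip); syslog omits the year, so pass it in."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # lines without a SASL login (plain connects, etc.) are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"].lower(), m["ip"]

def daily_report(events, now):
    """Rows of (sasl_username, distinct IPs in the 24h before `now`), busiest first."""
    ips = defaultdict(set)
    for ts, user, ip in events:
        if now - timedelta(hours=24) < ts <= now:
            ips[user].add(ip)
    return sorted(((u, len(s)) for u, s in ips.items()), key=lambda r: (-r[1], r[0]))

def hourly_offenders(events, threshold):
    """Users with more than `threshold` different IPs inside a single clock hour."""
    buckets = defaultdict(set)
    for ts, user, ip in events:
        buckets[(user, ts.replace(minute=0, second=0))].add(ip)
    return sorted({u for (u, _), s in buckets.items() if len(s) > threshold})

# Constructed sample log lines (documentation IP ranges, made-up accounts).
SAMPLE = """\
Mar  1 22:15:00 mx postfix/submission/smtpd[700]: 1A2B3C: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=alice@example.org
Mar  3 07:01:10 mx postfix/submission/smtpd[911]: 4A1B2C: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.org
Mar  3 07:05:42 mx postfix/submission/smtpd[912]: 4A1B2D: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.org
Mar  3 07:12:00 mx postfix/submission/smtpd[913]: 4A1B2E: client=host.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.org
Mar  3 07:40:03 mx postfix/submission/smtpd[914]: 4A1B2F: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=alice@example.org
Mar  3 08:30:00 mx postfix/submission/smtpd[915]: 4A1B30: client=host.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.org
Mar  3 08:31:00 mx postfix/submission/smtpd[916]: connect from unknown[203.0.113.5]
""".splitlines()

if __name__ == "__main__":
    events = list(parse(SAMPLE, 2020))
    for user, count in daily_report(events, datetime(2020, 3, 3, 9, 0)):
        print(f"{user:25} {count}")
```

The threshold passed to `hourly_offenders` is site-specific; accounts it returns are candidates for a warning or an automatic block, as the message suggests for larger user bases.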