Mailing List Archive: exim: users

Kick user - force disconnect authenticated sessions

Index | Next | Previous | View Threaded

mg at fork

Aug 7, 2013, 3:44 PM

Post #1 of 18 (54 views)
Permalink

Kick user - force disconnect authenticated sessions

Hi
I wonder if it's possible to disconnect all active sessions for given
authenticated user.

It would be used to close sessions used by accounts stolen by spammers.After
detecting unusual rate of mails from one account I lock it in database, freeze
all suspiciousmails in queue, send alert to postmasterand close all imap/pop3
sessions (with `doveadm kick user@`) - I'd like to close all SMTP sessions as
well (and do it quick!) but I don't know how to find them. Unfortunately
process_info log (like viewed by exiwhat) doesn't include authentication info.

Possible soultions that came to my mind (not really useful):
1. Extending set_process_info() calls but I'm afraid this could break some
scriptsusing exiwhat. Patch maintenance could be painful too...
2. Killing all exim processes (not acceptable for largerserverswith hundrets
of active sessions)
3. Parsing log files to find sessions (doesn't work because PIDs are not
logged for smtp child processes)
4. Parsing log files and blocking IPs on local firewall (parsing is i/o
hungry, long blacklist overhead on firewall, blacklist cleanup not so easy,
possible false positives including original account owner)

Can you advise different/better approach?

best regards

--
Marcin Gryszkalis, PGP 0x9F183FA3
jabber jid:mg [at] fork, gg:2532994

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

mg at fork

Aug 8, 2013, 12:27 AM

Post #2 of 18 (52 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

Cyborg wrote(a):
> sound very compilacted.
> iptables -A smtp -s {offendingip} -j REJECT
> Add a password change to it, as you always need to do that to keep
> them out and your done.

But I still would need to parse logs because usually the hijacked
account is abused by botnet with many different IPs spread around the
world. Parsing logs takes time and i/o.

regards
--
Marcin Gryszkalis, PGP 0x9F183FA3
jabber jid:mg [at] fork, gg:2532994

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

exim-users at spodhuis

Aug 8, 2013, 12:53 AM

Post #3 of 18 (52 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

On 2013-08-08 at 00:44 +0200, Marcin Gryszkalis wrote:
> It would be used to close sessions used by accounts stolen by spammers.After
> detecting unusual rate of mails from one account I lock it in database, freeze
> all suspiciousmails in queue, send alert to postmasterand close all imap/pop3
> sessions (with `doveadm kick user@`) - I'd like to close all SMTP sessions as
> well (and do it quick!) but I don't know how to find them. Unfortunately
> process_info log (like viewed by exiwhat) doesn't include authentication info.

log_selector = +pid +smtp_connection

Make sure that the authenticators use server_set_id to note the identity
of the client.

At this point, you only know about the authenticated users once they've
tried to send one email, but once they do, you have a log-line which
records with A=<authenticator>:$authenticated_id which user
authenticated to try to send the email (thus the need to use
server_set_id) and early in the log-line you have a [pid] field in
square brackets.

At that point, it's a grep/xargs problem, which you can script.
Something like this, untested, is the dangerous version:

#!/bin/sh
## HUGE CAVEAT: read below, danger using this on a busy system
userid="${1:?need a user id}"
shift
if [ $# -lt 1 ]; then
echo >&2 "$0: need at least one logfile"
exit 1
fi
for logfile
do
pcregrep '\bA=[^:]+:'"${userid} " "$logfile" | \
pcregrep -o '^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \[\K\d+(?=\])'
done | xargs -t kill -v

However, on a busy mail-server, pids get recycled and used again.

Thus the +smtp_connection in the log_selector: this will tell you when
connections are made and when they're lost (whether by EOF or QUIT).

So a better solution will use the regular expressions as the starting
point in a log-processing script which notes the pids but removes them
from the candidate list when a log-line shows that the connection closes
(that line will also have the pid on it: pid is *consistently* logged,
when in the selector) and end up with "pids which have seen mail
authenticated as this user and for which we have not seen a connection
close".

That'll take slightly longer to write, so is left as an exercise for the
reader. :)

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

exim-users at lists

Aug 8, 2013, 2:17 AM

Post #4 of 18 (52 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

* on the Thu, Aug 08, 2013 at 12:44:00AM +0200, Marcin Gryszkalis wrote:

> I wonder if it's possible to disconnect all active sessions for given
> authenticated user.

[snip]

> Can you advise different/better approach?

Couldn't you just perform a check in the pre-data acl
to see if the user has been blocked and perform a "drop" if
they have? It wouldn't give you an immediate disconnect, but
it would disconnect them as soon as they try to send another
email on an existing connection. Practically speaking, it
probably would drop connections just as fast as anything
else you come up with...

--
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4

Attachments:

signature.asc (0.58 KB)

jgh at wizmail

Aug 8, 2013, 3:11 AM

Post #5 of 18 (52 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

On 08/08/13 10:17, Mike Cardwell wrote:
> * on the Thu, Aug 08, 2013 at 12:44:00AM +0200, Marcin Gryszkalis wrote:
>
>> I wonder if it's possible to disconnect all active sessions for given
>> authenticated user.
>
> [snip]
>
>> Can you advise different/better approach?
>
> Couldn't you just perform a check in the pre-data acl
> to see if the user has been blocked and perform a "drop" if
> they have?

You might also consider doing something special with the
user's queued items, in routing. And doing queue-only
on anyone sending at a high rate.
--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Lena at lena

Aug 8, 2013, 5:19 AM

Post #6 of 18 (52 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

> From: Marcin Gryszkalis

> I wonder if it's possible to disconnect all active sessions for given
> authenticated user.

> It would be used to close sessions used by accounts stolen by spammers.

Do you already have compromised accounts blocked when automatically detected?
If no then automatic blocking of new RCPT commands for blocked account
(and dropping all already accepted recipients of the spam message which
was the last straw which triggered the detector) is better than nothing,
and I don't see much difference from killing connections.
Implement this at first: https://github.com/Exim/exim/wiki/BlockCracking
After it triggers, tell us whether it in fact did its job
and how much unfrozen spams via that compromised account in the queue
did you see. You'll see frozen spam, but I'm interested in
quantity of unfrozen.

> After detecting unusual rate of mails from one account

How much exactly and per what time period do you consider unusual?

> I lock it in database, freeze
> all suspiciousmails in queue, send alert to postmaster

The code linked above does all this.

> and close all imap/pop3
> sessions (with `doveadm kick user@`)

Did you ever see a botnet to use SMTP and IMAP/POP3 for the same account
simultaneously? For what?

> From: Mike Cardwell

> Couldn't you just perform a check in the pre-data acl
> to see if the user has been blocked and perform a "drop" if
> they have? It wouldn't give you an immediate disconnect, but
> it would disconnect them as soon as they try to send another
> email on an existing connection. Practically speaking, it
> probably would drop connections just as fast as anything
> else you come up with...

Yes, this is as good as instant killing of connections,
and better than parsing logs.
But I'm interested how many messages this will in fact drop.
If you are really sure that such botnet does in fact use
multiple simultaneous connections authenticated with the same account
then you can add to the code linked above:

acl_check_predata:
accept authenticated = *
condition = ${if exists{$spool_directory/blocked_authenticated_users}}
condition = ${lookup{$acl_m_user}lsearch\
{$spool_directory/blocked_authenticated_users}{1}{0}}
control = freeze/no_tell
control = submission/domain=
add_header = X-Authenticated-As: $acl_m_user

accept hosts = !@[] : +relay_from_hosts
condition = ${if exists{$spool_directory/blocked_relay_users}}
condition = ${lookup{$acl_m_user}lsearch\
{$spool_directory/blocked_relay_users}{1}{0}}
control = freeze/no_tell
control = submission/domain=
add_header = X-Relayed-From: $acl_m_user

accept

and same in acl_check_data (even less likely to catch some more).

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

frettled at gmail

Aug 8, 2013, 6:01 AM

Post #7 of 18 (52 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

On Thu, Aug 8, 2013 at 2:19 PM, <Lena [at] lena> wrote:

>
>
> Did you ever see a botnet to use SMTP and IMAP/POP3 for the same account
> simultaneously? For what?
>

I have not seen quite simultaneous use, but I have seen such use, yes.

Some botnets are used for spamming/phishing, and the IMAP/POP3 accounts are
used for taking care of responses from gullible users.

I thought that was a very common operation to run.
--
Jan
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

mg at fork

Aug 8, 2013, 6:26 AM

Post #8 of 18 (52 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

On 2013-08-08 09:53, Phil Pennock wrote:
> log_selector = +pid +smtp_connection

great, didn't know about it.

> records with A=<authenticator>:$authenticated_id which user
> authenticated to try to send the email (thus the need to use
> server_set_id) and early in the log-line you have a [pid] field in
> square brackets.

As I dislike the idea of parsing log files (takes too long etc.) - but
another idea came to my mind after reading your advise - I can save
pair(pid,autenticated_id) to database with pid as unique key (to solve
pid reuse) and simple select+kill would do.

> (that line will also have the pid on it: pid is *consistently* logged,
> when in the selector) and end up with "pids which have seen mail
> authenticated as this user and for which we have not seen a connection
> close".

I'll log pids anyway for debug :)

regards
--
Marcin Gryszkalis, PGP 0x9F183FA3
jabber jid:mg [at] fork, gg:2532994

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

mg at fork

Aug 8, 2013, 6:28 AM

Post #9 of 18 (52 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

On 2013-08-08 11:17, Mike Cardwell wrote:
> Couldn't you just perform a check in the pre-data acl
> to see if the user has been blocked and perform a "drop" if
> they have? It wouldn't give you an immediate disconnect, but
> it would disconnect them as soon as they try to send another
> email on an existing connection.

I'm already doing this but still wanted some improvement because of
the way bots work (I'll write more on the subject in next mail).

regards
--
Marcin Gryszkalis, PGP 0x9F183FA3
jabber jid:mg [at] fork, gg:2532994

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

frettled at gmail

Aug 8, 2013, 6:41 AM

Post #10 of 18 (52 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

On Thu, Aug 8, 2013 at 3:26 PM, Marcin Gryszkalis <mg [at] fork> wrote:

> As I dislike the idea of parsing log files (takes too long etc.) - but
> another idea came to my mind after reading your advise - I can save
> pair(pid,autenticated_id) to database with pid as unique key (to solve
> pid reuse) and simple select+kill would do.

You would also have to check that the process is an exim process, and you
should probably check that the process you want to kill belongs to the exim
user.

If this is a Linux, chances are that you can get the message identificator
from ps, too:

$ ps -o cmd -p 17940
/usr/sbin/exim4 -Mc 1V7QMJ-0005WT-CR

So here's my idea on how to check this reasonably reliably:

1) Ensure that the PID isn't re-used while you work: kill -STOP $pid
2) Check that $pid is the right process given the information in e.g. "ps
-o cmd -p $pid"
3) Send it an uninterruptable kill signal: kill -KILL $pid
4) Resume to actually have it killed: kill -CONT $pid

Please note that kill -KILL is very brutal, and gives the process no chance
to clean up its state. This may be what you desire if it is very important
that exim doesn't get to do its job.

--
Jan
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

mg at fork

Aug 8, 2013, 7:03 AM

Post #11 of 18 (52 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

On 2013-08-08 14:19, Lena [at] lena wrote:
>> It would be used to close sessions used by accounts stolen by
>> spammers.
>
> Do you already have compromised accounts blocked when automatically
> detected?

yes

> If no then automatic blocking of new RCPT commands for blocked account
> (and dropping all already accepted recipients of the spam message which
> was the last straw which triggered the detector) is better than
> nothing,
> and I don't see much difference from killing connections.

I think I may see difference (see below)

> Implement this at first:
> https://github.com/Exim/exim/wiki/BlockCracking

Thanks, I'll look at this tonight.

>> After detecting unusual rate of mails from one account
>
> How much exactly and per what time period do you consider unusual?

I'm doing simple statistics, ie. I keep counters in database (aggregated
for day and account):
mails, traffic size and recipients number. So I can see that this
particular user sends for
example average of 10 mails per day (averaged over 30 days). If I see
500% increase in number
of mails sent then it means that something's wrong.

I also have some static thresholds (like 1000 recipients/day) for cases
when above statistics fail.

> Did you ever see a botnet to use SMTP and IMAP/POP3 for the same
> account
> simultaneously? For what?

I've seen bots gathering valid recipients from victim's mailbox (this is
what I guess - they just
checked headers for all emails).

> But I'm interested how many messages this will in fact drop.
> If you are really sure that such botnet does in fact use
> multiple simultaneous connections authenticated with the same account
> then you can add to the code linked above:

I'm sure, recently I've seen something like 20+ simultaneous connection
attempts from different IPs.
Even worse - it looked a bit similar to ssh-dictionary-attack bots:
every bot/ip was used to send
no more than 1-3 mails.

best regards
--
Marcin Gryszkalis, PGP 0x9F183FA3
jabber jid:mg [at] fork, gg:2532994

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

mg at fork

Aug 8, 2013, 7:09 AM

Post #12 of 18 (52 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

On 2013-08-08 15:41, Jan Ingvoldstad wrote:
> $ ps -o cmd -p 17940
> /usr/sbin/exim4 -Mc 1V7QMJ-0005WT-CR

You're right - pid could be reused by different application.
Though I think it would be faster to do simple stat call for /proc/17940

> Please note that kill -KILL is very brutal, and gives the process no
> chance
> to clean up its state. This may be what you desire if it is very
> important
> that exim doesn't get to do its job.

I planned to check if exim closes more-less immediately (but still with
proper cleanup) on SIGTERM.

regards
--
Marcin Gryszkalis, PGP 0x9F183FA3
jabber jid:mg [at] fork, gg:2532994

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

jrg at acm

Aug 8, 2013, 7:19 AM

Post #13 of 18 (52 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

On 08/08/2013 15:09, Marcin Gryszkalis wrote:
> You're right - pid could be reused by different application.
> Though I think it would be faster to do simple stat call for /proc/17940

just send the kill signal as the Exim user. Then you don't need to worry too
much about whether it's stopped being an Exim process.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

frettled at gmail

Aug 8, 2013, 7:27 AM

Post #14 of 18 (52 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

On Thu, Aug 8, 2013 at 4:19 PM, James R Grinter <jrg [at] acm> wrote:

>
> just send the kill signal as the Exim user. Then you don't need to worry
> too much about whether it's stopped being an Exim process.
>

You still need to worry about it being another Exim process.

This may cause undesired side effects for legitimate users.
--
Jan
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

tlyons at ivenue

Aug 8, 2013, 9:46 AM

Post #15 of 18 (52 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

On Thu, Aug 8, 2013 at 7:03 AM, Marcin Gryszkalis <mg [at] fork> wrote:
>> Implement this at first: https://github.com/Exim/exim/wiki/BlockCracking
> Thanks, I'll look at this tonight.

The exim configuration above will get rid of nearly all of your issues.

>>> After detecting unusual rate of mails from one account
>> How much exactly and per what time period do you consider unusual?
> I'm doing simple statistics, ie. I keep counters in database (aggregated for
> day and account):
> mails, traffic size and recipients number. So I can see that this particular
> user sends for
> example average of 10 mails per day (averaged over 30 days). If I see 500%
> increase in number
> of mails sent then it means that something's wrong.
> I also have some static thresholds (like 1000 recipients/day) for cases when
> above statistics fail.

Behavior of the abuse source indicates what's ultimately doing it

1) Multiple IP's send with SMTP Auth, more than N ip addresses per
$INTERVAL. Typical of a botnet. How did the botnet get the
user/pass? Could be trojan on his windows machine. Could be your
pop/imap servers don't detect and/or block brute force. Could be your
smtp auth servers don't detect and/or block brute force. (The URL
authored by Lena will solve MUCH of this for you).

2) One single IP sends with SMTP Auth, more than N messages per
$INTERVAL. Typical of a spamware trojan on the customer's computer.

2b) One single IP sends with SMTP Auth, more than N messages per connection.

>> Did you ever see a botnet to use SMTP and IMAP/POP3 for the same account
>> simultaneously? For what?

No, not noticed, but...

> I've seen bots gathering valid recipients from victim's mailbox (this is
> what I guess - they just
> checked headers for all emails).

I never looked for this particular signal. I'll pay attention in the future.

>> But I'm interested how many messages this will in fact drop.
>> If you are really sure that such botnet does in fact use
>> multiple simultaneous connections authenticated with the same account
>> then you can add to the code linked above:

Here is a typical botnet abused account for me:

2013-08-01 -> mailbox joe [at] OBFUSCATED: (13)
109.162.53.114 => 1
113.179.7.245 => 1
178.127.206.42 => 1
178.172.228.184 => 1
178.45.98.44 => 1
212.76.21.55 => 1
213.111.169.21 => 1
37.212.92.153 => 1
37.45.134.250 => 1
37.45.202.213 => 1
46.28.69.81 => 1
77.121.250.77 => 1
84.238.189.212 => 1
Last connection from 77.121.250.77 at 11:59:03

> I'm sure, recently I've seen something like 20+ simultaneous connection
> attempts from different IPs.
> Even worse - it looked a bit similar to ssh-dictionary-attack bots: every
> bot/ip was used to send
> no more than 1-3 mails.

I see that too. They keep the number of emails per session down so
that it doesn't trip other types of spam detection (i.e. 2b above).

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

exim-users at spodhuis

Aug 8, 2013, 11:27 AM

Post #16 of 18 (37 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

On 2013-08-08 at 15:26 +0200, Marcin Gryszkalis wrote:
> On 2013-08-08 09:53, Phil Pennock wrote:
> > records with A=<authenticator>:$authenticated_id which user
> > authenticated to try to send the email (thus the need to use
> > server_set_id) and early in the log-line you have a [pid] field in
> > square brackets.
>
> As I dislike the idea of parsing log files (takes too long etc.) - but
> another idea came to my mind after reading your advise - I can save
> pair(pid,autenticated_id) to database with pid as unique key (to solve
> pid reuse) and simple select+kill would do.

That only works if all processes reachable by the killer are receiver
processes. Otherwise, a process forked to be a transport for delivery,
for instance, becomes susceptible to killing.

So it's not even worth worrying about "unauthenticated inbound-to-MX"
connections or killing the daemon -- the DB you propose would be
incomplete.

If your C is decent, you might add support to Exim for evaluating a
string as a post-condition in the daemon after reaping a child process,
with the child process pid in an expansion variable, such that you could
say:
daemon_post_incoming = ${lookup sqlite {AUTHPIDSDBFILE \
DELETE FROM auth_pids WHERE pid='${quote_sqlite:$reaped_pid}'}}

This then only assumes that the daemon will be scheduled and run for
long enough to evaluate reaped child hooks, before the pid space is
cycled. Given that there will be a blocking zombie until you get the
pid reaped, that's a very small window which should be safe in all but
the most exotic of scheduling snafus.

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

jasen at xnet

Aug 9, 2013, 5:17 PM

Post #17 of 18 (35 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

On 2013-08-07, Marcin Gryszkalis <mg [at] fork> wrote:
> Hi
> I wonder if it's possible to disconnect all active sessions for given
> authenticated user.
>
> It would be used to close sessions used by accounts stolen by spammers.After
> detecting unusual rate of mails from one account I lock it in database, freeze
> all suspiciousmails in queue, send alert to postmasterand close all imap/pop3
> sessions (with `doveadm kick user@`) - I'd like to close all SMTP sessions as
> well (and do it quick!) but I don't know how to find them. Unfortunately
> process_info log (like viewed by exiwhat) doesn't include authentication info.
[...]
> Can you advise different/better approach?

Does it matter if they can connect if having connected they can't
submit any mail?

can you add a conditon in the PREDATA, MAIL and/or RCPT acls that checks
for a flag-file ( eg: /home/$auth_user/.allowed-to-send )

how does dovecot indicate a user has been banned, exim can probably check for
that condition before accepting the email.

--
⚂⚃ 100% natural

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

jasen at xnet

Aug 9, 2013, 5:26 PM

Post #18 of 18 (36 views)
Permalink

Re: Kick user - force disconnect authenticated sessions [In reply to]

On 2013-08-08, Lena [at] lena <Lena [at] lena> wrote:
>> From: Marcin Gryszkalis
>
>> I wonder if it's possible to disconnect all active sessions for given
>> authenticated user.
>
>> It would be used to close sessions used by accounts stolen by spammers.
>
> Do you already have compromised accounts blocked when automatically detected?
> If no then automatic blocking of new RCPT commands for blocked account
> (and dropping all already accepted recipients of the spam message which
> was the last straw which triggered the detector) is better than nothing,
> and I don't see much difference from killing connections.
> Implement this at first: https://github.com/Exim/exim/wiki/BlockCracking
> After it triggers, tell us whether it in fact did its job
> and how much unfrozen spams via that compromised account in the queue
> did you see. You'll see frozen spam, but I'm interested in
> quantity of unfrozen.
>
>> After detecting unusual rate of mails from one account
>
> How much exactly and per what time period do you consider unusual?
>
>> I lock it in database, freeze
>> all suspiciousmails in queue, send alert to postmaster
>
> The code linked above does all this.
>
>> and close all imap/pop3
>> sessions (with `doveadm kick user@`)
>
> Did you ever see a botnet to use SMTP and IMAP/POP3 for the same account
> simultaneously? For what?

I've seen them use dictionary attacks against POP3 to get passwords for
SMTP-AUTH (or presumably for SMTP-after-POP3)

--
⚂⚃ 100% natural

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads