Linux Archive - Debian ISP - sasl spam? (http://www.linux-archive.org/debian-isp/713544-sasl-spam.html)

Marek Podmaka 10-07-2013 01:42 PM

sasl spam?
 
Hello all,

During the last week we had 2 different email accounts compromised and
used to send thousands of spams via our mailserver. Users were
authenticated via SASL and connections were from many different IPs
(different countries), so it looks like some botnet. But both users
had 8-char random passwords, each IP is limited to only 5
unsuccessful SASL attempts via fail2ban, so I guess there must be
some kind of virus in the wild which is stealing email passwords from
users' computers...

I was thinking about limiting the number of different IPs a user is
allowed to login from during a timeframe (for example allow SASL from
max. 10 IPs during a 60min sliding window). Is there any tool which
could do that, or do I need to write it?
Or what other countermeasures do you suggest? BTW, does postfix have a
limit on the no. of emails sent by SASL user (not by envelope sender), or
by sender domain?


--
bYE, Marki


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/1055097688.20131007154215@marki-online.net

Matus UHLAR - fantomas 10-07-2013 02:16 PM

sasl spam?
 
On 07.10.13 15:42, Marek Podmaka wrote:

> During the last week we had 2 different email accounts compromised and
> used to send thousands of spams via our mailserver. Users were
> authenticated via SASL and connections were from many different IPs
> (different countries), so it looks like some botnet. But both users
> had 8-char random passwords, each IP is limited to only 5
> unsuccessful SASL attempts via fail2ban, so I guess there must be
> some kind of virus in the wild which is stealing email passwords from
> users' computers...


Do you require, or at least provide, SSL/TLS encryption for SMTP users?
While the possibility of such malware is quite high (there was already malware
stealing FTP passwords), it may not be able to sniff on encrypted
connections.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Microsoft dick is soft to do no harm


Archive: http://lists.debian.org/20131007141632.GA9639@fantomas.sk

Marek Podmaka 10-07-2013 02:55 PM

sasl spam?
 
Hello,

Monday, October 7, 2013, 16:16:32, Matus UHLAR - fantomas wrote:

> Do you require, or at least provide, SSL/TLS encryption for SMTP users?
> While the possibility of such malware is quite high (there was already malware
> stealing FTP passwords), it may not be able to sniff on encrypted
> connections.

Of course we have smtp/pop3/imap also over ssl/starttls, although I
don't have stats on how many users do use it. Malware can redirect the
SMTP/IMAP connection to itself like much antivirus software does. Or
maybe it sniffs on the local network, but I don't think it's very
effective in switched networks (hmm, or maybe public wifi).

Good idea about requiring SSL/TLS. Is there any overview of whether there are
clients/mobile devices actively in use which don't support it? For
example, will Outlook without SSL/TLS configured use it if the server
requires it?

BTW the FTP stealing is still a threat; if I remember correctly, it steals
passwords from Total Commander. That's why we enable FTP from exotic
countries (geoip) only on request.


--
bYE, Marki


Archive: http://lists.debian.org/302597851.20131007165552@marki-online.net

Matus UHLAR - fantomas 10-07-2013 03:30 PM

sasl spam?
 
> Monday, October 7, 2013, 16:16:32, Matus UHLAR - fantomas wrote:
>
>> Do you require, or at least provide, SSL/TLS encryption for SMTP users?
>> While the possibility of such malware is quite high (there was already malware
>> stealing FTP passwords), it may not be able to sniff on encrypted
>> connections.


On 07.10.13 16:55, Marek Podmaka wrote:
> Of course we have smtp/pop3/imap also over ssl/starttls, although I
> don't have stats on how many users do use it.


With e.g. Courier MTA you can allow plaintext authentication only over an
enciphered connection.


> Malware can redirect the
> SMTP/IMAP connection to itself like much antivirus software does.


Using proper certificates could detect the MITM attack.


> Or maybe it sniffs on the local network, but I don't think it's very
> effective in switched networks (hmm, or maybe public wifi).


that's it...


> Good idea about requiring SSL/TLS. Is there any overview of whether there are
> clients/mobile devices actively in use which don't support it? For
> example, will Outlook without SSL/TLS configured use it if the server
> requires it?


I have no idea if some clients don't support encryption, but I think it
would be worth trying...


> BTW the FTP stealing is still a threat; if I remember correctly, it steals
> passwords from Total Commander. That's why we enable FTP from exotic
> countries (geoip) only on request.


I haven't got around to requiring FTPS, since there aren't many clients
supporting that. However, if you provide scp/sftp access, it should
already be possible to allow only enciphered connections.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


Archive: http://lists.debian.org/20131007153025.GA10559@fantomas.sk

10-07-2013 04:13 PM

sasl spam?
 
1. limit the output throughput

1.1 If you use postfix, the package postfix-policyd can provide sender throttling

It uses its own database:

INSERT INTO throttle
(_from,_count_max,_quota_max,_time_limit,_mail_size,_date,_priority)
VALUES (<sender>,
50,               # maximum messages per time unit
250000000,        # size in bytes (250 megs) (maximum is 2gig)
86400,            # time unit in seconds (1 day)
10240000,         # maximum message size (10 meg)
UNIX_TIMESTAMP(), # current time
<priority>);

<sender> can be
- "user@domain.com"
- "@domain.com"
- "192.168.0.1"
- "192.168.0.%"
- SASL username

So you can estimate the normal acceptable output rate and set a limit
per domain.

1.2 postfix transports

Estimate normal volume to gmail, yahoo, hotmail, ...

Configure the max volume for the destination domains that are going to blacklist you.
Use the destination_recipient_limit, initial_destination_concurrency,
destination_rate_delay, ... postfix configuration directives.

2. Early alert

Automatic report of mail.log every 1/2 hour or so, counting the # of emails sent by
envelope sender and sender domain, looking for high volumes.

On Mon, Oct 07, 2013 at 03:42:15PM +0200, Marek Podmaka wrote:
> Hello all,
>
> During the last week we had 2 different email accounts compromised and
> used to send thousands of spams via our mailserver. Users were
> authenticated via SASL and connections were from many different IPs
> (different countries), so it looks like some botnet. But both users
> had 8-char random passwords, each IP is limited to only 5
> unsuccessful SASL attempts via fail2ban, so I guess there must be
> some kind of virus in the wild which is stealing email passwords from
> users' computers...
>
> I was thinking about limiting the number of different IPs user is
> allowed to login from during a timeframe (for example allow SASL from
> max. 10 IPs during a 60min sliding window). Is there any tool which
> could do that or I need to write it?
> Or what other countermeasures do you suggest? BTW, does postfix have a
> limit of no. of emails sent by sasl user (not by envelope sender), or
> by sender domain?
>
>
> --
> bYE, Marki
>



Archive: http://lists.debian.org/20131007161314.GA5621@mx1.dyr.es
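The per-user sliding-window check Marek asks about in the opening post (max. 10 client IPs per SASL user in 60 minutes) and the periodic mail.log scan suggested in the last reply under "Early alert" can both be done from the smtpd log lines Postfix already writes. The script below is an added example, not a tool from the thread or from the Postfix project; it keys on sasl_username rather than envelope sender, and the hostnames, client addresses and accounts in the embedded log lines are constructed sample data (the log line format itself is Postfix's).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Real Postfix smtpd log format; hostnames, client IPs and users are constructed samples.
SASL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"[0-9A-F]+: client=[^\s\[]+\[(?P<ip>[^\]]+)\].*sasl_username=(?P<user>\S+)"
)

SAMPLE_LOG = [
    # one login two hours earlier, which must fall out of a 60-minute window
    "Oct  7 13:00:00 mx postfix/smtpd[3990]: 0A1B2C3D4E: client=unknown[198.51.100.99], "
    "sasl_method=PLAIN, sasl_username=mallory@example.com",
] + [
    # twelve logins to one account from twelve different addresses within a minute
    f"Oct  7 15:00:{i:02d} mx postfix/smtpd[4011]: 1A2B3C4D{i:02X}: "
    f"client=unknown[198.51.100.{i}], sasl_method=PLAIN, sasl_username=mallory@example.com"
    for i in range(1, 13)
] + [
    "Oct  7 15:05:00 mx postfix/smtpd[4012]: 2B3C4D5E6F: client=home.example[192.0.2.10], "
    "sasl_method=LOGIN, sasl_username=alice@example.com",
]

def parse(line, year=2013):
    """Return (timestamp, sasl_username, client_ip) for a SASL login line, else None."""
    m = SASL_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def flag_users(lines, max_ips=10, max_logins=50, window=timedelta(hours=1)):
    """Map each user exceeding a limit within the sliding window to the reason (log order assumed)."""
    recent = defaultdict(deque)  # user -> (timestamp, ip) pairs, oldest first
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, ip = rec
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        ips = {addr for _, addr in q}
        if len(ips) > max_ips:
            flagged[user] = f"{len(ips)} distinct client IPs in {window}"
        elif len(q) > max_logins:
            flagged[user] = f"{len(q)} logins in {window}"
    return flagged
```

Run it from cron against the last half hour of mail.log and mail yourself the returned dict; the compromised account shows up with 12 distinct IPs while the stale login from two hours earlier is correctly ignored.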

