Hi All

The topic "Spam sent over infected or misconfigured end-user PCs" will become a big issue. We saw viruses sending spam directly from the user's PC, downloading the recipient list and the payload through HTTP from the web.

How will you deal with the problem that one user can flood your SMTP server with thousands of emails within 10-20 minutes?

Opinions, suggestions?

thanks,
michel
Michel Renfer writes on 12/2/2003 12:50 PM:
How will you deal with the problem that one user can flood your SMTP server with thousands of emails within 10-20 minutes?
Virus filtering

Rate limit (+ script to auto-terminate user) and SMTP AUTH on outbounds

Separate inbound and outbound SMTP relay. Don't let your inbound MX relay for your dialup pool (some trojans take the rDNS name / hostname of the infected box and do nslookup -q=mx domainname)

Ask AOL for a scomp@aol.net feed - a lot of these trojan spams seem to target AOL users.

etc

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
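The "rate limit + script to auto-terminate user" idea above, as an added example that is not from the thread or any poster: a sliding-window check over constructed outbound-relay log lines that flags any authenticated user whose recipient count in a 10-minute window exceeds a threshold. The log format, user names, threshold and window size are assumptions; the actual disconnect action is left to the operator.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of outbound-relay log lines (assumed format, not from
# any real MTA): timestamp, client IP, authenticated user, recipient count.
SAMPLE_LOG = """\
2003-12-02T12:50:01 client=10.7.3.44 user=alice rcpts=1
2003-12-02T12:50:04 client=10.7.3.44 user=alice rcpts=2
2003-12-02T12:50:05 client=10.7.9.120 user=bob rcpts=1
2003-12-02T12:50:06 client=10.7.9.120 user=bob rcpts=40
2003-12-02T12:50:07 client=10.7.9.120 user=bob rcpts=40
2003-12-02T12:50:09 client=10.7.9.120 user=bob rcpts=40
2003-12-02T13:20:00 client=10.7.9.120 user=bob rcpts=1
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) user=(\S+) rcpts=(\d+)$")


def parse_line(line):
    """Return (timestamp, client_ip, user, rcpts) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_flooders(log_text, max_rcpts=100, window=timedelta(minutes=10)):
    """Map each offending user to (time of first breach, client IP, recipients
    seen in the window at that moment). A user is reported once, at the first
    moment the recipients sent within any `window` exceed `max_rcpts`."""
    events = defaultdict(deque)   # user -> deque of (timestamp, rcpts) in window
    in_window = defaultdict(int)  # user -> running recipient total in window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, user, rcpts = rec
        events[user].append((ts, rcpts))
        in_window[user] += rcpts
        # Expire events that have slid out of the window.
        while events[user] and ts - events[user][0][0] > window:
            _, old = events[user].popleft()
            in_window[user] -= old
        if in_window[user] > max_rcpts and user not in flagged:
            flagged[user] = (ts, client, in_window[user])
    return flagged
```

On the sample, only bob trips the default threshold (121 recipients by 12:50:09); a lower threshold such as 2 would also flag alice, which is why the limit has to be tuned against legitimate customer mail servers.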
----- Original Message -----
From: "Suresh Ramasubramanian" <suresh@outblaze.com>
To: "Michel Renfer" <michel.renfer@lan.ch>
Cc: <nanog@merit.edu>
Sent: Tuesday, December 02, 2003 2:23 PM
Subject: Re: SPAM from own customers
Virus filtering
Rate limit (+ script to auto terminate user) and smtp auth on outbounds
SMTP AUTH is becoming risky if it's not carefully set up and monitored. I can name one big-time spammer who has warmed up to cracking weak passwords on e-mail systems that do SMTP AUTH. Means you'd have to filter your outbound mail servers' port 25 from anyone not inside your network or a trusted source.

Virus filtering is a must, but, alas, not all mail servers filter *outgoing* mail. Most filter only incoming mail.

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The AHBL - http://www.ahbl.org
On Tue, 2 Dec 2003 14:32:16 -0500 Brian Bruns <bruns@2mbit.com> wrote:
SMTP AUTH is becoming risky if it's not carefully set up and monitored. I can name one big-time spammer who has warmed up to cracking weak passwords on e-mail systems that do SMTP AUTH. Means you'd have to filter your outbound mail servers' port 25 from anyone not inside your network or a trusted source.
Not just weak passwords, but there are also obvious default, admin, and guest accounts on some SMTP servers which are sitting there, easily guessed, and they are indeed being taken advantage of.

richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
Ask AOL for a scomp@aol.net feed - a lot of these trojan spams seem to target AOL users.
Something to be aware of with the AOL scomp feed... any time one of your users sends a message with no To address, and everyone in the BCC or CC fields, it will generate a notification to the e-mail address you've registered with them. We have caught some spam originating from our network through the feed, but for the most part it's mostly legitimate mail.

Thanks,
Adam Debus
Network Engineer, ReachONE Internet
adam@reachone.com
Michel Renfer wrote:
Hi All
The topic "Spam sent over infected or misconfigured end-user PCs" will become a big issue. We saw viruses sending spam directly from the user's PC, downloading the recipient list and the payload through HTTP from the web.
How will you deal with the problem that one user can flood your SMTP server with thousands of emails within 10-20 minutes?
In addition to the other suggestions, scanning the CBL (cbl.abuseat.org) for your own IPs is useful from an operational standpoint to find open proxies and trojans. In a similar vein, detecting customer IPs trying to connect to 47.129.25.87 on port 25 (no legitimate email goes there) will give you similar intelligence, though it's not quite as definitive as a CBL listing. Most reliable if you exclude legitimate customer mail servers (bounced forged spam and virii) or correlate to the CBL. Couple either or both with an autodisconnect script like what Suresh suggested.