Mailing List CGatePro@mail.stalker.com Message #103079
From: Nicolas Hatier <nicolas.hatier@niversoft.com>
Subject: Re: solutions for preventing mail/smtp abuse on CGPro systems
Date: Mon, 05 Mar 2012 11:46:37 -0500
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Hi

One of the latest features I implemented in our spam filter PolluStop is the ability to check outbound messages, assign them an internal spam score, and automatically block accounts when certain (configurable) triggers are reached, such as "over 20 messages with a score > 0.7 from that account in 30 minutes", with the possibility to count each recipient as a different message.

This could be helpful in this situation.

http://www.niversoft.com/pollustop

Regards
Nicolas Hatier

Nicolas Hatier, ing. <nicolas.hatier@niversoft.com>
Niversoft idées logicielles - http://www.niversoft.com


On 2012-03-05 10:48, Jeff Wark wrote:
This seems to be a pretty expensive task once you get into the thousands of accounts. In a good week, you would be checking every account 7*(24*2) times and hopefully there would be nothing changed.

Now, if something could be set up to trigger a notification upon a change to an account, that would be pretty cool. That could generate a lot of noise as well.

Also, I don't think that this method would work for us because the Webmail method has kind of fallen by the side.  SMTP Auth is where it is at for us.

On 3/5/2012 10:11 AM, Brian Gibson wrote:
We found that accounts that have been hacked have their "From:" address changed within Webmail (pretty much every time), so we wrote a Perl script that looks at everyone's "From:" address every 30 minutes and if someone's changes, it sends us an email and we investigate. So far this simple approach has really helped us catch hacked accounts quickly. When we find a compromised account we quickly change their password, rename their account (to kick the hacker off of their session), then inform the user of the issue and educate them not to hand out their password. We also take a look at the remote IP that connected to send the spam and if it is in another country I usually block it under "Settings" -> "Network" -> "Blacklisted IPs" -> "Denied IP addresses".

++++++++++++++++++++++++++++
Brian Gibson
Systems Administrator
Wheaton College


On 3/5/2012 9:13 AM, Christoph Roethlisberger wrote:
We are looking for a solution/setting that prevents spam abuse via our CGPro platform besides the relay restrictions.
As we only allow users to send emails via SMTP-Auth, we are quite safe in this regard, but unfortunately it's not enough.
Quite often we have cases where stolen or guessed passwords lead to more or less UBE mails sent via our systems. (On systems with thousands of accounts this is almost inevitable, imho.)
And these compromised accounts are then often used from within a botnet to send thousands of spam emails through our systems.

Unfortunately CGPro's only defense against that is the "Outgoing Mail Limit", which limits the number of emails per timeslot and account.
But combined with a reasonable setting of 50-100 recipients per email, this still allows massive abuse of the mail system, even with a very small number in the "Outgoing Mail Limit". (And small numbers will penalize regular users a lot.)

So, we search for a solution that can limit the:

- number of recipients (not emails!) per timeslot
- number of different IP addresses authenticated with the same account per timeslot

As I see it, the first would be a relatively easy task for CommuniGate to implement, as the main logic behind that already exists for the "Outgoing Mail Limit" setting.
The second may be a bit harder, but still feels within doable range...


Or does anybody else have the same problems and already have a solution for that?

"External Filters" seem to be a possible way, with some sort of script or daemon that counts the messages and IP addresses...
Does anybody already use something like that and would be able to share some information on how to do it?

thanks
Christoph Roethlisberger
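The three detection ideas in this thread (Christoph's per-timeslot limits on recipients and on distinct authenticated IPs per account, and Nicolas's "over N scored messages in 30 minutes, counting each recipient separately" trigger) can all be expressed as one sliding-window counter keyed by account. The following is an added illustration, not code from PolluStop, CommuniGate Pro or anyone on the list; the event fields, thresholds and log sample are constructed, and a real deployment would feed it from the server's SMTP-Auth and queue logs (or an external filter) and act on the returned triggers by alerting or suspending the account.

```python
"""Sliding-window outbound abuse detector (constructed example, not a product's code)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Thresholds:
    window_seconds: int = 1800        # 30-minute timeslot
    max_recipients: int = 200         # recipients (not messages) per account and window
    max_distinct_ips: int = 3         # distinct IPs authenticating as the same account
    max_scored_messages: int = 20     # messages (counted per recipient) scoring above ...
    score_cutoff: float = 0.7         # ... this internal spam score


@dataclass
class Event:
    """One authenticated outbound submission, as it would be parsed from a log line."""
    ts: float        # seconds (any monotonic clock or epoch time)
    account: str
    ip: str
    recipients: int
    score: float = 0.0


class OutboundAbuseDetector:
    def __init__(self, thresholds=None):
        self.t = thresholds or Thresholds()
        self.history = defaultdict(deque)   # account -> events, oldest first

    def _prune(self, account, now):
        """Drop events that have fallen out of the window for this account."""
        q = self.history[account]
        while q and now - q[0].ts > self.t.window_seconds:
            q.popleft()

    def observe(self, event):
        """Record one submission and return the triggers it fires (empty list if none)."""
        q = self.history[event.account]
        q.append(event)
        self._prune(event.account, event.ts)
        recipients = sum(e.recipients for e in q)
        ips = {e.ip for e in q}
        # Nicolas's trigger: each recipient of a spammy message counts as one message.
        scored = sum(e.recipients for e in q if e.score > self.t.score_cutoff)
        triggers = []
        if recipients > self.t.max_recipients:
            triggers.append(f"recipients:{recipients}")
        if len(ips) > self.t.max_distinct_ips:
            triggers.append(f"distinct_ips:{len(ips)}")
        if scored > self.t.max_scored_messages:
            triggers.append(f"scored_messages:{scored}")
        return triggers


# Constructed sample: a normal user and an account driven from several botnet IPs.
SAMPLE_EVENTS = [
    *[Event(ts=60 * i, account="alice", ip="192.0.2.10", recipients=3, score=0.1)
      for i in range(10)],
    Event(ts=1000, account="bob", ip="198.51.100.1", recipients=50, score=0.9),
    Event(ts=1060, account="bob", ip="198.51.100.2", recipients=50, score=0.9),
    Event(ts=1120, account="bob", ip="198.51.100.3", recipients=50, score=0.9),
    Event(ts=1180, account="bob", ip="198.51.100.4", recipients=50, score=0.9),
    Event(ts=1240, account="bob", ip="198.51.100.5", recipients=50, score=0.9),
    # much later: the old events have aged out of the 30-minute window
    Event(ts=5000, account="bob", ip="198.51.100.1", recipients=1, score=0.1),
]


def run_sample(events=SAMPLE_EVENTS, thresholds=None):
    """Replay events through the detector; returns {account: [triggers per event]}."""
    detector = OutboundAbuseDetector(thresholds)
    results = defaultdict(list)
    for ev in events:
        results[ev.account].append(detector.observe(ev))
    return dict(results)


if __name__ == "__main__":
    for account, per_event in run_sample().items():
        for n, triggers in enumerate(per_event, 1):
            if triggers:
                print(f"{account}: event {n} fired {triggers}")
```

On the sample, "alice" never fires; "bob" trips the scored-message trigger on the very first 50-recipient message, the distinct-IP trigger on the fourth IP, and the recipient limit at 250 recipients, while the late low-volume message fires nothing because the window has emptied. The recipient-based counting is what makes the difference Christoph describes: a per-message limit of 5 would have let the same account reach 250 recipients.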


#############################################################
This message is sent to you because you are subscribed to
 the mailing list <CGatePro@mail.stalker.com>.
To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
Send administrative queries to <CGatePro-request@mail.stalker.com>