postfix-users October 2010 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: OT: Re: anvil stats/restictions based on SASL use

OT: Re: anvil stats/restictions based on SASL username?

From: Tomoyuki Murakami <tomoyuki_at_nospam>
Date: Wed Oct 27 2010 - 01:32:28 GMT
To: postfix-users@postfix.org

> Cassidy Larson:
>> We had an incident today where we had a user with a compromised
>> machine. Their email/pass made it back to some botnet which proceeded
>> to SASL auth to our mail servers and send numerous spam messages from
>> many different hosts. The spamming hosts didnt trigger our
>> smtpd_client_recipient_rate_limit setting, because of the many
>> different hosts (all with the same SASL user authenticated) that they
>> used.

I'm little bit amazing to hear about the real-existing AUTHing bot.
I think we must prepare for SPAM originating bots, but relayed
through legitimate (compared to direct from bot PCs ) MTAs.

> Maybe a good idea. This would hook into the AUTH command and after
> successful AUTH, do an anvil query for the sasl_username value.
>
> It's not a lot of code, but I don't have a lot of time, either.
>

We will have time to clean-up bots ;-p

-- Tomo.