> Cassidy Larson:
>> We had an incident today where we had a user with a compromised
>> machine. Their email/pass made it back to some botnet which proceeded
>> to SASL auth to our mail servers and send numerous spam messages from
>> many different hosts. The spamming hosts didn't trigger our
>> smtpd_client_recipient_rate_limit setting, because of the many
>> different hosts (all with the same SASL user authenticated) that they
I'm a little bit amazed to hear about a real, existing AUTHing bot.
I think we must prepare for SPAM originating bots, but relayed
through legitimate (compared to direct from bot PCs) MTAs.
> Maybe a good idea. This would hook into the AUTH command and after
> successful AUTH, do an anvil query for the sasl_username value.
> It's not a lot of code, but I don't have a lot of time, either.
We will have time to clean up bots ;-p
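
What counting by sasl_username catches that a per-client limit misses, as an added example that is not part of the original thread and is not Postfix code: it reads constructed smtpd log lines offline instead of querying anvil. The function name `flag_users`, the 60-second window and the threshold of 3 are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample smtpd log lines (not taken from the thread).
SAMPLE_LOG = """\
Mar 13 10:00:01 mx1 postfix/smtpd[2101]: 4A1B2C3D01: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
Mar 13 10:00:05 mx1 postfix/smtpd[2102]: 4A1B2C3D02: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Mar 13 10:00:09 mx1 postfix/smtpd[2103]: 4A1B2C3D03: client=unknown[203.0.113.21], sasl_method=LOGIN, sasl_username=bob@example.com
Mar 13 10:00:14 mx1 postfix/smtpd[2104]: 4A1B2C3D04: client=unknown[198.51.100.88], sasl_method=LOGIN, sasl_username=bob@example.com
Mar 13 10:00:20 mx1 postfix/smtpd[2105]: 4A1B2C3D05: client=unknown[203.0.113.140], sasl_method=LOGIN, sasl_username=bob@example.com
Mar 13 10:00:40 mx1 postfix/smtpd[2106]: 4A1B2C3D06: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
"""

# Matches the smtpd line that records the client and the authenticated user.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S*\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)

def flag_users(log_text, window=timedelta(seconds=60), max_msgs=3, year=2024):
    """Return {sasl_username: set of client IPs} for every user who submitted
    more than max_msgs messages inside the sliding window, whatever the client.
    Syslog timestamps carry no year, so one is assumed."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, client ip)
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["user"]]
        q.append((ts, m["ip"]))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if len(q) > max_msgs:
            flagged.setdefault(m["user"], set()).update(ip for _, ip in q)
    return flagged

if __name__ == "__main__":
    # Each client IP appears at most twice, so a per-client limit stays quiet.
    for user, ips in flag_users(SAMPLE_LOG).items():
        print(f"{user}: over limit from {len(ips)} distinct clients: {sorted(ips)}")
```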