
List:       exim-users
Subject:    Re: [exim] Regarding spaming from the server
From:       Lena () lena ! kiev ! ua
Date:       2013-06-30 22:49:01
Message-ID: 20130630224901.GB793 () lena ! kiev

P.S.

> From: Todd Lyons

> > How to block stolen passwords automatically:
> > https://github.com/Exim/exim/wiki/BlockCracking
> 
> Lena, one corner case of this is when a legitimate user has one device
> with the wrong password.  Picture a typical small office where two or
> three people use a small NAT router to connect to their business-class
> DSL.  One person changes their password and they fix it on their
> iPhone because they have to leave to go do something.  They leave.
> Their Outlook is still open on their computer and someone comes by to
> check something in the email.  Outlook doesn't seem to be working
> right so they hit the Send/Receive button multiple times.  On the Exim
> server, the limit for bad user/pass combinations gets hit and the IP
> gets added to the blacklist.  Now the whole office is blocked from
> sending email.
> 
> I'd like to ponder if there is a way to detect that the same incorrect
> password is being sent over and over (indicating a misconfigured
> device) as opposed to random passwords (indicating brute forcing).  To
> my knowledge, neither the actual password nor a hash of it is made
> available anywhere except to the authenticator section. Can you dream
> up any sequence that could be used to capture a hash of that password,
> store it, and then use it to compare subsequent attempts?

OK, untested changes for my code
https://github.com/Exim/exim/wiki/BlockCracking :

1. Replacement for "accept" at the end of acl_check_auth:

  # Remember a hash of the credential material on the AUTH command line in a
  # connection variable.  For AUTH PLAIN that is the base64 of
  # authzid NUL user NUL password, so the same user+password gives the same
  # hash.  For AUTH LOGIN the command line carries at most the base64
  # username (the password arrives in a later line), so for LOGIN the hash
  # only distinguishes users.  No match (e.g. a bare "AUTH LOGIN") leaves the
  # variable empty, which the !def: test below treats as "no hash".
  accept set acl_c_authhash = ${if match{$smtp_command_argument}\
          {\N(?i)^(?:plain|login) (.+)$\N}{${nhash_1000:$1}}}

2. Replacement for entire acl_check_quit:

  # Failure rate keyed on this client IP *and* this credential hash.
  warn  condition = ${if def:authentication_failed}
        condition = $authentication_failed
        condition = ${if def:acl_c_authhash}
        ratelimit = 7 / 5m / strict / $sender_host_address-$acl_c_authhash

  # Keep the integer part of that per-credential rate for the test below.
  warn  condition = ${if def:authentication_failed}
        condition = $authentication_failed
        condition = ${if def:acl_c_authhash}
        set acl_c_hashrate = ${sg{$sender_rate}{[.].*}{}}

  # Log every QUIT after a failed AUTH, but only blacklist the IP when the
  # per-connection failure limit is exceeded AND the failures were not the
  # same credential over and over (no hash at all, or hash rate below 2).
  warn  condition = ${if def:authentication_failed}
        condition = $authentication_failed
        logwrite = :reject: quit after authentication failed: \
                            ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
        ratelimit = 7 / 5m / strict / per_conn
        condition = ${if or{\
                            {!def:acl_c_authhash}\
                            {<{$acl_c_hashrate}{2}}\
                           }}
        continue = ${run{SHELL -c "echo $sender_host_address \
           >>$spool_directory/blocked_IPs; \
           \N{\N echo Subject: $sender_host_address blocked; echo; echo \
           for bruteforce auth cracking attempt.; \
           \N}\N | EXIMBINARY WARNTO"}}

> From: Cyborg

> That will block most customers who try to send valid newsletters :)
> 10% or more of the address database of those newsletter senders is
> invalid and old addresses.

Do those customers/senders ignore bounces?

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
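The following is an added example, not Lena's config, the BlockCracking wiki page, or Exim code. It models in Python the verdict the acl_check_quit above reaches for one failed AUTH, so the "stale Outlook in a NAT office" case from Todd's message can be run side by side with real brute forcing. Assumptions: in-memory counters stand in for Exim's ratelimit database, one batch of events stands in for the 5m window, "over the limit" means more than 7 failures (an Exim ratelimit condition is true once the measured rate exceeds the limit), the hash is SHA-256 truncated to 32 bits rather than Exim's nhash (which uses a different function and, with nhash_1000, only 1000 buckets), and every IP and credential is made up. The last scenario deliberately shows the AUTH LOGIN gap: when a client puts the base64 username on the AUTH line, every password guess hashes the same and the blacklisting step is skipped.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Added example, not code from Lena's config, the Exim wiki or Exim itself.
# Counters are in memory (Exim keeps them in its ratelimit database), one
# batch of events plays the role of the "5m" window, and the hash is
# SHA-256/32-bit instead of Exim's ${nhash_1000:...}.  All IPs and
# credentials below are constructed for the demonstration.

AUTH_ARG_RE = re.compile(r"(?i)^(?:plain|login) (.+)$")


def plain_arg(user, password):
    """Argument a client sends with 'AUTH PLAIN': base64 of
    authzid NUL authcid NUL passwd (RFC 4616), authzid left empty.
    The same user and password always produce the same string."""
    payload = b"\0" + user.encode() + b"\0" + password.encode()
    return "PLAIN " + base64.b64encode(payload).decode()


def login_arg(user=None):
    """Argument a client sends with 'AUTH LOGIN'.  Most clients send a bare
    LOGIN and give user and password only in later lines; some add the
    base64 username as an initial response.  The password is never here."""
    if user is None:
        return "LOGIN"
    return "LOGIN " + base64.b64encode(user.encode()).decode()


def auth_hash(arg):
    """Counterpart of Lena's acl_c_authhash: hash of what follows the
    mechanism name, or None when the command line carries nothing to hash
    (the empty-variable case her !def:acl_c_authhash test covers)."""
    m = AUTH_ARG_RE.match(arg)
    if not m:
        return None
    return int.from_bytes(hashlib.sha256(m.group(1).encode()).digest()[:4], "big")


class AuthFailureTracker:
    """Per client IP: failed AUTHs overall (her per_conn ratelimit) and
    per credential hash (her $sender_host_address-$acl_c_authhash key)."""

    def __init__(self, limit=7, same_cred_floor=2):
        self.limit = limit                      # the "7" in "7 / 5m"
        self.same_cred_floor = same_cred_floor  # the "2" in <{$acl_c_hashrate}{2}
        self.total = defaultdict(int)
        self.per_hash = defaultdict(lambda: defaultdict(int))

    def failed_auth(self, ip, arg):
        """Register one failed AUTH from ip and return its verdict:
        'ok'     - still within the limit, nothing happens;
        'block'  - over the limit and the credential kept changing (or was
                   never visible on the AUTH line): add ip to blocked_IPs;
        'repeat' - over the limit but the same credential keeps arriving:
                   logged, yet the blacklisting step is skipped."""
        h = auth_hash(arg)
        self.total[ip] += 1
        if h is not None:
            self.per_hash[ip][h] += 1
        if self.total[ip] <= self.limit:
            return "ok"
        if h is None or self.per_hash[ip][h] < self.same_cred_floor:
            return "block"
        return "repeat"


def run_scenario(ip, args):
    """Feed failed AUTH arguments from one IP; return one verdict per attempt."""
    tracker = AuthFailureTracker()
    return [tracker.failed_auth(ip, a) for a in args]


# Constructed scenarios (made-up IPs and credentials), 8 failures each so that
# the 8th attempt is the first one over the limit.
OFFICE_STALE_OUTLOOK = run_scenario("10.0.0.5", [plain_arg("bob", "OldPass1")] * 8)
PLAIN_BRUTE_FORCE = run_scenario("198.51.100.7",
                                 [plain_arg("bob", "guess%d" % i) for i in range(8)])
LOGIN_BARE_BRUTE_FORCE = run_scenario("198.51.100.8", [login_arg()] * 8)
LOGIN_WITH_USER_BRUTE_FORCE = run_scenario("198.51.100.9", [login_arg("bob")] * 8)

if __name__ == "__main__":
    for name, verdicts in [("office, stale Outlook password", OFFICE_STALE_OUTLOOK),
                           ("AUTH PLAIN brute force", PLAIN_BRUTE_FORCE),
                           ("bare AUTH LOGIN brute force", LOGIN_BARE_BRUTE_FORCE),
                           ("AUTH LOGIN <user> brute force", LOGIN_WITH_USER_BRUTE_FORCE)]:
        print("%-32s 8th attempt: %s" % (name, verdicts[-1]))
```

The first two scenarios are the ones the thread is about: the office with one stale password ends in "repeat" and is never blacklisted, while eight different AUTH PLAIN payloads end in "block". The two AUTH LOGIN scenarios are the caveat: a bare LOGIN falls back to the old "block on count" behaviour, but a client that sends the username on the AUTH line makes every guess hash identically, so a single-account brute force over AUTH LOGIN looks like a misconfigured device to this test.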