Koozali.org formerly Contribs.org

Ways to limit spam relayed using authenticated user accounts

We just got used to send a bunch of spams. There were ~6,0000 in the remote qmail queue when we discovered it and stopped it. The spammer dumped the spams in via qpsmtpd using the user name / password of one of our users. Since we have remote users, we allow relaying for authenticated clients.

Obviously, we changed the user's password, but that doesn't fix it for next time. Besides using strong passwords that are *only* used for email accounts, what are some other things we can do to prevent this in the future? Here are a couple that I'm wondering about:

1. Throttle the number of messages a user can send over X amount of time.
2. Scan messages users are sending for spamming-looking content.

Are either of these easily achievable with SME? Are there other things we should be doing?

janet
Re: Ways to limit spam relayed using authenticated user accounts
« Reply #1 on: July 25, 2013, 03:45:02 AM »
Quote from: pizzaco
1. Throttle the number of messages a user can send over X amount of time.
2. Scan messages users are sending for spamming-looking content.
Are either of these easily achievable with SME? Are there other things we should be doing?

1) Not quite what you are asking for, but you can easily limit the number of concurrent messages being sent both local & remote using db settings. This applies to the whole server (all users) rather than a single user. Search forums on ConcurrencyLocal and ConcurrencyRemote
config setprop qmail ConcurrencyLocal 4
config setprop qmail ConcurrencyRemote 10
signal-event email-update

On a busy server sending thousands of messages you may not want to reduce these settings as mail flow will be slower.

Although not specifically needed as db commands exist, you can create custom templates in /etc/e-smith/templates-custom/var/qmail/control/concurrencyremote & so on
see the originals in
/etc/e-smith/templates/var/qmail/control/concurrencylocal
and
/etc/e-smith/templates/var/qmail/control/concurrencyremote

Maybe you could copy these to the /etc/e-smith/templates-user-custom tree to modify individual users


2) Probably, with a bit of work making custom templates etc., you could control scanning behaviour on a per-user basis, but you would need to know what you are doing to achieve this, or get a developer to do the work if they felt your request was justifiable or you offered to fund the development work.

I recall, when spam/virus scanning was brought in a few versions of sme ago, that it was also scanning outgoing messages, & this was deemed not desirable, so it was changed to scan incoming only. On that basis it could be re-enabled. My memory is a bit vague on this, so I wait to be corrected.
I'm sure those here with a bit more specific knowledge could help, so I think this is possible to achieve.
 
I STRONGLY suggest you read all of the FAQ Email section, linked at top of forums.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Re: Ways to limit spam relayed using authenticated user accounts
« Reply #2 on: July 26, 2013, 12:21:12 AM »
Quote
...you can easily limit the number of concurrent messages...

If I did that on the remote queue, it would slow things down. It might not be significant, though, because spams are usually very small and would go out pretty quickly.

I've looked around the intertubes for qpsmtpd plug-in to do rate-limiting / throttling by user based on # of messages sent. Haven't found anything. It seems like it would be a good defense against getting flooded by a spammer with a stolen account name and password. It would still let spam through, but I would rather send 500 spams instead of 10,000.

janet
Re: Ways to limit spam relayed using authenticated user accounts
« Reply #3 on: July 26, 2013, 02:01:42 AM »
Quote from: pizzaco
It would still let spam through, but I would rather send 500 spams instead of 10,000.

You overlook the obvious. Qmail still queues the messages anyway, & only establishes 40 concurrent remote connections by default on sme server, otherwise all your outgoing bandwidth would be hogged by qmail message connections.
Reducing this with the db command suggested would "allow 500 instead of 10,000" in a specified time period, thus allowing you more time to become aware of the issue & fix the problem before your server gets a bad reputation & is listed on RBLs.
Try setting ConcurrencyRemote to 10 & gauge the effect. Users will probably not notice any difference, unless you are sending thousands of messages continuously every hour.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Re: Ways to limit spam relayed using authenticated user accounts
« Reply #4 on: July 26, 2013, 02:45:31 PM »
Quote from: janet
1) Not quite what you are asking for, but you can easily limit the number of concurrent messages being sent both local & remote using db settings. This applies to the whole server (all users) rather than a single user. Search forums on ConcurrencyLocal and ConcurrencyRemote
config setprop qmail ConcurrencyLocal 4
config setprop qmail ConcurrencyRemote 10
signal-event email-update

On a busy server sending thousands of messages you may not want to reduce these settings as mail flow will be slower.

That also won't help at all. That will only limit the rate at which messages leave the email queue. It doesn't limit the rate at which messages enter the queue, so doesn't stop a user from sending spam.

Quote
If I did that on the remote queue, it would slow things down.

It wouldn't necessarily. Reducing the number of concurrent outgoing messages doesn't necessarily affect the outbound message transfer rate. Increasing the number of concurrent message deliveries sometimes slows down total transfer (because of packet loss).

« Last Edit: July 26, 2013, 02:48:35 PM by CharlieBrady »

holck
Re: Ways to limit spam relayed using authenticated user accounts
« Reply #5 on: April 15, 2016, 09:08:39 PM »
I just experienced a similar problem: someone had guessed the password of a local user account, and this account was used to send 1000s of spam messages.

qpsmtpd received connections from lots of different IP addresses, and happily accepted them all.

I understand that one way to limit this kind of misuse is to reduce the ConcurrencyRemote setting. But I will suggest another solution:

In the style of fail2ban, we could make a script that monitors qpsmtpd's log files and looks for authenticated smtp sessions from many different IP addresses, but for the same user account, in a short time. And, if found, change the user's password.

We might also monitor qmail's log files and look for unusual high traffic from a single user account.

It should not be too hard to make a Perl script for that. What do you think?

Jesper Holck

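The following is an added example illustrating the fail2ban-style monitor Jesper describes above (and the per-user volume counting pizzaco asked about in Reply #2). It is not code from SME Server, Koozali or any poster, and it is written in Python rather than the Perl Jesper proposes, so that it can be run stand-alone here. Everything about the log line format (LINE_RE, SAMPLE_LOG) is constructed for the example; real qpsmtpd output depends on the auth plugin and logging level, so the regex must be adapted to what your server actually writes. The thresholds and the single-year assumption for syslog timestamps are likewise illustrative.

```python
"""Sliding-window monitor for abuse of an authenticated SMTP account.

Added example for this thread; not SME Server / Koozali code.
Flags a user who, inside the trailing window, authenticates from more than
MAX_IPS distinct client addresses (a stolen password used from a botnet) or
opens more than MAX_SESSIONS authenticated sessions (bulk sending).

ASSUMPTIONS: the log line shape in LINE_RE and SAMPLE_LOG is constructed;
thresholds are illustrative; all lines fall in one calendar year; the log
is read in time order (as a tail of the live log would be).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed line shape, e.g.
#   Apr 15 20:31:02 sme qpsmtpd[1201]: 203.0.113.7 auth ok user=alice
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ qpsmtpd\[\d+\]: "
    r"(?P<ip>[0-9a-fA-F.:]+) auth ok user=(?P<user>\S+)$"
)

WINDOW_SECONDS = 600   # look back 10 minutes
MAX_IPS = 5            # distinct client addresses per user per window
MAX_SESSIONS = 100     # authenticated sessions per user per window


def parse_line(line, year=2016):
    """Return (timestamp, client_ip, user) for a matching auth line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


class AuthMonitor:
    """Keeps, per user, the auth events seen inside the trailing window."""

    def __init__(self, window=WINDOW_SECONDS, max_ips=MAX_IPS,
                 max_sessions=MAX_SESSIONS):
        self.window = window
        self.max_ips = max_ips
        self.max_sessions = max_sessions
        self.events = defaultdict(deque)   # user -> deque of (ts, ip)
        self.alerted = set()               # alert once per user

    def feed(self, line):
        """Consume one log line; return (user, ts, reasons) on a new alert."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, ip, user = parsed
        q = self.events[user]
        q.append((ts, ip))
        # Expire events that fell out of the window (oldest at the left).
        while (ts - q[0][0]).total_seconds() > self.window:
            q.popleft()
        reasons = []
        ips = {seen_ip for _, seen_ip in q}
        if len(ips) > self.max_ips:
            reasons.append(f"{len(ips)} distinct client IPs")
        if len(q) > self.max_sessions:
            reasons.append(f"{len(q)} sessions")
        if reasons and user not in self.alerted:
            self.alerted.add(user)
            return user, ts, reasons
        return None


def scan(lines, **thresholds):
    """Run the monitor over an iterable of log lines; return all alerts."""
    monitor = AuthMonitor(**thresholds)
    alerts = []
    for line in lines:
        alert = monitor.feed(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample: alice's credentials are used from six different
# addresses within ten minutes (the pattern of a stolen password); bob is
# a normal user sending a few messages from his one workstation.
SAMPLE_LOG = [
    "Apr 15 20:31:02 sme qpsmtpd[1201]: 203.0.113.7 auth ok user=alice",
    "Apr 15 20:32:10 sme qpsmtpd[1202]: 198.51.100.23 auth ok user=alice",
    "Apr 15 20:33:44 sme qpsmtpd[1203]: 192.0.2.9 auth ok user=bob",
    "Apr 15 20:34:01 sme qpsmtpd[1204]: 203.0.113.88 auth ok user=alice",
    "Apr 15 20:35:19 sme qpsmtpd[1205]: 198.51.100.200 auth ok user=alice",
    "Apr 15 20:36:30 sme qpsmtpd[1206]: 192.0.2.9 auth ok user=bob",
    "Apr 15 20:37:05 sme qpsmtpd[1207]: 203.0.113.150 auth ok user=alice",
    "Apr 15 20:38:52 sme qpsmtpd[1208]: 192.0.2.9 auth ok user=bob",
    "Apr 15 20:39:11 sme qpsmtpd[1209]: 198.51.100.77 auth ok user=alice",
    "Apr 15 20:40:00 sme qpsmtpd[1210]: 192.0.2.9 auth ok user=bob",
    "Apr 15 20:40:30 sme qpsmtpd[1211]: unrelated message",   # ignored
]

if __name__ == "__main__":
    for user, ts, reasons in scan(SAMPLE_LOG):
        print(f"{ts} ALERT {user}: {', '.join(reasons)}")
```

Run against the sample it raises one alert, for alice, at the sixth distinct address. The response (changing the password or locking the account, as Jesper suggests) is deliberately left out of the block: wire it to whatever your version of the server provides, and alert only once per user so a flood of sessions does not become a flood of password changes. Counting distinct client IPs is the stronger signal, since a legitimate roaming user rarely appears from more than two or three networks in ten minutes while a spammer with stolen credentials typically arrives from many.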

brianr
Re: Ways to limit spam relayed using authenticated user accounts
« Reply #6 on: April 15, 2016, 09:16:53 PM »
I think you should also make sure that all your users have "hard to guess" passwords!!

https://nakedsecurity.sophos.com/2010/02/03/choose-strong-password/
« Last Edit: April 15, 2016, 09:18:31 PM by brianr »
Brian j Read
(retired, but still looking after 5 SME installations)

Re: Ways to limit spam relayed using authenticated user accounts
« Reply #7 on: April 15, 2016, 09:47:31 PM »
Quote from: holck
I understand that one way to limit this kind of misuse is to reduce the ConcurrencyRemote setting.

As already noted above, that doesn't limit inbound connections, just outbound channels by which qmail sends messages out.