Lena at lena.kiev.ua
Lena at lena.kiev.ua
Sun Mar 24 13:30:19 UTC 2013
Doug Hardie wrote:
> my outgoing mail server is being systematically attacked to try
> passwords looking for one that works. When they do find one,
> we get inundated by spam sent through that account throughout the world.
How such spam is injected into your mail relay - via SMTP?
> most of our users are older and their computer is a hand-me-down
> so they can talk to their grandchildren.
> our users tend to travel a lot and need to be able to access mail
> from anywhere.
I bet that most of your users use Windows, many are clueless. So,
many will click a link in a letter from a known sender if the letter
contains nothing more than a link and the sender's correct signature,
possibly with a correct sender name or a few very generic words
added in Subject or body. Links in such spam lead to
drive-by exploit kits such as Blackhole which silently
(without user consent) install password-stealing trojans
such as ZeuS or SpyEye in user's Windows. These trojans also are
stealing FTP passwords (many webmasters use Windows too),
it's how the felons make pages they link to (on legitimate websites),
so content-filtering of such spam fails.
Stolen yahoo, AOL, MSN webmail passwords are used for sending such spam
via the webmail interface (with correct hostname, SPF, DKIM)
to addresses harvested from the user's webmail interface's address book
and Sent and Inbox folders.
Also, some of your users will yield to phishing.
Strong (long, complicate, unique) passwords are stolen with
Windows trojans and phishing as easily as weak ones.
You can block brute-force password guessing, but you cannot prevent
password stealing by Windows trojans and phishing.
Unfortunately, you cannot force your users to use FreeBSD or
some other free operating system instead of Windows.
But travelling users do need to send mail via SMTP.
Passwords are stolen along with username, relay hostname and port.
Second factor authentication for SMTP is more difficult
in practice than for HTTP.
So, you need to block _using_ stolen passwords by spammers.
My implementation is for Exim (instead of Postfix or sendmail):
It also blocks brute-force password guessing via SMTP, but
that's a side benefit.
More information about the freebsd-questions