SurgeMail Archive: Re: [SurgeMail List] preventing spammers from using a password-cracked accoun

Subject:	Re: [SurgeMail List] preventing spammers from using a password-cracked accoun
From:	Ed
Date:	20-Sep-2013
Yes there's a setting : g_from_exact - Check from matches authenticated user Check from matches authenticated user. If user is not authenticated the setting is skipped. Should be used with g_from_bounce "true" which basically forces them to authenticate and then makes this setting work properly. Syntax: g_from_exact bool --Ed On 09/20/2013 05:46 PM, David Camm wrote: > been a fun few days :-( > > the reason i sent my previous post about being blocked by sorbs was that > a customer had two workstations compromised with a trojan which > succeeded in giving the hackers the passwords to their email accounts. > > using this information, they were able to authenticate and send large > quantities of spam. tracing a bunch of the originating ip addresses, the > majority of the connections came from ukraine or the russian federation > (why am i not surprised???) > > of course, cleaning the infected systems and changing the account > passwords stopped this. > > the spammers used a different from address for each email instance. they > would useHIDDEN@main.com, bcd@domain.com, goofy@domain.com, etc. > > HOWEVER, looking at the emails before i deleted them from the queue, > there was an x-authenticated-user header, which contained the address of > the hacked account (say,HIDDEN@domain.com). > > clearly the from address and the authenticated user address were different. > > it seems to me that there are no 'legal' instances where these two > addresses would be different. > > while more and more customers are using imap on their mobile devices, > these devices still send using smtp (i believe). therefore using > settings which restrict smtp_auth to a given ip set couldn't work. > > we universally require smtp authorization. > > if there's a config setting which says: "on send, if envelope from is > NOT authenticated user address, drop the send then disconnect" i'd > appreciate knowing what it is. > > if no such setting exists. does it make sense to implement it? > > david camm > advanced web systems > keller, tx > > > > > > > > -- ----------------------------------------------------------- EAS Enterprises LLC World Class Web and Email Hosting Solutions IPv6 ready today for your needs of tomorrow! Ask us about dual-stacking your site www.easent.net

Last Message | Next Message


Search website: