[nSLUG] Spammers run with compromised accounts

D G Teed donald.teed at gmail.com
Fri Mar 1 10:08:00 AST 2013


Thought I'd share something about a spamming method I saw this week
which has never appeared here before.

We run a secure SMTP for roaming users (requires authentication).

Based on previous issues with compromised accounts, we have some Postfix
limits and firewall rules to keep the spam run less productive.

This week, the spammers found a way around this.  They phished or key-logged
credentials for a few accounts.  They waited until the evening hours when
IT staff are not on hand.  For the spam attack, they connected
with almost 400 remote IP clients, sending email at a trickle rate to avoid
the cut-off triggers.  At the spammers' chosen rate of 1 email with 1
recipient per 2 minutes for each IP client, the high number of clients
multiplies to over 20,000 emails in a two hour period.

I'm looking at solutions from postfwd or similar, but in the meantime,
I have made a script to count sasl logins from the outside and
automatically block the user, with use of pam_listfile.
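The countermeasure the post describes, counting SASL logins from outside addresses per user and feeding the abused account names to a pam_listfile deny list, as an added example written for this page; it is not the author's script. It assumes Postfix smtpd lines in the default syslog format (`client=host[ip], sasl_method=..., sasl_username=...`), a log year of 2013 because syslog timestamps carry none, RFC 1918 ranges as "inside", a two-hour window and a threshold of 10 distinct client addresses, and the log lines themselves are constructed. The deny-list output is the shape pam_listfile reads with `item=user sense=deny file=...`.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed "inside" ranges; logins from these are not counted (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Default Postfix smtpd log line for an authenticated client.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"\S+: client=\S+\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)")


def _line(ts, ip, user, qid):
    """Build one constructed smtpd log line in the default syslog format."""
    return (f"{ts} mx postfix/smtpd[4021]: {qid}: client=unknown[{ip}], "
            f"sasl_method=PLAIN, sasl_username={user}")


# Constructed sample log (not from the original post): bob logs in twice from
# two addresses, carol mostly from inside, alice from 12 different outside
# addresses at one login every two minutes.
SAMPLE_LOG = "\n".join(
    ["Mar  1 20:00:01 mx postfix/smtpd[4021]: connect from unknown[203.0.113.5]",
     _line("Mar  1 20:00:05", "203.0.113.5", "bob", "AA0001"),
     _line("Mar  1 21:30:05", "198.51.100.7", "bob", "AA0002"),
     _line("Mar  1 20:10:00", "10.1.2.3", "carol", "AA0003"),
     _line("Mar  1 20:12:00", "10.1.2.4", "carol", "AA0004"),
     _line("Mar  1 20:14:00", "192.168.5.5", "carol", "AA0005"),
     _line("Mar  1 20:16:00", "203.0.113.77", "carol", "AA0006")]
    + [_line(f"Mar  1 20:{2 * i:02d}:00", f"203.0.113.{100 + i}", "alice", f"AB{i:04d}")
       for i in range(12)])


def parse_sasl_logins(text, year=2013):
    """Return (timestamp, client_ip, user) for every outside SASL login."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/disconnect lines and other noise
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in INTERNAL_NETS):
            continue  # only count logins from the outside
        ts = datetime.strptime(f"{year} {' '.join(m.group('ts').split())}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, str(ip), m.group("user")))
    return events


def find_abused_accounts(events, max_clients=10, window=timedelta(hours=2)):
    """Map user -> peak number of distinct outside clients seen in any window
    of the given length, for users exceeding max_clients."""
    by_user = defaultdict(list)
    for ts, ip, user in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        peak = 0
        for i, (start, _) in enumerate(logins):
            ips = {ip for ts, ip in logins[i:] if ts - start <= window}
            peak = max(peak, len(ips))
        if peak > max_clients:
            flagged[user] = peak
    return flagged


def render_deny_list(flagged):
    """One username per line, the format pam_listfile reads with item=user."""
    return "".join(f"{user}\n" for user in sorted(flagged))


if __name__ == "__main__":
    abused = find_abused_accounts(parse_sasl_logins(SAMPLE_LOG))
    for user, n in abused.items():
        print(f"{user}: {n} distinct outside clients within the window")
    print(render_deny_list(abused), end="")
```

In production the deny file would be written atomically (write to a temp file, then rename) so that the PAM stack never reads a half-written list, and the threshold should sit well above the number of distinct addresses a legitimate roaming user produces in two hours.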

