Kill off one user's active sessions

Kill off one user's active sessions

Vegard Svanberg
Hi,

We have a few scripts in place to handle (outgoing) spam outbreaks.

This works well, but we struggle a bit with one scenario where the
username and password are in the wild, and the spammer connects to the
email server and sends multiple emails through the same connection.

Because even if we lock the account, the session is still active so they
can spam until the connection is terminated.

The same scenario occurs if a botnet has set up multiple connections,
but the server is laggy or whatever so they've authenticated, but
haven't gotten to the "DATA" part of the SMTP dialogue yet (BTW: some
spambots appear to exhibit speculative behaviour here - as if they do
this on purpose).

So... what's the recommended approach here?

Is there an easy way to tear down specific (by a particular user)
connections?

Thanks in advance.

--
Vegard Svanberg <[hidden email]> [*Takapa@IRC (EFnet)]

Re: Kill off one user's active sessions

Dominic Raferd
On 22 November 2017 at 14:31, Vegard Svanberg <[hidden email]> wrote:

> We have a few scripts in place to handle (outgoing) spam outbreaks.
>
> This works well, but we struggle a bit with one scenario where the
> username and password are in the wild, and the spammer connects to the
> email server and sends multiple emails through the same connection.
>
> Because even if we lock the account, the session is still active so they
> can spam until the connection is terminated.
>
> The same scenario occurs if a botnet has set up multiple connections,
> but the server is laggy or whatever so they've authenticated, but
> haven't gotten to the "DATA" part of the SMTP dialogue yet (BTW: some
> spambots appear to exhibit speculative behaviour here - as if they do
> this on purpose).
>
> So... what's the recommended approach here?
>
> Is there an easy way to tear down specific (by a particular user)
> connections?

Maybe you could create a fail2ban jail based on frequency of
repetition of log entries of the multiple outgoing emails? Obviously
you would have to find some reliable way to distinguish between the
log entries generated by a spammer's mails and a genuine user's (which
might be tricky if your genuine users might also send a lot of emails
in a short space of time). Normally fail2ban is used for temporary IP
blocking via iptables (but other actions are possible).

Someone had a similar problem here:
https://www.howtoforge.com/community/threads/postfix-dos-spam-attack.61196/
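
The detection side of this suggestion, as an added example that is not from the thread or from fail2ban: it applies fail2ban's findtime/maxretry idea to the sasl_username field of Postfix smtpd log lines instead of to the client IP, and adds a second test (the same credential arriving from several client IPs inside the window) that separates a botnet from one busy but genuine user. The log lines, regular expression, thresholds and year are constructed for illustration. fail2ban's stock action bans the client IP with iptables, so a user flagged here would instead be handed to whatever script locks the account.

```python
# Added example, not from the thread or from fail2ban: flag SASL users whose
# message rate or spread of client IPs in a sliding window looks like a
# stolen credential. Log lines, regex and thresholds are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Postfix smtpd lines: one per accepted message, carrying the
# queue id, client and authenticated user. Syslog timestamps have no year,
# so one is assumed when parsing.
LOG = """\
Nov 22 12:05:10 mx postfix/smtpd[2101]: 7F1A2B3C4D: client=unknown[203.0.113.40], sasl_method=PLAIN, sasl_username=carol@example.com
Nov 22 13:10:42 mx postfix/smtpd[2130]: 8A2B3C4D5E: client=unknown[203.0.113.40], sasl_method=PLAIN, sasl_username=carol@example.com
Nov 22 14:30:01 mx postfix/smtpd[2201]: 1A2B3C4D5E: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com
Nov 22 14:30:04 mx postfix/smtpd[2202]: 2B3C4D5E6F: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Nov 22 14:30:09 mx postfix/smtpd[2201]: 3C4D5E6F70: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com
Nov 22 14:30:15 mx postfix/smtpd[2202]: 4D5E6F7081: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Nov 22 14:30:22 mx postfix/smtpd[2201]: 5E6F708192: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com
Nov 22 14:30:40 mx postfix/smtpd[2202]: 6F708192A3: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Nov 22 14:31:03 mx postfix/smtpd[2210]: 708192A3B4: client=laptop.example.net[192.0.2.8], sasl_method=LOGIN, sasl_username=bob@example.com
Nov 22 14:35:00 mx postfix/smtpd[2220]: 8192A3B4C5: client=unknown[203.0.113.55], sasl_method=PLAIN, sasl_username=dave@example.com
Nov 22 14:35:02 mx postfix/smtpd[2221]: 92A3B4C5D6: client=unknown[198.51.100.20], sasl_method=PLAIN, sasl_username=dave@example.com
Nov 22 14:35:05 mx postfix/smtpd[2222]: A3B4C5D6E7: client=unknown[192.0.2.77], sasl_method=PLAIN, sasl_username=dave@example.com
Nov 22 14:36:30 mx postfix/smtpd[2210]: B4C5D6E7F8: client=laptop.example.net[192.0.2.8], sasl_method=LOGIN, sasl_username=bob@example.com
Nov 22 14:40:12 mx postfix/smtpd[2210]: C5D6E7F809: client=laptop.example.net[192.0.2.8], sasl_method=LOGIN, sasl_username=bob@example.com
Nov 22 14:50:00 mx postfix/smtpd[2140]: D6E7F8091A: client=unknown[203.0.113.40], sasl_method=PLAIN, sasl_username=carol@example.com
"""

# Matches the smtpd line that announces an accepted message; written for
# this script, not in fail2ban's <HOST> notation.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"[0-9A-F]+: client=\S+\[(?P<host>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)
ASSUMED_YEAR = "2017"  # syslog lines carry no year


def parse(line):
    """Return (timestamp, client IP, SASL user) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["user"]


def detect(lines, findtime=600, maxretry=5, max_hosts=3):
    """fail2ban's findtime/maxretry logic keyed on sasl_username instead of
    the client IP, plus a distinct-client-IP test for a credential used by
    a botnet. Returns {user: reason} for the first threshold each user hits."""
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, host, user = rec
        window = windows[user]
        window.append((ts, host))
        while (ts - window[0][0]).total_seconds() > findtime:
            window.popleft()  # drop messages older than findtime
        if user in flagged:
            continue
        hosts = {h for _, h in window}
        if len(window) > maxretry:
            flagged[user] = f"{len(window)} messages in {findtime}s"
        elif len(hosts) >= max_hosts:
            flagged[user] = f"{len(hosts)} client IPs in {findtime}s"
    return flagged


if __name__ == "__main__":
    for user, reason in detect(LOG.splitlines()).items():
        print(f"lock {user}: {reason}")
```

On the constructed input, alice trips the rate test (six messages in forty seconds), dave trips the client-IP test (three IPs in five seconds), and bob and carol, who send a few messages each from one client, are left alone. The thresholds are the part that needs tuning per site, which is the difficulty the reply points out.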

Re: Kill off one user's active sessions

Viktor Dukhovni
In reply to this post by Vegard Svanberg


> On Nov 22, 2017, at 9:31 AM, Vegard Svanberg <[hidden email]> wrote:
>
> The same scenario occurs if a botnet has set up multiple connections,
> but the server is laggy or whatever so they've authenticated, but
> haven't gotten to the "DATA" part of the SMTP dialogue yet (BTW: some
> spambots appear to exhibit speculative behaviour here - as if they do
> this on purpose).
>
> So... what's the recommended approach here?
>
> Is there an easy way to tear down specific (by a particular user)
> connections?

In front of permit_sasl_authenticated, use:

   http://www.postfix.org/postconf.5.html#check_sasl_access

main.cf:
   # Default, just don't set it to "no"
   # smtpd_delay_reject = yes

   sqlorldap = ...:${config_directory}/

   # Postfix 2.10 or later
   smtpd_relay_restrictions =
        check_sasl_access ${sqlorldap}compromised.cf,
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

compromised.cf:
    # Define a table that returns "REJECT 5.7.1 Compromised login account"
    # when the lookup key matches a compromised SASL login name.
    ...

The table needs to be SQL or LDAP as indexed file tables are only
reloaded between connections, not in the middle of a connection.

The most lightweight table for this is perhaps sqlite, it should
support concurrent reads by Postfix across writes by some management
tool, but I've not tried this.  You're probably better off with
Postgres, MySQL or LDAP.

--
        Viktor.
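
An added example of the table side of this, not code from the thread or from Postfix: the sqlite variant of compromised.cf, the schema behind it, the two calls an outbreak script would make to lock and later release an account, and a simulated smtpd(8) session that keeps one database connection open across the lockout. check_sasl_access exists in Postfix 2.11 and later; with smtpd_delay_reject left at its default, the restriction list is evaluated at every RCPT TO, so a session that authenticated before the account was listed is rejected on its next message without anyone having to tear the connection down. The lookup key is the SASL login name exactly as the client authenticated it (Postfix appends @domain only when smtpd_sasl_local_domain is set). The database path, table and column names, and the login names are assumptions.

```python
# Added example, not code from the thread or from Postfix: a sqlite-backed
# table for check_sasl_access plus the management calls an outbreak script
# would make. Paths, table and column names are assumptions.
import os
import sqlite3
import tempfile

# What compromised.cf would contain for Postfix's "sqlite:" table type
# (sqlite_table(5)). Postfix substitutes the SQL-quoted lookup key for %s
# and uses the first column of the first row as the access(5) action.
COMPROMISED_CF = """\
dbpath = /etc/postfix/compromised.db
query = SELECT action FROM compromised WHERE login = '%s'
"""

# Assumed schema; 'login' is the SASL login name as the client authenticated.
SCHEMA = """\
CREATE TABLE IF NOT EXISTS compromised (
    login  TEXT PRIMARY KEY,
    action TEXT NOT NULL,
    added  TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
"""

REJECT_ACTION = "REJECT 5.7.1 Compromised login account"


def init_db(path):
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.close()


def mark_compromised(path, login, action=REJECT_ACTION):
    """What the outbreak script runs when it locks an account."""
    con = sqlite3.connect(path)
    with con:  # commits on success, so other connections see the row
        con.execute(
            "INSERT OR REPLACE INTO compromised (login, action) VALUES (?, ?)",
            (login, action),
        )
    con.close()


def clear_compromised(path, login):
    """Run once the password has been rotated."""
    con = sqlite3.connect(path)
    with con:
        con.execute("DELETE FROM compromised WHERE login = ?", (login,))
    con.close()


def postfix_lookup(reader, login):
    """The query from compromised.cf as smtpd(8) would run it at each
    RCPT TO, over a connection opened when the table was first used.
    A bound parameter stands in for Postfix's quoted %s expansion."""
    rows = reader.execute(
        "SELECT action FROM compromised WHERE login = ?", (login,)
    ).fetchall()
    return rows[0][0] if rows else None


def demo(path):
    """One smtpd session that stays open while the account is locked."""
    init_db(path)
    reader = sqlite3.connect(path)  # opened once, like a long-running smtpd
    seen = [postfix_lookup(reader, "alice@example.com")]       # None: no entry
    mark_compromised(path, "alice@example.com")                # admin script acts
    seen.append(postfix_lookup(reader, "alice@example.com"))   # next RCPT: REJECT
    seen.append(postfix_lookup(reader, "bob@example.com"))     # others unaffected
    clear_compromised(path, "alice@example.com")
    seen.append(postfix_lookup(reader, "alice@example.com"))   # None again
    reader.close()
    return seen


def demo_in_tempdir():
    """Run demo() against a throwaway database file."""
    with tempfile.TemporaryDirectory() as d:
        return demo(os.path.join(d, "compromised.db"))


if __name__ == "__main__":
    for result in demo_in_tempdir():
        print(result)
```

The reader connection never sees a stale answer because it holds no open transaction between lookups, which is the behaviour Postfix needs from the table and the reason an indexed file (reloaded only between connections) would not do. Whether Postfix's own sqlite client behaves identically under a concurrent writer is what the reply says it has not tried; the example shows the sqlite semantics, not a test of Postfix.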

Re: Kill off one user's active sessions

Wietse Venema
In reply to this post by Vegard Svanberg
Vegard Svanberg:

> Hi,
>
> We have a few scripts in place to handle (outgoing) spam outbreaks.
>
> This works well, but we struggle a bit with one scenario where the
> username and password are in the wild, and the spammer connects to the
> email server and sends multiple emails through the same connection.
>
> Because even if we lock the account, the session is still active so they
> can spam until the connection is terminated.
>
> The same scenario occurs if a botnet has set up multiple connections,
> but the server is laggy or whatever so they've authenticated, but
> haven't gotten to the "DATA" part of the SMTP dialogue yet (BTW: some
> spambots appear to exhibit speculative behaviour here - as if they do
> this on purpose).
>
> So... what's the recommended approach here?

Use POSTFWD to enforce mail sending quotas.

        Wietse

Re: Kill off one user's active sessions

Vegard Svanberg
In reply to this post by Viktor Dukhovni
* Viktor Dukhovni <[hidden email]> [2017-11-22 21:20]:

> > Is there an easy way to tear down specific (by a particular user)
> > connections?
>
> In front of permit_sasl_authenticated, use:
[snip]

Clever. Will give this a go.

Thanks, all.

--
Vegard Svanberg <[hidden email]> [*Takapa@IRC (EFnet)]