Mailing List Archive

rbl for smtp auth hosts
Anyone have any experience with a dns blacklist specific to known smtp auth abuse?
Re: rbl for smtp auth hosts
On 15/09/23 17:01, Marc wrote:

> Anyone have any experience with a dns blacklist specific to known smtp auth abuse?
Yes, at previous $dayjob. Applied on the submission MSA, it proved to be
useful in mitigating the fallout when users got their credentials
compromised.

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/
Re: rbl for smtp auth hosts
>On 15/09/23 17:01, Marc wrote:
>>Anyone have any experience with a dns blacklist specific to known smtp auth abuse?

On 15.09.23 15:31, Riccardo Alfieri wrote:
>Yes, at previous $dayjob. Applied on the submission MSA, it proved to
>be useful in mitigating the fallout when users got their credentials
>compromised.

can you describe it more?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901
Re: rbl for smtp auth hosts
On 15/09/23 17:35, Matus UHLAR - fantomas wrote:

>
> On 15.09.23 15:31, Riccardo Alfieri wrote:
>> Yes, at previous $dayjob. Applied on the submission MSA, it proved to
>> be useful in mitigating the fallout when users got their credentials
>> compromised.
>
> can you describe it more?
>
Well, I checked the connecting IP of a client against AuthBL *before*
"permit_sasl_authenticated" (IIRC) in postfix and when users got their
credentials compromised (that happened more times than I would have
liked) I'd say more than 95% of connections from the auth-abusing botnet
were denied. This mitigated a lot of the spam exiting from our outbounds
and helped us not end up being listed in the more "trigger happy"
dnsbls around :)

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/
RE: rbl for smtp auth hosts
>
> >
> > On 15.09.23 15:31, Riccardo Alfieri wrote:
> >> Yes, at previous $dayjob. Applied on the submission MSA, it proved to
> >> be useful in mitigating the fallout when users got their credentials
> >> compromised.
> >
> > can you describe it more?
> >
> Well, I checked the connecting IP of a client against AuthBL *before*
> "permit_sasl_authenticated" (IIRC) in postfix and when users got their
> credentials compromised (that happened more times than I would have
> liked) I'd say more than 95% of connections from the auth-abusing botnet
> were denied. This mitigated a lot of the spam exiting from our outbounds
> and helped us not end up being listed in the more "trigger happy"
> dnsbls around :)
>

Is this a freely available list?
Re: rbl for smtp auth hosts
Marc wrote on 2023-09-15 17:01:
> Anyone have any experience with a dns blacklist specific to known smtp
> auth abuse?

spamrats ?

https://www.spamrats.com/
Re: rbl for smtp auth hosts
On 15/09/23 17:49, Marc wrote:

> Is this a freely available list?
It's included in all DQS accounts, free ones too

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/
Re: rbl for smtp auth hosts
On 15/09/23 17:51, Reindl Harald (privat) wrote:

> limit the connections per hour on smtp-ports with iptables xt_recent
> and configure postfix properly
>
> anvil_rate_time_unit               = 1800s
> smtpd_client_connection_rate_limit = 100
> smtpd_client_recipient_rate_limit  = 400
> smtpd_client_message_rate_limit    = 400
> smtpd_recipient_limit              = 100
Won't help much if you have 100k different IPs connecting, and you also
have high-volume legit customers

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/
Re: rbl for smtp auth hosts
Riccardo Alfieri wrote on 2023-09-15 18:23:
> On 15/09/23 17:51, Reindl Harald (privat) wrote:
>
>> limit the connections per hour on smtp-ports with iptables xt_recent
>> and configure postfix properly
>>
>> anvil_rate_time_unit               = 1800s
>> smtpd_client_connection_rate_limit = 100
>> smtpd_client_recipient_rate_limit  = 400
>> smtpd_client_message_rate_limit    = 400
>> smtpd_recipient_limit              = 100
> Won't help much if you have 100k different IPs connecting, and you also
> have high-volume legit customers

I use weakforced for dovecot, and I know my customers' ASNs.

The interesting part for me is spamrats: I see more rats inside my
customers' ASNs.

It will be endless fights :(

Why did you reply to a blocked user here :(
RE: rbl for smtp auth hosts
> > Anyone have any experience with a dns blacklist specific to known smtp
> > auth abuse?
>
> spamrats ?
>
> https://www.spamrats.com/

yes thanks! this RATS-Auth maybe
Re: rbl for smtp auth hosts
>Marc wrote on 2023-09-15 17:01:
>>Anyone have any experience with a dns blacklist specific to known smtp
>>auth abuse?

On 15.09.23 17:51, Benny Pedersen wrote:
>spamrats ?
>
>https://www.spamrats.com/

I have bad experience with SpamRats and thus wouldn't recommend using them.
YMMV of course.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.
RE: rbl for smtp auth hosts
> >Marc wrote on 2023-09-15 17:01:
> >>Anyone have any experience with a dns blacklist specific to known smtp
> >>auth abuse?
>
> On 15.09.23 17:51, Benny Pedersen wrote:
> >spamrats ?
> >
> >https://www.spamrats.com/
>
> I have bad experience with SpamRats and thus wouldn't recommend using
> them.
> YMMV of course.
>

You could be right about this. When I compare the last 413 failed SMTP auths, none are listed in auth.spamrats.com, while bl.spamcop.net lists 230 at 127.0.0.2 and zen.spamhaus.org gets 371 at 127.0.0.4/127.0.0.3/127.0.0.11. I just have to check which of them is not a list that lists any 'dynamic' IP by default.
Re: rbl for smtp auth hosts
Marc wrote on 2023-09-15 23:57:
>> >Marc wrote on 2023-09-15 17:01:
>> >>Anyone have any experience with a dns blacklist specific to known smtp
>> >>auth abuse?
>>
>> On 15.09.23 17:51, Benny Pedersen wrote:
>> >spamrats ?
>> >
>> >https://www.spamrats.com/
>>
>> I have bad experiente with spam rats and thus wouldn't recommend using
>> them.
>> YMMV of course.
>>
>
> You could be right about this. When I compare the last 413 failed SMTP
> auths, none are listed in auth.spamrats.com, while bl.spamcop.net
> lists 230 at 127.0.0.2 and zen.spamhaus.org gets 371 at
> 127.0.0.4/127.0.0.3/127.0.0.11. I just have to check which of them is
> not a list that lists any 'dynamic' IP by default.

# Postfix 3.0+ master.cf entry: the "{ ... }" form lets an -o value contain
# spaces, and every continuation line must start with whitespace.
# Client IP is checked against RATS-Auth (return code 127.0.0.43) before any
# SASL result is considered; smtpd_delay_reject=no applies it at connect time.
submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o { smtpd_client_restrictions = reject_rbl_client auth.spamrats.com=127.0.0.43, permit }
  -o { smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject }

I find the documentation good. DQS can be added here as well, but I am
unsure if it will expose my DQS key. For me, I don't like to use y (chroot).
Note all details in this, just not auth.spamrats.com plus the hardened
return code.

Please be careful, and ask.
Re: rbl for smtp auth hosts
>> >Marc wrote on 2023-09-15 17:01:
>> >>Anyone have any experience with a dns blacklist specific to known smtp
>> >>auth abuse?

>> On 15.09.23 17:51, Benny Pedersen wrote:
>> >spamrats ?
>> >
>> >https://www.spamrats.com/

>> I have bad experiente with spam rats and thus wouldn't recommend using
>> them.
>> YMMV of course.

On 15.09.23 21:57, Marc wrote:
>You could be right about this. When I compare the last 413 failed SMTP
> auths, none are listed in auth.spamrats.com, while bl.spamcop.net lists
> 230 at 127.0.0.2 and zen.spamhaus.org gets 371 at
> 127.0.0.4/127.0.0.3/127.0.0.11. I just have to check which of them is not
> a list that lists any 'dynamic' IP by default.

Zen is not a good idea for auth either. It's supposed to contain dynamic IPs
which aren't used for spamming.

AuthBL from Spamhaus should do that.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watkins. -- Daffy Duck & Porky Pig
RE: rbl for smtp auth hosts
> >> >>Anyone have any experience with a dns blacklist specific to known smtp
> >> >>auth abuse?
>
> >> On 15.09.23 17:51, Benny Pedersen wrote:
> >> >spamrats ?
> >> >
> >> >https://www.spamrats.com/
>
> >> I have bad experiente with spam rats and thus wouldn't recommend using
> >> them.
> >> YMMV of course.
>
> On 15.09.23 21:57, Marc wrote:
> >You could be right about this. When I compare the last 413 failed SMTP
> > auths, none are listed in auth.spamrats.com, while bl.spamcop.net lists
> > 230 at 127.0.0.2 and zen.spamhaus.org gets 371 at
> > 127.0.0.4/127.0.0.3/127.0.0.11. I just have to check which of them is not
> > a list that lists any 'dynamic' IP by default.
>
> Zen is not a good idea for auth either. It's supposed to contain dynamic IPs
> which aren't used for spamming.

I think this 127.0.0.11 is the dynamic IPs.

> authbl from spamhaus should do that.
>

any idea what this costs?
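Marc's comparison above (the source IPs of failed SMTP AUTH attempts checked against auth.spamrats.com, bl.spamcop.net and zen.spamhaus.org) and Matus' caveat that Zen also carries dynamic end-user space (the PBL, returned as 127.0.0.11) can be turned into a small triage script. The following is an added example, not code posted by anyone in the thread: it pulls client IPs out of constructed Postfix and Dovecot failed-auth log lines, builds the reversed-octet DNSBL query names (including the key-prefixed form Spamhaus DQS zones use), and counts a listing as grounds to reject on the submission port only when it signals active abuse, never for a PBL-only hit. The log lines, the DNSBL answers and the DQS key are constructed so the script runs offline; the Zen, RATS-Auth and SpamCop return codes are the ones quoted in the thread, while the AuthBL zone name and its 127.0.0.20 code are taken from Spamhaus' DQS documentation and should be checked against the current version before use.

```python
"""Triage failed SMTP AUTH source IPs against DNSBLs. Added example, not code
from the thread; log lines and DNSBL answers are constructed, the DQS key is a
placeholder. Return codes used: zen.spamhaus.org 127.0.0.2 SBL, .3 CSS, .4 XBL,
.11 PBL; auth.spamrats.com 127.0.0.43; bl.spamcop.net 127.0.0.2; AuthBL 127.0.0.20."""
import re
import socket
from collections import Counter

# Constructed sample: Postfix submission failures plus one Dovecot login failure.
SAMPLE_LOG = """\
Sep 15 21:40:01 mx postfix/submission/smtpd[1234]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 21:40:03 mx postfix/submission/smtpd[1234]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Sep 15 21:40:08 mx postfix/submission/smtpd[1236]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 21:40:15 mx postfix/submission/smtpd[1240]: warning: unknown[192.0.2.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 21:40:20 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAIL_PATTERNS = (
    re.compile(r"\[" + IPV4 + r"\]: SASL \S+ authentication failed"),  # Postfix smtpd
    re.compile(r"auth failed.*?\brip=" + IPV4),                        # Dovecot *-login
)

# zone -> {answer: (label, counts_as_abuse)}. PBL is a policy listing of end-user
# (dynamic) space, where legitimate MUAs live, so it alone must not reject submission.
ZONES = {
    "auth.spamrats.com": {"127.0.0.43": ("RATS-Auth", True)},
    "zen.spamhaus.org": {"127.0.0.2": ("SBL", True), "127.0.0.3": ("CSS", True),
                         "127.0.0.4": ("XBL", True), "127.0.0.11": ("PBL", False)},
    "bl.spamcop.net": {"127.0.0.2": ("SpamCop", True)},
}
AUTHBL_ZONE = "authbl.dq.spamhaus.net"  # DQS only: queried as <dqs_key>.authbl.dq.spamhaus.net
AUTHBL_CODES = {"127.0.0.20": ("AuthBL", True)}

def failed_auth_ips(log_text):
    """Count failed-auth attempts per client IP across both log formats."""
    counts = Counter()
    for line in log_text.splitlines():
        for pat in FAIL_PATTERNS:
            m = pat.search(line)
            if m:
                counts[m.group(1)] += 1
                break
    return counts

def query_name(ip, zone, dqs_key=None):
    """Reverse the octets; a DQS zone carries the key as the label before the zone."""
    rev = ".".join(reversed(ip.split(".")))
    return f"{rev}.{dqs_key}.{zone}" if dqs_key else f"{rev}.{zone}"

def dns_resolver(name):  # live lookup: A records of a listed IP, [] when unlisted (NXDOMAIN)
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def lookup(ip, resolver, dqs_key=None):
    """Return [(zone, code, label, abuse)] for every listing of ip."""
    tables = dict(ZONES)
    if dqs_key:
        tables[AUTHBL_ZONE] = AUTHBL_CODES
    hits = []
    for zone, codes in tables.items():
        key = dqs_key if zone == AUTHBL_ZONE else None
        for code in resolver(query_name(ip, zone, key)):
            label, abuse = codes.get(code, ("unknown-code", False))
            hits.append((zone, code, label, abuse))
    return hits

def decide(hits):
    """'reject' on any abuse listing, 'policy-only' if only PBL-style codes, else 'unlisted'."""
    if any(abuse for *_, abuse in hits):
        return "reject"
    return "policy-only" if hits else "unlisted"

def triage(log_text, resolver, dqs_key=None):
    """Per failing IP: attempt count, listings and the submission-port decision."""
    report = {}
    for ip, attempts in failed_auth_ips(log_text).items():
        hits = lookup(ip, resolver, dqs_key)
        report[ip] = {"attempts": attempts, "hits": hits, "decision": decide(hits)}
    return report

def coverage(report):
    """How many of the failing IPs each zone lists (the comparison Marc ran)."""
    per_zone = Counter()
    for info in report.values():
        for zone in {h[0] for h in info["hits"]}:
            per_zone[zone] += 1
    return per_zone

# Constructed answers standing in for the live zones.
FAKE_ANSWERS = {
    "10.113.0.203.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],  # XBL + PBL -> reject
    "10.113.0.203.auth.spamrats.com": ["127.0.0.43"],
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.11"],               # PBL only -> do not reject
    "55.2.0.192.bl.spamcop.net": ["127.0.0.2"],
}
def fake_resolver(name):
    return FAKE_ANSWERS.get(name, [])

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG, fake_resolver)  # pass dns_resolver (and a DQS key) for live zones
    for ip, info in sorted(rep.items()):
        print(ip, info["attempts"], info["decision"], [h[2] for h in info["hits"]])
    print("listed per zone:", dict(coverage(rep)))
```

Run as-is it uses the constructed answers; pass dns_resolver and a real DQS key to query the live zones. The point of the three-way decision is the one Matus makes: a "policy-only" result (Zen answering 127.0.0.11 and nothing else) must never become a reject on port 587, because that is the end-user address space legitimate MUAs connect from, whereas an XBL, RATS-Auth, AuthBL or SpamCop answer for a client that is trying to authenticate is exactly the bot traffic Riccardo describes denying before permit_sasl_authenticated.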