SPAM from own customers

Hi All

The topic "Spam sent over infected or misconfigured end-user PCs"
will become a big issue. We saw viruses sending spam directly from
the user's PC, downloading the recipient list and the payload through
HTTP from the web.

How will you deal with the problem that one user can flood your
SMTP server with thousands of emails within 10-20 minutes?

Opinions, Suggestions?

thanks,
michel

Michel Renfer writes on 12/2/2003 12:50 PM:

> How will you deal with the problem that one user can flood your
> SMTP server with thousands of emails within 10-20 minutes?

Virus filtering

Rate limit (+ script to auto terminate user) and smtp auth on outbounds

Separate inbound and outbound smtp relay. Don't let your inbound MX relay for your dialup pool (some trojans take the rDNS name / hostname of the infected box and do nslookup -q=mx domainname)

Ask AOL for a scomp@aol.net feed - a lot of these trojan spams seem to target AOL users.

etc.

SMTP AUTH is becoming risky if it's not carefully set up and monitored. I can
name one big-time spammer who has warmed up to cracking weak passwords on
e-mail systems that do SMTP AUTH. That means you'd have to filter your outbound
mail servers' port 25 from anyone not inside your network or a trusted
source.

Virus filtering is a must, but, alas, not all mail servers filter *outgoing*
mail. Most filter only incoming mail.

> Ask AOL for a scomp@aol.net feed - a lot of these trojan spams seem to
> target AOL users.

Something to be aware of with the AOL scomp feed: any time one of your
users sends a message with no To address, and everyone in the BCC or CC
fields, it will generate a notification to the e-mail address you've
registered with them.

We have caught some spam originating from our network through the feed, but
for the most part it's mostly legitimate mail.

Thanks,

Adam Debus
Network Engineer, ReachONE Internet
adam@reachone.com

Not just weak passwords; there are also obvious default, admin,
and guest accounts on some SMTP servers which are sitting there,
easily guessed, and they are indeed being taken advantage of.

richard

Michel Renfer wrote:

> Hi All
>
> The topic "Spam sent over infected or misconfigured end-user PCs"
> will become a big issue. We saw viruses sending spam directly from
> the user's PC, downloading the recipient list and the payload through
> HTTP from the web.
>
> How will you deal with the problem that one user can flood your
> SMTP server with thousands of emails within 10-20 minutes?

In addition to the other suggestions, scanning the CBL (cbl.abuseat.org) for your own IPs is useful from an operational standpoint to find open proxies and trojans.

In a similar vein, detecting customer IPs trying to connect to 47.129.25.87 on port 25 (no legitimate email goes there) will give you similar intelligence, though it's not quite as definitive as a CBL listing. It is most reliable if you exclude legitimate customer mail servers (bounced forged spam and viruses) or correlate to the CBL.

Couple either or both with an autodisconnect script like what Suresh suggested.
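The "rate limit plus auto-terminate script" idea from Suresh's reply and the "exclude legitimate customer mail servers" caveat above, as an added example that is not code from this thread or from any of the posters: it parses Postfix-style smtpd accept lines (format, hostnames, IPs, the 20-messages-per-10-minutes limit and the allowlist are all constructed assumptions) and reports which dialup sources exceeded the limit in any sliding window, which is the list an autodisconnect script would act on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Postfix-style accept line (constructed format):
# "Dec  2 12:50:01 relay postfix/smtpd[101]: 0ABC: client=host[ip]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=\S+\[(?P<ip>[\d.]+)\]"
)

def parse_accepts(log_text):
    """Return sorted (timestamp, client_ip) for every accepted-message line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog carries no year; strptime defaults to 1900, fine for deltas
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"]))
    return sorted(events)

def find_flooders(events, window=timedelta(minutes=10), limit=20, allow=frozenset()):
    """Return {ip: peak_count} for sources that sent more than `limit`
    messages inside any sliding `window`; allowlisted legitimate customer
    mail servers are skipped so their normal volume does not trip the check."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for ts, ip in events:
        if ip in allow:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def constructed_log():
    """Constructed sample: an infected dialup PC bursting, a legitimate
    customer mail server at the same rate, and one normal dialup user."""
    base = datetime(1900, 12, 2, 12, 50)
    spec = [("198.51.100.7", "pc7.dialup.example", 5, 40),    # burst: 40 msgs, 5 s apart
            ("203.0.113.5", "mx.customer.example", 5, 40),    # legit MX, same rate
            ("198.51.100.9", "pc9.dialup.example", 120, 4)]   # normal: 4 msgs in 8 min
    lines = []
    for ip, host, gap, n in spec:
        for i in range(n):
            ts = (base + timedelta(seconds=i * gap)).strftime("%b %d %H:%M:%S")
            lines.append(f"{ts} relay postfix/smtpd[{1000 + i}]: {i:X}ABC: client={host}[{ip}]")
    return "\n".join(lines)

if __name__ == "__main__":
    hits = find_flooders(parse_accepts(constructed_log()), allow={"203.0.113.5"})
    for ip, n in hits.items():
        print(f"disconnect candidate {ip}: {n} messages within 10 minutes")
```

Feed real relay logs through `parse_accepts` and hand the returned IPs to whatever disconnect mechanism your dialup pool supports; the allowlist is what keeps a busy but legitimate customer MX off that list.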