Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC

Thread

Ratelimit per authenticated user

2016-09-08 by maren.zubizarreta@...

Hello:


We want to implement an ACL with a ratelimit per authenticated user, this is to prevent SPAMMing when one of our user's credentials are stolen, and a SPAMMER using different IPs and the same user credentials tries to send SPAM through our system.

Is it possible to do it using milter-greylist? I haven't found how.


Thanks a lot


Maren

Re: [milter-greylist] Ratelimit per authenticated user

2016-09-08 by Marcus Schopen

Hi Maren,

On 2016-09-08 09:12, maren.zubizarreta@... [milter-greylist] wrote:
> Hello:
> 
>  We want to implement an ACL with a ratelimit per authenticated user,
> this is to prevent SPAMMing when one of our  user's credentials are
> stolen, and a SPAMMER using different IPs and the same user
> credentials tries to send SPAM through our system.
> 
> Is it possible to do it using milter-greylist? I haven't found how.

Would interest me too, good idea! Do you think changing IPs on a 
smtp-auth account is a good hint of abuse? What if all spam is sent from 
one IP, e.g. if a user's notebook is infected by a virus and uses your 
smtp relay to send spam. Maybe a hard limit number for a user account 
combined with changing IPs and/or geoip.

Ciao
Marcus

Re: [milter-greylist] Ratelimit per authenticated user

2016-09-08 by Marcus Schopen

On 2016-09-08 09:39, Marcus Schopen lists-yahoogroups@... 
[milter-greylist] wrote:
> Hi Maren,
> 
> On 2016-09-08 09:12, maren.zubizarreta@... [milter-greylist] wrote:
>> Hello:
>> 
>> We want to implement an ACL with a ratelimit per authenticated user,
>> this is to prevent SPAMMing when one of our user's credentials are
>> stolen, and a SPAMMER using different IPs and the same user
>> credentials tries to send SPAM through our system.
>> 
>> Is it possible to do it using milter-greylist? I haven't found how.
> 
> Would interest me too, good idea! Do you think changing IPs on a
> smtp-auth account is a good hint of abuse? What if all spam is sent
> from
> one IP, e.g. if a users notebook is infected by a virus and uses your
> smtp relay to send spam. May be a hard limit number for a user account
> 
> combined with changing IPs and/or geoip.

Some examples/ideas:

http://myspew.com/software/how-to-rate-limit-smtp-with-milter-greylist

and see for "Rate Limit" in greylist.conf. Not exactly your case, but some 
ideas.

Ciao!

Re: [milter-greylist] Ratelimit per authenticated user

2016-09-08 by maren.zubizarreta@...

Hello again,

We want to limit both cases, this is, when an authenticated user sends more than X mails, just stop it.

We have used milter-greylist since 2012, but now we desperately need to set this ratelimit.

We have checked other products and with policyID (https://mtpolicyd.org/) you can do it easily, now I wonder if it's possible to do it with milter-greylist.
Maren

Re: [milter-greylist] Ratelimit per authenticated user

2016-09-08 by maren.zubizarreta@...

Thanks,
We actually have such rules:

list "HORDE" addr { 10.0.100.41 10.0.100.42 10.0.100.43 10.0.100.44 10.0.100.45 }
ratelimit "MAILS_PER_HOUR" rcpt 200 / 1h key "%f"
racl blacklist list "HORDE" ratelimit "MAILS_PER_HOUR" msg "Quota Exceeded"

But we only can use %f and other parameters specified at the manual.
The point is that we want to use as a parameter, the SASL authenticated user, and I don't know if we can do it and how.

Thanks



Re: [milter-greylist] Ratelimit per authenticated user

2016-09-08 by Serge Stepanov

maybe to use auth macro as key

key %M{auth_authen}%i

I didn't test this...



Re: [milter-greylist] Ratelimit per authenticated user

2016-09-08 by Emmanuel Dreyfus

On Thu, Sep 08, 2016 at 12:12:38AM -0700, maren.zubizarreta@... [milter-greylist] wrote:
>   We want to implement an ACL with a ratelimit per authenticated user, this is to prevent SPAMMing when one of our  user's credentials are stolen, and a SPAMMER using different IPs and the same user credentials tries to send SPAM through our system.
>  Is it possible to do it using milter-greylist? I haven't found how.

I use that, assuming users post from 192.0.2.0/24

ratelimit "users" rcpt 100 / 10m key "%M{auth_authen}"
racl blacklist addr 192.0.2.0/24 ratelimit "users" \
        msg "Too many recipients (%M{auth_authen}), please retry later"

In sendmail.cf, you need O Milter.macros.envfrom to contain {auth_authen}

-- 
Emmanuel Dreyfus
manu@...
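
Added example, not part of the thread and not milter-greylist code: a simplified Python model of a keyed recipient ratelimit, replayed over constructed traffic, showing why a key on the authenticated user catches one account used from many IPs while a key on the client IP does not. The window logic, function names and events are assumptions for illustration; milter-greylist's own accounting may differ.

```python
from collections import defaultdict, deque

class KeyedRateLimit:
    """Sliding-window recipient counter with one bucket per key value."""
    def __init__(self, limit, window_s, key_fn):
        self.limit, self.window_s, self.key_fn = limit, window_s, key_fn
        self.buckets = defaultdict(deque)   # key -> timestamps of counted RCPTs

    def over_limit(self, event):
        """Count one RCPT; True once this key's bucket exceeds the limit."""
        bucket = self.buckets[self.key_fn(event)]
        now = event["ts"]
        while bucket and now - bucket[0] >= self.window_s:
            bucket.popleft()                # drop RCPTs older than the window
        bucket.append(now)
        return len(bucket) > self.limit

def blocked_rcpts(events, key_fn, limit=100, window_s=600):
    """Replay events (100 rcpt / 10m by default); return rejected RCPTs per user."""
    rl = KeyedRateLimit(limit, window_s, key_fn)
    blocked = defaultdict(int)
    for ev in events:
        if ev["auth"] is None:              # assumption: no {auth_authen}, rule skipped
            continue
        if rl.over_limit(ev):
            blocked[ev["auth"]] += 1
    return dict(blocked)

def sample_events():
    """Constructed traffic: 'alice' credentials used from 30 IPs, 'bob' normal."""
    events = []
    for n in range(300):                    # 300 RCPTs in 5 minutes, 10 per IP
        events.append({"ts": n, "auth": "alice", "ip": f"203.0.113.{n % 30}"})
    for n in range(20):                     # 20 RCPTs from a single address
        events.append({"ts": n * 15, "auth": "bob", "ip": "192.0.2.10"})
    events.append({"ts": 5, "auth": None, "ip": "198.51.100.7"})  # unauthenticated
    return sorted(events, key=lambda e: e["ts"])

def by_user(event):                         # models key "%M{auth_authen}"
    return event["auth"]

def by_ip(event):                           # models key "%i"
    return event["ip"]

if __name__ == "__main__":
    ev = sample_events()
    print("key=user:", blocked_rcpts(ev, by_user))
    print("key=ip:  ", blocked_rcpts(ev, by_ip))
```
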

Re: [milter-greylist] Ratelimit per authenticated user

2016-09-08 by maren.zubizarreta@...

Thanks:

I think I have it, my only doubt is how would you set exceptions as these proposed by Can, for unauthenticated user, or for a specific user, would you still use sm_macro?
Maren

Re: [milter-greylist] Ratelimit per authenticated user

2016-09-08 by Serge Stepanov

Btw,

Could you explain how ratelimit is accounting?

It account all events or only when any acl trig ?

For example i want to count only spam messages at data stage. i use

ratelimit "spam hosts" rcpt 25 / 3h
dacl blacklist spamd > 5 ratelimit "spam hosts" flushaddr code "421" ecode "4.7.0"

this ratelimit count ALL messages per ip or only ones matched this dacl ?


Thanks
On Thu, Sep 8, 2016 at 12:55 PM, Emmanuel Dreyfus manu@... [milter-greylist] <milter-greylist@yahoogroups.com> wrote:

On Thu, Sep 08, 2016 at 12:12:38AM -0700, maren.zubizarreta@... [milter-greylist] wrote:
> We want to implement an ACL with a ratelimit per authenticated user, this is to prevent SPAMMing when one of our user's credentials are stolen, and a SPAMMER using different IPs and the same user credentials tries to send SPAM through our system.
> Is it possible to do it using milter-greylist? I haven't found how.

I use that, assuming users post from 192.0.2.0/24

ratelimit "users" rcpt 100 / 10m key "%M{auth_authen}"
racl blacklist addr 192.0.2.0/24 ratelimit "users" \
msg "Too many recipients (%M{auth_authen}), please retry later"

In sendmail.cf, you need O Milter.macros.envfrom to contain {auth_authen}

--
Emmanuel Dreyfus
manu@...


Re: [milter-greylist] Ratelimit per authenticated user

2016-09-08 by Emmanuel Dreyfus

On Thu, Sep 08, 2016 at 03:18:59AM -0700, maren.zubizarreta@... [milter-greylist] wrote:
>   I think I have it, my only doubt is how would you set exceptions as these proposed by Can, for unauthenticated user, or for a specific user, would you still use sm_macro?

{auth_authen} contains the authenticated userid. You can make specific rules for specific values if you want.

-- 
Emmanuel Dreyfus
manu@...

Re: [milter-greylist] Ratelimit per authenticated user

2016-09-08 by maren.zubizarreta@...

Hi Btw,

As I understand it, in your example you are accounting all messages, but you can tune this using "key", for example:

ratelimit "spam hosts" rcpt 25 / 3h key "%f" -->it accounts messages with the same from
ratelimit "spam hosts" rcpt 25 / 3h key "%i" -->it accounts messages with the same IP
ratelimit "spam hosts" rcpt 25 / 3h key "%f%i" -->it accounts messages with the same from and IP


As for my problem I have already tested successfully the schema given by Can:

list "MY_IP" addr { 158.227.4.29}
ratelimit "limite_1H" rcpt 1 / 1m key "%M{auth_authen}"
sm_macro "null" "{auth_authen}" unset
sm_macro "user1_macro" "{auth_authen}" "user1"

racl blacklist not sm_macro "null" not sm_macro "user1_macro" list "MY_IP" ratelimit "limite_1H" msg "Quota exceeded"


Now, I would like to change the user name, so that I can have a list of them instead of one macro per user,
I have read that I can use regexp here using slashes:
sm_macro "user1_macro" "{auth_authen}" /user1|user2/
I'd like to ask if this is correct, or I should rather use a user_s list or something else.

Thanks

Maren



Re: [milter-greylist] Ratelimit per authenticated user

2016-09-08 by maren.zubizarreta@...

Hello again:

I already tested the regular expression:
sm_macro "users_macro" "{auth_authen}" /user1|user2/
and it seems to work well, so now my definitive config will be:

list "MY_NETWORKS" addr { 158.227.4.0/24}
ratelimit "limite_1H" rcpt 200 / 1h key "%M{auth_authen}"
sm_macro "null" "{auth_authen}" unset
sm_macro "users_macro" "{auth_authen}" /user1|user2/

racl blacklist not sm_macro "null" not sm_macro "users_macro" not list "MY_NETWORKS" ratelimit "limite_1H" msg "Quota exceeded"


Maren

Re: [milter-greylist] Ratelimit per authenticated user

2016-09-08 by maren.zubizarreta@...

Sorry, my last message was a mistake.

I have another question. For these rules to be applied I have to set "noauth", but then all other rules that I had before (such as default greylisting) are applied to authenticated users. Is there a way to organize the rules to avoid this?

I mean, enabling the noauth at the end of my previous file, and adding at the end the new rules for authenticated users, would do the job?

Thanks

Re: [milter-greylist] Ratelimit per authenticated user

2016-09-08 by Marcus Schopen

Hi,

On 2016-09-08 14:18, maren.zubizarreta@... [milter-greylist] wrote:
> Hello again:
> 
>  I already tested the regular expression:
> sm_macro "users_macro" "{auth_authen}" /user1|user2/
> and it seems to work well, so now my definitive config will be:
> 
> list "MY_NETWORKS" addr { 158.227.4.0/24}
> ratelimit "limite_1H" rcpt 200 / 1h key "%M{auth_authen}"
> sm_macro "null" "{auth_authen}" unset
> sm_macro "users_macro" "{auth_authen}" /user1|user2/
> 
> racl blacklist not sm_macro "null" not sm_macro"users_macro" not  list
> "MY_NETWORKS" ratelimit "limite_1H" msg "Quota exceeded"

Thanks for your example. I tried your rule set, which is placed before 
"racl greylist list "grey users" ..." in the config, but it's not 
working here:

-------
# Limit Test
list "MY_NETWORKS" addr { 192.168.100.0/24}
ratelimit "limite_1H" rcpt 2 / 1h key "%M{auth_authen}"
sm_macro "null" "{auth_authen}" unset
sm_macro "users_macro" "{auth_authen}" /user1|user2/
racl blacklist not sm_macro "null" not sm_macro "users_macro" not list "MY_NETWORKS" ratelimit "limite_1H" msg "Quota exceeded"
-------

grep auth_authen sendmail.cf:
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, 
{auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
...

sendmail.mc:
INPUT_MAIL_FILTER(`greylist',`S=inet:12345@internalscanhost, F=, 
T=S:1m;R:1m')dnl

mail.log says:
Sep  8 19:10:50 internalscanhost milter-greylist: User testuser1 
authenticated, bypassing greylisting

Any ideas?

Ciao
Marcus

Re: [milter-greylist] Ratelimit per authenticated user

2016-09-09 by maren.zubizarreta@...

Hello again:
From the message "User testuser1 authenticated, bypassing greylisting"
I can guess that you haven't enabled "noauth", this is: uncomment it, so rules will be applied
to authenticated users.

Even so, yesterday I sent a question, as I'm not sure if it's possible to avoid greylisting for authenticated users, once noauth is enabled. Anybody knows?:

>> For these rules to be applied I have to set "noauth", but then all other rules that I had before (such as default greylisting) are applied to authenticated users. Is there a way to organize the rules to avoid this?

>> I mean, enabling the noauth at the end of my previous file, and adding at the end the new rules for authenticated users, would do the job?

Thanks

Maren


Re: [milter-greylist] Ratelimit per authenticated user

2016-09-14 by manu@...

maren.zubizarreta@... [milter-greylist]
<milter-greylist@yahoogroups.com> wrote:

>  I mean, enabling the noauth at the end of my previous file, and adding at
> the end the new rules for authenticated users, would do the job?

I understand it would.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] Ratelimit per authenticated user

2016-09-14 by manu@...

maren.zubizarreta@... [milter-greylist]
<milter-greylist@yahoogroups.com> wrote:

>  Even so, yesterday I sent a question, as I'm not sure if it's possible to
> avoid greylisting for authenticated users, once noauth is enabled.
> Anybody knows?:

Default behavior is there for backward compatibility. It whitelists
authenticated users.

If you use noauth, authenticated users go through the ACL as others do.
Then you can have specific ACL for authenticated users.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] Ratelimit per authenticated user

2016-09-14 by Marcus Schopen

Hi Maren,

On 2016-09-08 09:12, maren.zubizarreta@... [milter-greylist] wrote:
> Hello:
> 
>  We want to implement an ACL with a ratelimit per authenticated user,
> this is to prevent SPAMMing when one of our  user's credentials are
> stolen, and a SPAMMER using different IPs and the same user
> credentials tries to send SPAM through our system.
> 
> Is it possible to do it using milter-greylist? I haven't found how.

Have you thought about fail2ban, not just classic firewall rules, but 
closing smtp accounts if successful smtp logins come from different IPs 
in a very short time period, possibly combining with geoip? Beside 
ratelimits this might be a way to block abusing accounts. I posted that 
question on fail2ban list today.

Ciao!
Marcus

Re: [milter-greylist] Ratelimit per authenticated user

2016-09-15 by Frank Doepper

On 14.09.16 at 15:36, Marcus Schopen lists-yahoogroups@...... wrote:

> Have you thought about fail2ban, not just classic firewall rules, but
> closing smtp accounts if successful smtp logins come from different IPs
> in a very short time period, possibly combining with geoip? Beside
> ratelimits this might be a way to block abusing accounts. I posted that
> question on fail2ban list today.

I have built this with mimedefang and a SQLite-DB. I have running both
mimedefang and milter-greylist on the server. And fail2ban (for
unsuccessful logins), too. Hard times.

Frank.
-- 
xmpp:fd@...
pgp:0x6C6804CD
