[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Mail Submission Protocol
- Subject: Mail Submission Protocol
- From: franck at genius.com (Franck Martin)
- Date: Thu, 22 Apr 2010 14:54:37 +1200 (MAGST)
- In-reply-to: <[email protected]>
If you have left port 25 open, this is a good place to start.
http://www.uceprotect.net/en/rblcheck.php
I suspect any decent IDS will tell you which machine has weird traffic. I suppose you can put rules based on the IDS result to redirect them to a special web page to tell them, they have to do something.
The main issue, it not to know which machines are hijacked, but to support these machines.
----- Original Message -----
From: "Suresh Ramasubramanian" <ops.lists at gmail.com>
To: "Alex Kamiru" <nderitualex at gmail.com>
Cc: nanog at nanog.org
Sent: Thursday, 22 April, 2010 1:35:56 PM
Subject: Re: Mail Submission Protocol
Log and monitor all that you can. And watch for a large number of IPs
logging into an account over a day (over a set limit - even across
country - that takes into account "home - blackberry - airport lounge
- airport lounge in another country - hotel - RIPE meeting venue"
type scenarios).
And especially watch for and/or firewall off logins from areas from
where you see particularly high levels of smtp auth abuse / logins to
compromised accounts
--srs
2010/4/21 Alex Kamiru <nderitualex at gmail.com>:
>>>Inside customers, we have not changed to force port 587 and
>>>authentication for email clients, but the topic has come up in
>>>discussions. This won't of course, stop spammers if they are
>>>hijacking the users local email client settings.
>
> How best would you stop spammers hijacking local users email clients
>
> -Mike