SMTP auth attacks

[rd at rd1.net (Ralph Durkee)]

Ouch!  Sounds like a good challenge.  My first though is to make the
problem a bit easier is to go back to the IP Restrictions and find a
different solution for the traveling customers.  So that the at home users
use are authenticated by IP + password, and the travelers are
authenticated by password + something.   Lots of options for the
+something of course, installing certificates and using an web based email
or ssl vpn.

--Ralph


> Hey everyone,
>
> I work at an ISP and we constantly have issues with SMTP Auth attacks
> where
> spammer's use correct customer credentials to use our mail servers as
> relay
> (closed relay? is there such a thing?). So far we have tried the
> following:
>
> * User education (insert delirious laughter) - seriously, this seems to
> never work.
> * Force strong passwords - this doesn't work for customers answering
> phishing emails for their username/password
> * IP restrictions - this causes lots of complaints as customers travel and
> want to still use SMTP
> * Outgoing message limits on authenticated user - it only seems to takes a
> handful of annoyed users to be blocked from places like Hotmail/Yahoo so
> this doesn't work.
>
> There are no brute force attempts on our servers as the attackers have
> figured out that our customer base is to put it lightly, non-techies who
> reply to any email that asks for their password. Also should mention we
> are
> using Debian servers with Postfix for SMTP.
>
> The problem basically is that by the time our mailq alarms
>
> Does anyone have any ideas or wants to mention something that I've missed?
> Google-fu pretty much tells me to turn SMTP Auth off but unfortunately
> this
> isn't an option.
>
> Cheers,
> Ali
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com