On Sun, Nov 03, 2013 at 02:12:08PM +0100, Gilles Chehade wrote:
> On Sat, Nov 02, 2013 at 08:26:35PM -0400, Eric Radman wrote:
> > On October 18 one of my user's computers was compromised (Windows XP),
> > and a spammer started using SMTPS auth to relay mail through my server.
> > I corrected the situation by changing the account password, but since
> > this time Gmail has been rejecting e-mail from my server. It doesn't
> > appear that Google has an appeal process nor will they provide a reason
> > for continuing to reject mail.
> >
>
> ouch
Yep, and it appears they can hold a grudge for a long period of time.
Compare that with Hessler's bgp-spamd blacklist policy:
"Blacklist entries are IP addresses that have sent an email to a
SPAMTRAP email address within the last 24 hours."
Never again. Here are the pf rules I've instituted to prevent this from
ever happening:
# prevent an authenticated user from abusing mail relay
# no more than 2 connections per host
# no more than 8 connections over 30 seconds
table <attacker> persist
block quick from <attacker>
pass inet proto tcp to egress:network port smtps keep state \
(max-src-conn 2, max-src-conn-rate 8/30, overload <attacker>)
Then install a nightly report on who's been clobbered:
00 1 * * * /sbin/pfctl -t attacker -T show
--
Eric Radman | http://eradman.com
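The interaction of the three limits in the rule above (two concurrent connections, eight new connections per 30 seconds, then the source lands in the <attacker> table and is blocked quick) is easy to misread. The following is an added illustration, not code from this post or from OpenBSD pf: a small model that replays the rule against three constructed clients. The IP addresses are made up, and the rate limit is approximated with a sliding window, whereas pf keeps a decaying per-source counter, so exact trigger times in a real firewall can differ by a connection or two.

```python
"""Toy model of pf's max-src-conn / max-src-conn-rate / overload behaviour.

Added illustration for the rule
  pass ... keep state (max-src-conn 2, max-src-conn-rate 8/30, overload <attacker>)
  block quick from <attacker>
It is not pf's code; the sliding window is an assumption that approximates
pf's decaying counter closely enough to show which client gets blacklisted.
"""
from collections import defaultdict, deque

MAX_SRC_CONN = 2     # max-src-conn: simultaneous states per source
RATE_LIMIT = 8       # max-src-conn-rate 8/30: new states ...
RATE_SECONDS = 30    # ... per 30 seconds


class OverloadModel:
    def __init__(self, max_src_conn=MAX_SRC_CONN,
                 rate_limit=RATE_LIMIT, rate_seconds=RATE_SECONDS):
        self.max_src_conn = max_src_conn
        self.rate_limit = rate_limit
        self.rate_seconds = rate_seconds
        self.open = defaultdict(int)        # currently open states per source
        self.recent = defaultdict(deque)    # timestamps of new states per source
        self.attacker = set()               # the <attacker> overload table

    def connect(self, src, t):
        """Return True if a new connection from src at time t passes, else False."""
        if src in self.attacker:
            return False                    # block quick from <attacker>
        if self.open[src] >= self.max_src_conn:
            return False                    # max-src-conn: no new state created
        window = self.recent[src]
        while window and t - window[0] >= self.rate_seconds:
            window.popleft()                # drop connections older than the interval
        if len(window) + 1 > self.rate_limit:
            self.attacker.add(src)          # overload <attacker>: source is tabled
            return False
        window.append(t)
        self.open[src] += 1
        return True

    def close(self, src):
        """A state expires or the client disconnects."""
        if self.open[src] > 0:
            self.open[src] -= 1


def run_scenario():
    """Replay three constructed clients and report what the rule does to each."""
    m = OverloadModel()

    # 1. A normal mail client: one short SMTPS session every five minutes.
    legit = []
    for t in range(0, 3600, 300):
        legit.append(m.connect("192.0.2.10", t))
        m.close("192.0.2.10")

    # 2. A compromised host relaying spam: a new session every second.
    spammer = []
    for t in range(1000, 1012):
        spammer.append(m.connect("198.51.100.7", t))
        m.close("198.51.100.7")

    # 3. A client that opens three sessions at once and holds them open.
    concurrent = [m.connect("203.0.113.5", 2000) for _ in range(3)]

    return {
        "legit": legit,
        "spammer": spammer,
        "concurrent": concurrent,
        "attacker_table": sorted(m.attacker),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The spammer's first eight sessions pass and the ninth puts the source in the table, after which everything from it is dropped; the client opening three simultaneous sessions has its third refused by max-src-conn but is never blacklisted, which is the distinction that keeps a slightly over-eager mail client out of the nightly report. One caveat worth knowing when reading the original rule: `overload <attacker>` on its own only affects new connections, so sessions the abuser already has open keep running until they end; pf accepts `overload <attacker> flush global` to also kill the existing states from that source.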