[BlueOnyx:01718] Re: Sendmail attack, again (ideas for a more permanent solution)
Michael Stauber
mstauber at blueonyx.it
Wed Jul 15 17:51:35 -05 2009
Hi Gerald and Paul,
Gerald wrote:
> > I suggest not having a user info, maybe OK as an alias.
> > Else give user info a strong password
Paul wrote:
> This was EXACTLY the same problem as I had a week or so ago - and it was
> indeed the user "info". Removed the user, and problem gone (blocked the
> spammer's IP for good measure)!!
I'm currently re-thinking certain security aspects of BlueOnyx while I'm
working on an improved (commercial) firewall package for BlueOnyx.
As it is, the add-ons (free or paid) that are around to counter these problems all
have their shortcomings.
They may be able to cope with some brute force or dictionary attacks, but
there is always the odd one that slips through and hits you squarely over the
head.
Even then there is more that can be done - like monitoring logging behaviour
and typical usage which usually is not done by anything.
For example: You have that user "info". He's been on the server for several
months. During that time he logged in by POP3 from dynamic IP addresses in the
UK like three times a week and sends maybe 20 emails on average per week.
Sometime in February he logged in from a dynamic IP in the US and over the
easter weekend from somewhere in France.
Now all of a sudden he logs in to SMTP-Auth from Romania, the Ukraine or
China every minute and sends like 2000 emails per hour.
That doesn't really fit the typical behaviour of that user and should be a
dead giveaway that there is something wrong. With some creative logfile
parsing and Perl scripting it's fairly easy to catch, too.
It could even be possible to set site or user specific limits through the
BlueOnyx GUI. Like: User can only use network services (SMTP-Auth, POP3, IMAP,
FTP) if the connections come from certain countries, a certain continent or
region. Or one could set limits for sites and users about how many emails they
are allowed to send in a given time period. Either one of those should be able
to catch these kinds of abuse and either stop it early, or notify you that
something out of the ordinary is going on that may require your attention.
Without causing undue trouble for the average users - with the exception of
restricting allowed traffic to certain countries - of course. Even then you
could throw in something like this:
If he connects from a country in the "non-suspicious" list, he can send 500
emails a day, but if he connects from one in the "suspicious list", he can
only send 50 a day, plus an alarm is raised anyway.
Reactions to suspicious login activity or suspicious usage activity
(especially related to sending emails!) could also be defined on a per site or
per user basis.
Like:
- Ignore and do nothing
- Log and report only
- Log, report and impose stricter limits on allowed activity
- Suspend the account temporarily (by locking it)
- Block the offending IP with a firewall rule and lock the account
I've got a very rough draft of that code in the cooker at the moment, but it's
still a few weeks away from being ready.
Certain features of the new firewall package will probably be included for
free in BlueOnyx, like the ability to monitor accounts for unusual login
activity and usage behaviours, but the rest will be a paid add-on. That also
makes sure that there won't be problems with other third party security tools
like Dfix, APF, BFD or whatever else may already be present.
--
With best regards
Michael Stauber
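An added example, not code from this thread or from BlueOnyx, sketching the logfile check Michael describes (baseline of countries per user, a burst of SMTP-Auth logins from a country the user never used, and the 500/50 daily cap depending on the country list). It is written in Python rather than the Perl he mentions; the log lines, the prefix-to-country table standing in for a GeoIP lookup, the per-user baseline, the country lists and the three-login burst threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified sendmail-style AUTH lines; not taken from any real server.
LOG = """\
Jul 15 10:01:02 srv sendmail[101]: AUTH=server, relay=[203.0.113.5], authid=info, mech=LOGIN
Jul 15 10:01:30 srv sendmail[102]: AUTH=server, relay=[203.0.113.5], authid=info, mech=LOGIN
Jul 15 10:02:01 srv sendmail[103]: AUTH=server, relay=[198.51.100.7], authid=bob, mech=LOGIN
Jul 15 10:02:40 srv sendmail[104]: AUTH=server, relay=[203.0.113.9], authid=info, mech=LOGIN
"""
# Stand-in for a GeoIP lookup: /24 prefix -> ISO country code (constructed).
GEO = {"203.0.113": "RO", "198.51.100": "GB", "192.0.2": "GB"}
# Countries each user has historically logged in from (constructed baseline).
BASELINE = {"info": {"GB", "US", "FR"}, "bob": {"GB"}}
SAFE = {"GB", "US", "FR", "DE"}          # the "non-suspicious" list (assumed)
CAPS = {"safe": 500, "suspicious": 50}   # daily sending limits from the policy above
NEW_COUNTRY_LOGINS = 3                   # assumed alert threshold per log window

AUTH_RE = re.compile(r"relay=\[(\d+\.\d+\.\d+)\.\d+\].*?authid=(\w+)")

def country_of(ip_prefix):
    return GEO.get(ip_prefix, "??")      # unknown prefix is treated as suspicious

def parse_auth(log):
    """Yield (user, country) for every SMTP-Auth login found in the log."""
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group(2), country_of(m.group(1))

def assess(log, baseline):
    """Per user: logins seen, countries never seen before, cap to apply, alarm flag."""
    logins = defaultdict(list)
    for user, cc in parse_auth(log):
        logins[user].append(cc)
    report = {}
    for user, ccs in logins.items():
        new = {c for c in ccs if c not in baseline.get(user, set())}
        suspicious = any(c not in SAFE for c in ccs)
        cap = CAPS["suspicious"] if suspicious else CAPS["safe"]
        # Alarm on any login from a suspicious country, or on a burst of logins
        # from a country this user never used before ("all of a sudden from Romania").
        burst = sum(1 for c in ccs if c in new) >= NEW_COUNTRY_LOGINS
        report[user] = {"logins": len(ccs), "new_countries": new,
                        "daily_cap": cap, "alarm": suspicious or burst}
    return report

if __name__ == "__main__":
    for user, r in assess(LOG, BASELINE).items():
        print(user, r)
```

Hooking this up to the reactions listed (log, lock the account, add a firewall rule) is left out; the report only says which cap applies and whether an alarm should be raised.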