Hello,
It is common, when a computer is infected with a virus, for the mail password you have set to be sent to "other computers", and then these computers begin to use the mailbox to send viruses or spam.
When this happens, many alerts like "AUTHRELAY, Remote IP - xxx.xxx.xxx.xxx" come in a short time, where in each of these alerts the IP is different (the firewall is blocking each IP), but by the time the block occurs, each of these IPs has already sent a lot of spam or viruses.
It would be good to lock a particular mailbox in an automatic way (changing the password) when the firewall detects many "AUTHRELAY" alerts from different IPs with a single mailbox involved.
(Sorry if my English is not very good, but my native language is Spanish)
Prevent bad use of an email account (virus)
Re: Prevent bad use of an email account (virus)
+1
Hello Shenzy,
I mean a scenario where the LFD could analyze the connections coming to that email account and, with the aid of some algorithm, start from the principle that the account may have been used to send SPAM, am I right?
This sounds good. In my company I'm very careful to analyze the amount of daily AUTHRELAY notifications made on the servers. On any suspicious activity I block IP access and I tell my customer to take preventive measures (change email password / cPanel password, etc.), install good anti-virus software and prevent email access on suspect computers.
Re: Prevent bad use of an email account (virus)
# Distributed SMTP Logins. This option will keep track of successful SMTP
# logins. If the number of successful logins to an individual account is at
# least LF_DISTSMTP in LF_INTERVAL from at least LF_DISTSMTP_UNIQ IP addresses,
# then all of the IP addresses will be blocked. These options only apply to
# the exim MTA
#
# This option can help mitigate the common SMTP account compromise attacks that
# use a distributed network of zombies to send spam
#
# A sensible setting for this might be 5, depending on how many different
# IP addresses you expect to an individual SMTP account within LF_INTERVAL
#
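As an added illustration (not part of this thread and not csf/lfd's own code), here is a Python sketch of the LF_DISTSMTP logic described in the quoted csf.conf text, run over constructed, simplified exim log lines: it finds accounts whose successful SMTP logins inside an LF_INTERVAL window reach both thresholds, which is the "many logins to one mailbox from different IPs" pattern the original poster wants to act on. The threshold values, the log line format, and the function names are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds named after the csf.conf options quoted above; the values are assumed for this example.
LF_DISTSMTP = 5        # successful logins to one account within LF_INTERVAL ...
LF_DISTSMTP_UNIQ = 3   # ... coming from at least this many distinct IP addresses
LF_INTERVAL = 3600     # window in seconds

# Constructed, simplified exim mainlog lines (timestamp, client IP in [], A=<authenticator>:<account>).
SAMPLE_LOG = """\
2024-03-01 10:00:01 1rX1-0001-AB <= bob@example.net H=(pc1) [198.51.100.10] P=esmtpsa A=dovecot_login:bob@example.net S=2048
2024-03-01 10:03:15 1rX1-0002-AB <= bob@example.net H=(pc2) [203.0.113.7] P=esmtpsa A=dovecot_login:bob@example.net S=2100
2024-03-01 10:07:40 1rX1-0003-AB <= bob@example.net H=(pc3) [192.0.2.44] P=esmtpsa A=dovecot_login:bob@example.net S=1990
2024-03-01 10:12:02 1rX1-0004-AB <= bob@example.net H=(pc1) [198.51.100.10] P=esmtpsa A=dovecot_login:bob@example.net S=2075
2024-03-01 10:18:30 1rX1-0005-AB <= bob@example.net H=(pc4) [198.51.100.23] P=esmtpsa A=dovecot_login:bob@example.net S=2210
2024-03-01 10:01:10 1rX1-0006-AB <= carol@example.net H=(office) [192.0.2.99] P=esmtpsa A=dovecot_login:carol@example.net S=900
2024-03-01 10:02:10 1rX1-0007-AB <= carol@example.net H=(office) [192.0.2.99] P=esmtpsa A=dovecot_login:carol@example.net S=910
2024-03-01 10:03:10 1rX1-0008-AB <= carol@example.net H=(office) [192.0.2.99] P=esmtpsa A=dovecot_login:carol@example.net S=920
2024-03-01 10:04:10 1rX1-0009-AB <= carol@example.net H=(office) [192.0.2.99] P=esmtpsa A=dovecot_login:carol@example.net S=930
2024-03-01 10:05:10 1rX1-0010-AB <= carol@example.net H=(office) [192.0.2.99] P=esmtpsa A=dovecot_login:carol@example.net S=940
2024-03-01 10:09:00 1rX1-0011-AB <= alice@example.net H=(laptop) [203.0.113.50] P=esmtpsa A=dovecot_login:alice@example.net S=1500
"""

LINE_RE = re.compile(r"^(\S+ \S+) .*?\[(\d+\.\d+\.\d+\.\d+)\] .*?A=[^:\s]+:(\S+)")

def parse_logins(text):
    """Yield (timestamp, client_ip, account) for every authenticated-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def distributed_logins(text, min_logins=LF_DISTSMTP, min_uniq=LF_DISTSMTP_UNIQ, interval=LF_INTERVAL):
    """Return {account: sorted IP list} for accounts whose logins in some LF_INTERVAL window
    reach both thresholds: these IPs are what lfd would block, and the account is the one to lock."""
    by_account = defaultdict(list)
    for ts, ip, account in parse_logins(text):
        by_account[account].append((ts, ip))
    flagged, window = {}, timedelta(seconds=interval)
    for account, recs in by_account.items():
        recs.sort()
        for i, (start, _) in enumerate(recs):           # slide the window over each login
            ips = [ip for ts, ip in recs[i:] if ts - start <= window]
            if len(ips) >= min_logins and len(set(ips)) >= min_uniq:
                flagged[account] = sorted(set(ips))
                break
    return flagged
```

Note that carol logs in five times but always from one IP, so only the LF_DISTSMTP_UNIQ threshold keeps a busy but legitimate account from being treated like bob's compromised one.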