ConfigServer Community Forum

Currently it appears that RT_AUTHRELAY_ALERT is tracking relayed emails by IP address.

However, most of the time when large amounts of email are coming through, it is due to spammers compromising a user account and sending from many different IP addresses. Because of the multiple IP addresses, RT_AUTHRELAY_LIMIT rarely ever gets exceeded and lots of spam gets through unnoticed.

What would be nice is if the tracking key for RT_AUTHRELAY used the smtp authentication id (found in the Exim log line in the A= section). That way, no matter how many IP addresses were sending the emails, they would all get counted towards the RT_AUTHRELAY_LIMIT.

Obviously CSF wouldnt be able to block the user account, but it would at least send the alerts.

Maybe a boolean option called RT_AUTHRELAY_ACCOUNT that tracks by user instead of IP? Or perhaps changing it altogether to use username?

Right now, this is the single biggest recurring problem we have that I wish csf could handle.

You could activate the SMTP Distibuted detection and block any access to that account with one of the ACTION Scripts.

I like the idea, and perhaps when csf gets the user id (email address) that is compromised, it can change the password for it to some random password. That would stop the spammers pretty much dead in their tracks. Then alert the admin that the password for user xxxx@domain.tld has been changed.

I was just looking to see if anyone had a script they could share that did just this. I know with CSF you can have a script fire off, it would GREAT if there was one or if Chirpy would add this to CSF.

Some script or built in that would do the following:

• 1 - Change the password or SUSPEND the account responsible
  2 - Purge all the emails in the QUEUE that are from the user.

Jim