SMTP mass mailing interception

Hi

I have a client site that got blocked by their ISP because of a mass mailing attempt (>10000)

This attempt was apparently executed using a legitimate user’s account

If the attempts weren’t using our ISP’s SMTP server it would be easy to detect and prevent

I was wondering if anyone had any ideas or tools that could help prevent this type of situation at the upstart?
Or at the very least detect it while it is happening

At the router level I suppose I could set up a netwatch script to react if there were a certain number of SMTP connections within a short period of time

thanks
yann

The client has his own Mail Server? Or he uses the ISP one?
If he has his own, just block all outgoing on tcp 25, 587 to all other destinations but his SMTP Server IP and filter/tarpit from there.
You can also monitor outgoing connections on 25 and 587 and if more than x connections in 1 minute, add to list and drop.
http://wiki.mikrotik.com/wiki/How_to_autodetect_infected_or_spammer_users_and_temporary_block_the_SMTP_output
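As an added example (not from this thread or the linked wiki page), the rule set the reply describes, written in RouterOS firewall syntax: the LAN 192.0.2.0/24, the ISP relay 198.51.100.25, the list name smtp-abuse and the threshold of 30 concurrent connections per host are all assumed placeholders to adapt to the site.

```routeros
# Added example, not the thread's or the wiki's own config.
# Assumptions: LAN is 192.0.2.0/24 (placeholder), the ISP's SMTP relay is
# 198.51.100.25 (placeholder), LAN traffic passes through chain=forward, and
# 30 concurrent SMTP connections from one host is well above normal for this site.
/ip firewall filter
# 1. Drop SMTP from any host already flagged, until its list entry expires.
add chain=forward protocol=tcp dst-port=25,587 src-address-list=smtp-abuse action=drop comment="Drop SMTP from hosts flagged as mass mailers"
# 2. Detect-only variant: log hosts that exceed the threshold without blocking them.
#    Use this first to find the site's normal volume before enabling rule 3.
add chain=forward protocol=tcp dst-port=25,587 src-address=192.0.2.0/24 connection-limit=30,32 action=log log-prefix="smtp-abuse:" comment="Log LAN hosts with >30 concurrent SMTP connections"
# 3. Flag a LAN host (netmask 32 = per single address) that holds more than 30
#    concurrent SMTP connections; the entry expires after one hour.
add chain=forward protocol=tcp dst-port=25,587 src-address=192.0.2.0/24 connection-limit=30,32 action=add-src-to-address-list address-list=smtp-abuse address-list-timeout=1h comment="Flag LAN hosts with >30 concurrent SMTP connections"
# 4. Only the ISP relay may be reached on SMTP ports; block direct-to-MX mail.
add chain=forward protocol=tcp dst-port=25,587 src-address=192.0.2.0/24 dst-address=!198.51.100.25 action=drop comment="SMTP only to the ISP relay"
```

Rule order matters: the drop-from-list rule sits first so a flagged host stays blocked for the whole timeout, and the add-to-list action does not terminate rule processing, so a packet that triggers rule 3 still reaches rule 4 and the rules below it. Note that connection-limit counts concurrent TCP connections per source rather than new connections per minute; a host that legitimately sends bulk mail would need a higher threshold or its own exception.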

ISP Mail server

Thanks