[Mimedefang] OWA spam scripting attack

Jan Pieter Cornet johnpc at xs4all.nl
Thu Oct 23 16:06:20 EDT 2008 

On Thu, Oct 23, 2008 at 02:41:37PM -0400, David F. Skoll wrote:
>> Just wondering if anybody has any ideas at how to stop this from happening?
> 
> We've had a customer call about this.  One thing that might work is
> rate-limiting outbound mail per sender.  For example, you could prevent
> any given sender from sending more than 30 messages per 15-minute window.
> Also (or alternatively), alert the admin when a sender exceeds his rate.

Yup, that's roughly what we do too. (Currently with a rather crude
ratelimiting method, though).

Other limitations that proved effective:

Log the "reply-to" and "From" addresses on phishes, and redirect those
in outgoing mail somewhere else (or just block them with an error
containing a URL to phishing info).

You should be able to find the remote IP operating the OWA in the
headers of the mails. MD can then use something like GeoIP to further
restrict mails sent from a foreign location, or from specific high-risk
locations. Or send alert mails...

> If you can slow down the spammers enough (say they steal 100 accounts;
> then they can only send 200 messages/minute which is probably way
> below what they'd like to send) you might be able to minimize the
> damage.

In my experience a lot of these scams (419, other advance fee fraud) is
sent manually, from eg a webcafé or dialup in Lagos. Some of it seems to
be scripted nowadays, but I haven't seen a lot of scripted attacks.

I used to go over the logs of some of these, and the timing definately
seemed to indicate someone doing "send-back-paste_new_recipients-send-
back-paste_more_recipients-send... coffeebreak... more sending"

> This is very tricky to implement efficiently, relies on the validity of
> the envelope sender (which, presumably, OWA can enforce) and may result
> in some FP's.  But it's something we might look into.  Anyone want to
> fund development? :-)

If you make it work in a cluster without introducing single points of
failure, we might very well do so. (Could even be part of that
mimedefang support contract you offered me a while ago ;)

-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!

More information about the MIMEDefang mailing list