[Mimedefang] OWA spam scripting attack

Todd Aiken todd.aiken at UBishops.ca
Fri Oct 24 10:08:21 EDT 2008 



On 23/10/08 2:41 PM, "David F. Skoll" <dfs at roaringpenguin.com> wrote:

> Todd Aiken wrote:
> 
> [Spammers send spam using stolen credentials via OWA]
> 
>> Just wondering if anybody has any ideas at how to stop this from happening?
> 
> We've had a customer call about this.  One thing that might work is
> rate-limiting outbound mail per sender.  For example, you could prevent
> any given sender from sending more than 30 messages per 15-minute window.
> Also (or alternatively), alert the admin when a sender exceeds his rate.
> 
> If you can slow down the spammers enough (say they steal 100 accounts;
> then they can only send 200 messages/minute which is probably way
> below what they'd like to send) you might be able to minimize the
> damage.
> 
> This is very tricky to implement efficiently, relies on the validity of
> the envelope sender (which, presumably, OWA can enforce) and may result
> in some FP's.  But it's something we might look into.  Anyone want to
> fund development? :-)

Wow, I never thought I'd open up such a can of worms.  :-)

Thanks everybody for the suggestions.  I thought of a way I could possibly
slow things down for the spammer.  I noticed that the amount of mail in my
Linux gateway's sendmail mail queue jumped way up shortly after the attack
started.  I think I could write a short script to every five minutes check
the number of messages in the queue, and if it jumps up to some higher than
normal number, have the script notify me, then temporarily shut down
sendmail.  This would allow me time to manually remove the bad messages from
the queue before too many of them got through.  True it would stop all
outbound messages from our site, but inbound would continue through our
other MX gateway (the server that handles all outbound messages is a
secondary MX), and since most of these attacks happen in the middle of the
night, not much legitimate outgoing mail would be waiting to be processed.

Not the best solution because it requires manual intervention, but I think
it would work in our case.

Now my problem is trying to convince sites like Microsoft to let us send
mail to them again... I've already pleaded with them twice to unblock us, to
which they reply back saying they have, but yet our mail still gets refused.


CU L8R...

Todd A. Aiken
Systems Analyst - Administrator
ITS Department
BISHOP'S UNIVERSITY
Sherbrooke, Quebec, CANADA

HTML in email is like putting an air conditioner on a motorcycle.

More information about the MIMEDefang mailing list