fixes in 2.0.1_RC0.5.14

fixed in 2.0.1_RC0.5.14

- BATV-tag is added if the sender and the recipient are local accounts (Email Interface) - the report could not be sent
- ( , , , , , , , ,) is shown in Blockreport lines
- UserBlockReportInstantQueue.txt - Invalid argument; - because the base directory was added to the filename two times

Thomas

DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known virus in this email!
*******************************************************

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Assp-test mailing list
Assp-test@...
https://lists.sourceforge.net/lists/listinfo/assp-test

Re: Identifying compromised accounts

On 11/5/2009 6:15 AM, Scott MacLean wrote:
> I've just once again had to track down an account that had been
> compromised on my server. The hapless user had malware installed on
> his PC, it stole his SMTP password and we quickly found hundreds of
> zombie PC's from around the world sending spam through my server via
> SMTP AUTH. What's worse, all of the recipients of this spam are now
> added to my whitelist, and it's polluted the corpus.
>
> I was thinking it might be easy to write something to parse the ASSP
> logs on a regular basis and identify if a user is connecting via SMTP
> AUTH from a lot of different IP's and sending a lot of mail to a lot
> of different people.
>
> However, before I go ahead and write this - I thought I might try
> using LocalFrequencyInt and LocalFrequencyNumRcpt. What values are

Well I've never had a problem with stolen accounts, but small server here. Just in case (it can happen to anyone) I set it up to 100 messages / day / user. But only you can know how much traffic your users generate, and limit accordingly.

Re: Identifying compromised accounts

> I was thinking it might be easy to write something to parse the ASSP
> logs on a regular basis and identify if a user is connecting via SMTP
> AUTH from a lot of different IP's and sending a lot of mail to a lot
> of different people.

no need for that the latest 2.0 has a couple features which may help dealing with such issues; one is the "outbound frequency limiter" and the other the "bounce reporting" using both you may be able to detect and block "spamming critters" sending trash through your ASSP ;-)

Also, the idea to parse logs and check IPs isn't smart; someone may just be a "road warrior" moving around with his laptop and connecting (and disconnecting) from the 'net so changing IP quite often and in such a case you'll be facing a lot of false positives

the only way to go is the one currently used by 2.0

Re: Identifying compromised accounts

At 12:48 PM 11/5/2009, GrayHat wrote:
>no need for that the latest 2.0 has a couple features which may help
>dealing with such issues; one is the "outbound frequency limiter" and
>the other the "bounce reporting" using both you may be able to detect
>and block "spamming critters" sending trash through your ASSP ;-)
>
>Also, the idea to parse logs and check IPs isn't smart; someone may
>just be a "road warrior" moving around with his laptop and connecting
>(and disconnecting) from the 'net so changing IP quite often and in such
>a case you'll be facing a lot of false positives
>
>the only way to go is the one currently used by 2.0

I went ahead and wrote a script this morning that parsed the log. I think it's going to work quite well - I set it up to populate a SQL table with a 24-hour sliding window representation of user mail activity.

The user who had their account compromised, in 24 hours had sent email to about 750 unique email addresses, coming from 386 different IP addresses. The next most prolific user on my server had sent email to 38 unique email addresses. The account with the highest unique IP addresses had mail coming from 7 different IP's. It's pretty obvious which account was sending spam, it stands out plainly from the other accounts.

I've set up my script to run hourly, and send me an email if it sees an account with more than 50 unique email addresses or 15 unique IP addresses within the past 24 hours. I'm pretty sure this will help avoid this situation in the future.

With a few thousand users, it's only a matter of time before one of them gets malware that steals their email login details and sends it to the spammers. It's happened three times in the past few months, and up until now, the only way I have found out is when I start getting complaints from other ISP's - or worse, MY users start to complain because their mail is being blocked by other mail servers after my server gets listed in an RBL.

Hopefully, this will help me identify it before it becomes a problem, the next time it happens.
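
The hourly check described in the message above, sketched as an added example; it is not the poster's script and not ASSP code. The one-record-per-recipient log format, the function names and the sample data are constructed assumptions, since the thread does not show the ASSP log layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # sliding window used in the message
MAX_RCPTS = 50                 # alert above 50 unique recipient addresses
MAX_IPS = 15                   # alert above 15 unique client IPs

def parse_line(line):
    """Assumed record: '<ISO time> auth=<user> ip=<addr> rcpt=<addr>'; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[1:])
        return ts, fields["auth"].lower(), fields["ip"], fields["rcpt"].lower()
    except (ValueError, KeyError):
        return None

def flag_accounts(lines, now, max_rcpts=MAX_RCPTS, max_ips=MAX_IPS):
    """Return {user: (unique_rcpts, unique_ips)} for accounts over either limit in the last 24h."""
    rcpts, ips = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip lines that are not SMTP AUTH records
        ts, user, ip, rcpt = rec
        if now - WINDOW < ts <= now:      # ignore anything outside the window
            rcpts[user].add(rcpt)
            ips[user].add(ip)
    return {u: (len(rcpts[u]), len(ips[u])) for u in rcpts
            if len(rcpts[u]) > max_rcpts or len(ips[u]) > max_ips}

def sample_log():
    """Constructed data: an abused account, a roaming user, and a burst older than 24h."""
    t = "2009-11-05T0{h}:00:00 auth={u} ip={ip} rcpt={r}"
    log = [t.format(h=i % 9, u="victim", ip=f"198.51.100.{i}", r=f"r{i}@example.net")
           for i in range(60)]
    log += [t.format(h=i, u="roamer", ip=f"203.0.113.{i}", r=f"friend{i % 3}@example.org")
            for i in range(7)]
    log += [f"2009-11-03T10:00:00 auth=old ip=192.0.2.{i} rcpt=x{i}@example.com"
            for i in range(80)]
    log.append("garbage line that does not parse")
    return log

if __name__ == "__main__":
    for user, (n_rcpt, n_ip) in flag_accounts(sample_log(), datetime(2009, 11, 5, 12)).items():
        print(f"ALERT {user}: {n_rcpt} recipients from {n_ip} IPs in 24h")
```

The roaming user with 7 source IPs and 3 recipients stays under both limits, which is how the thresholds in the message keep "road warrior" traffic from raising an alert.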

Re: Identifying compromised accounts

> to the spammers. It's happened three times in the past few months,
> and up until now, the only way I have found out is when I start
> getting complaints from other ISP's - or worse, MY users start to

with the new 2.0 features YOU will get notified before anyone else will start complaining and all this without any need for database queries or the like; did you look at them ?

Thomas... may you chime in please :) ?