[Mimedefang] OWA spam scripting attack

Joseph Brennan brennan at columbia.edu
Thu Oct 23 15:35:59 EDT 2008


> We've had a customer call about this.  One thing that might work is
> rate-limiting outbound mail per sender.  For example, you could prevent
> any given sender from sending more than 30 messages per 15-minute window.
> Also (or alternatively), alert the admin when a sender exceeds his rate.
. . .
> This is very tricky to implement efficiently, relies on the validity of
> the envelope sender (which, presumably, OWA can enforce) and may result
> in some FP's.  But it's something we might look into.  Anyone want to
> fund development? :-)


The account used should be available.  With SMTP AUTH, it's in a
Sendmail variable.  We customized our webmail (IMP) in one line to
add a header showing what account was used, so we have it there too.
That's pretty important because the spammers do change the sender.
The spammers have many customers.  They send a few hundred of one spam,
a thousand of something else, some phishing to replenish the supply
of accounts, then a few hundred more of some other spam, and so on.

The spammers need to send to many recipients at once, hundreds, so
even on a per-message basis the spammers stand out from almost all
the other users.  Of that small subset of messages, the spammers
generally need to get replies, so next you look for From and Reply-to
set to other domains.  Again some legit mail matches, but now the
number of messages to consider is even smaller.

I think I like counting messages per sender, in addition, but I'm
not sure how it could be set low enough to help without blocking
normal activity.  If we start to get into lists of people who can
send a lot, it may get too complicated to deal with.

Joseph Brennan
Columbia University Information Technology
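As an added illustration (Python, written for this page, not code from the thread or from MIMEDefang, whose filters are Perl), a small scorer combining the heuristics the post describes: recipient count per message, From/Reply-To domains differing from the authenticated account, and a per-account sliding-window rate counter. All addresses, thresholds and sample records are constructed.

```python
from collections import defaultdict, deque
from email.utils import parseaddr

def domain_of(addr):
    """Lowercase domain of an address (display name allowed), or '' if none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def suspicious(auth_account, headers, rcpt_count, rcpt_threshold=100):
    """Heuristics from the post: hundreds of recipients in one message, and From or
    Reply-To pointing at a domain other than the authenticated account's.
    Returns the reasons that matched; an empty list means nothing stood out."""
    reasons = []
    if rcpt_count >= rcpt_threshold:
        reasons.append("many-recipients")
    home = domain_of(auth_account)
    for hdr in ("From", "Reply-To"):
        dom = domain_of(headers.get(hdr, ""))
        if dom and dom != home:
            reasons.append(hdr.lower() + "-foreign-domain")
    return reasons

class SenderRate:
    """Sliding-window count of messages per authenticated account (the quoted
    reply's '30 messages per 15-minute window'). record() returns True once the
    account exceeds the limit inside the window."""
    def __init__(self, limit=30, window_seconds=900):
        self.limit, self.window = limit, window_seconds
        self.sent = defaultdict(deque)       # account -> timestamps in window
    def record(self, account, now):
        times = self.sent[account]
        times.append(now)
        while times and now - times[0] > self.window:
            times.popleft()
        return len(times) > self.limit

# Constructed sample: (authenticated account, headers, recipient count, epoch seconds)
SAMPLE = [
    ("alice@example.edu", {"From": "Alice <alice@example.edu>"}, 2, 0),
    ("bob@example.edu", {"From": "Bank <bob@example.edu>",
                         "Reply-To": "claims@other.example"}, 250, 60),
]

def scan(records, rate=None):
    """Return [(account, reasons)] for the records that trip any heuristic."""
    rate = rate or SenderRate()
    flagged = []
    for account, headers, rcpts, ts in records:
        reasons = suspicious(account, headers, rcpts)
        if rate.record(account, ts):
            reasons.append("rate-exceeded")
        if reasons:
            flagged.append((account, reasons))
    return flagged
```

The rate counter alone would not flag either sample record; it is the combination with recipient count and foreign Reply-To that singles out the second one, which is the layering the post argues for.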