[Mimedefang] OWA spam scripting attack

Scott Silva ssilva at sgvwater.com
Fri Oct 24 18:02:14 EDT 2008


on 10-24-2008 7:08 AM Todd Aiken spake the following:
> 
> 
> On 23/10/08 2:41 PM, "David F. Skoll" <dfs at roaringpenguin.com> wrote:
> 
>> Todd Aiken wrote:
>>
>> [Spammers send spam using stolen credentials via OWA]
>>
>>> Just wondering if anybody has any ideas at how to stop this from happening?
>> We've had a customer call about this.  One thing that might work is
>> rate-limiting outbound mail per sender.  For example, you could prevent
>> any given sender from sending more than 30 messages per 15-minute window.
>> Also (or alternatively), alert the admin when a sender exceeds his rate.
>>
>> If you can slow down the spammers enough (say they steal 100 accounts;
>> then they can only send 200 messages/minute which is probably way
>> below what they'd like to send) you might be able to minimize the
>> damage.
>>
>> This is very tricky to implement efficiently, relies on the validity of
>> the envelope sender (which, presumably, OWA can enforce) and may result
>> in some FP's.  But it's something we might look into.  Anyone want to
>> fund development? :-)
> 
> Wow, I never thought I'd open up such a can of worms.  :-)
> 
> Thanks everybody for the suggestions.  I thought of a way I could possibly
> slow things down for the spammer.  I noticed that the amount of mail in my
> Linux gateway's sendmail mail queue jumped way up shortly after the attack
> started.  I think I could write a short script to every five minutes check
> the number of messages in the queue, and if it jumps up to some higher than
> normal number, have the script notify me, then temporarily shut down
> sendmail.  This would allow me time to manually remove the bad messages from
> the queue before too many of them got through.  True it would stop all
> outbound messages from our site, but inbound would continue through our
> other MX gateway (the server that handles all outbound messages is a
> secondary MX), and since most of these attacks happen in the middle of the
> night, not much legitimate outgoing mail would be waiting to be processed.
> 
> Not the best solution because it requires manual intervention, but I think
> it would work in our case.
> 
> Now my problem is trying to convince sites like Microsoft to let us send
> mail to them again... I've already pleaded with them twice to unblock us, to
> which they reply back saying they have, but yet our mail still gets refused.
> 
> 
That is a good case for outgoing spam filtering for your organization. If you
don't stop it, you will get blacklisted. If you get blacklisted, your
organization might miss many important mails. I scan all outgoing and incoming
messages, and quarantine any hits so they are easily re-released if it is a
false positive, and they can be deleted or used as evidence if they aren't
false. Sure, a user occasionally sends something that looks spammy, and I get
notified and can release it.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
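The five-minute queue check Todd describes above, as an added example that is not code from the thread or from MIMEDefang: a POSIX sh watchdog that reads the queue depth from `mailq` output and, on an abnormal reading, notifies the admin and stops sendmail so the bad messages can be pulled from the queue. The threshold, the admin address, the init-script path and the sample `mailq` listing are assumptions.

```shell
#!/bin/sh
# Sendmail queue watchdog (added example, not from the thread). Run it from cron
# every five minutes:   */5 * * * * /usr/local/sbin/mqueue-watch.sh --run
# Assumed site settings: THRESHOLD, ADMIN and the init-script path below.
THRESHOLD="${THRESHOLD:-200}"                 # queue depth that counts as abnormal for this site
ADMIN="${ADMIN:-postmaster@example.com}"      # hypothetical address to notify

# Queue depth from `mailq` (sendmail -bp) output on stdin: use the trailing
# "Total requests: N" line, or count queue-ID lines if that line is missing.
queue_count() {
    awk '/Total requests:/ { total = $NF }
         /^[A-Za-z0-9]+\*? +[0-9]+ +/ { ids++ }
         END { if (total != "") print total; else print ids + 0 }'
}

# Classify a reading against the threshold: prints "alert" or "ok".
assess() {
    if [ "$1" -gt "$2" ]; then echo alert; else echo ok; fi
}

# On an abnormal reading: notify, then stop the daemon so the bad messages can
# be removed from the queue by hand before more of them get through. The
# notification is handed to the sendmail submission client before the daemon stops.
react() {
    if [ "$(assess "$1" "$THRESHOLD")" = alert ]; then
        logger -p mail.crit "mqueue-watch: $1 queued messages exceeds $THRESHOLD, stopping sendmail"
        printf 'Queue depth %s exceeds %s; sendmail stopped for inspection.\n' "$1" "$THRESHOLD" |
            mail -s "sendmail queue alarm on $(hostname)" "$ADMIN"
        /etc/init.d/sendmail stop                 # init-script path assumed; adjust per distro
    fi
}

# Constructed sample of mailq output (three queued messages, one locked "*").
SAMPLE_MAILQ='                /var/spool/mqueue (3 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
m9OM0Bx1012345      512 Fri Oct 24 18:00 <user@example.com>
                                         <someone@example.net>
m9OM0Bx1012346*     640 Fri Oct 24 18:00 <user@example.com>
                                         <someone@example.org>
m9OM0Cx1012347      700 Fri Oct 24 18:01 <user@example.com>
                                         <someone@example.com>
                Total requests: 3'

# Only touch the live system when invoked with --run (as from cron).
if [ "${1-}" = "--run" ]; then
    react "$(mailq | queue_count)"
else
    printf 'sample queue depth: %s\n' "$(printf '%s\n' "$SAMPLE_MAILQ" | queue_count)"
fi
```

Without `--run` the script only parses the embedded sample, so it can be tried safely before it is wired into cron.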


