Spam Filter ISP Forums : SMTPAUTH HACKED

Spam Filter ISP Forums : SMTPAUTH HACKED https://www.logsat.com/spamfilter/forums/ Wed, 10 Jun 2026 14:37:00 +0000 Wed, 07 May 2014 17:24:44 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 11.04 360 https://www.logsat.com/spamfilter/forums/RSS_post_feed.asp?TID=7077 <![CDATA[Spam Filter ISP Forums]]> https://www.logsat.com/spamfilter/forums/forum_images/web_wiz_forums.png https://www.logsat.com/spamfilter/forums/ <![CDATA[SMTPAUTH HACKED : Would be good to have some limits...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14603&title=smtpauth-hacked#14603 Author: WebGuyz
Subject: 7077
Posted: 07 May 2014 at 5:24pm

Would be good to have some limits but doesn't help a lot if it starts at 2am and you wake up to find yahoo.com and gmail.com will no longer accept emails from you because of the thousands of spams that been pushed.

Been working on a more automated solution since a lot of these attacks occur in the wee hours of the morning.

Have a vb script that runs continuously in a loop with a 60 second delay. It reads in the SFI log file and uses Dictionary component to keep track of IP's and Senders addresses and number of emails sent.

If a user sends more then 150 emails in 1 minute we read in the password file and remove the authenticated email address.

We then use MS firewall CLI commands in our script to block that IP immediately. These 2 steps nip the spamming in the bud. if a valid customer happens to send more then 150 emails in 1 minute then we just apologize and unblock his IP and add his email address back in the password file.

The speed in which spammers can pump out spam is incredible and manual methods are too slow.

if you could find a way to automatically limit an IP when it get detected sending thousands of emails in a short period then the world would beat a path to your door :-)]]> Wed, 07 May 2014 17:24:44 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14603&title=smtpauth-hacked#14603 <![CDATA[SMTPAUTH HACKED : You can see what sessions are...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14602&title=smtpauth-hacked#14602 Author: LogSat
Subject: 7077
Posted: 07 May 2014 at 5:01pm

You can see what sessions are active from the "Connections" tab in SpamFilter. From there clicking on the "X" on the last column ("Kill") will disconnect that session immediately.

There are currently no parameters to limit the number of emails an authenticated user can send. You have a very valid argument for adding an option to impose a limit - we'll work on this shortly.

FYI if you don't see entries in the "Connections" tab make sure the "Disable Conns Grid" option under the main Settings-Configuration tab is not checked.

]]> Wed, 07 May 2014 17:01:49 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14602&title=smtpauth-hacked#14602 <![CDATA[SMTPAUTH HACKED : Is there any way to kill a session...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14601&title=smtpauth-hacked#14601 Author: WebGuyz
Subject: 7077
Posted: 07 May 2014 at 7:30am

Is there any way to kill a session short of restarting SFI? What settings in global options would force these type spam attacks to have to authenticate more often.

We monitor the SFI log and if we see anyone sending more then 100 emails in 2 minutes we remove that email address from the auth password file, but in a case like this a lot of spam would still would get thru. We need to have them try to authenticate more frequently so they would stopped.

]]> Wed, 07 May 2014 07:30:37 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14601&title=smtpauth-hacked#14601 <![CDATA[SMTPAUTH HACKED : No issues had been found. A user...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14598&title=smtpauth-hacked#14598 Author: LogSat
Subject: 7077
Posted: 05 May 2014 at 12:30pm

No issues had been found. A user appeared to have their SMTP password compromised, and a spammer was using that account to relay email. They kept an open/connected SMTP session which was using to send the spam. Deleting the user from the Unix passed file will prevent the user from performing further SMTP AUTH logins, but the current SMTP session is not disconnected, so they kept spamming for a while. There were also tens of thousands of emails in the SpamFilter queue, so the outbound traffic actually continued (emptying the queue) even after the spammer was unable to login any further.]]> Mon, 05 May 2014 12:30:57 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14598&title=smtpauth-hacked#14598 <![CDATA[SMTPAUTH HACKED : Was there any resolution to this....]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14597&title=smtpauth-hacked#14597 Author: WebGuyz
Subject: 7077
Posted: 05 May 2014 at 11:44am

Was there any resolution to this. We use Unix SMTP Auth and are interested if there is any problem with it.]]> Mon, 05 May 2014 11:44:36 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14597&title=smtpauth-hacked#14597 <![CDATA[SMTPAUTH HACKED : Sure - I had sent you a private...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14582&title=smtpauth-hacked#14582 Author: LogSat
Subject: 7077
Posted: 02 April 2014 at 12:30pm

Sure - I had sent you a private message on the forum a few days ago with the password and URL for our cloud area. I just re-sent it to you. If you check your profile here on the form account you should be able to see the PM notifications.]]> Wed, 02 Apr 2014 12:30:26 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14582&title=smtpauth-hacked#14582 <![CDATA[SMTPAUTH HACKED : Sorry,the file dimension is too...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14581&title=smtpauth-hacked#14581 Author: alfaproject
Subject: 7077
Posted: 02 April 2014 at 11:29am

Sorry,

the file dimension is too big to send you by email.

Could I put it on your cloud folder?

Please, could you give me access credentials?

Thnaks.

Regards.

]]> Wed, 02 Apr 2014 11:29:08 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14581&title=smtpauth-hacked#14581 <![CDATA[SMTPAUTH HACKED : Hi,I'm mailing you the wireskark...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14580&title=smtpauth-hacked#14580 Author: alfaproject
Subject: 7077
Posted: 02 April 2014 at 11:25am

Hi,

I'm mailing you the wireskark report.

It seems there is nothing strange in it.

Please, tell me if you need other details.

Many thanks.

Regards.

]]> Wed, 02 Apr 2014 11:25:33 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14580&title=smtpauth-hacked#14580 <![CDATA[SMTPAUTH HACKED : We've confirmed that the...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14579&title=smtpauth-hacked#14579 Author: LogSat
Subject: 7077
Posted: 31 March 2014 at 7:46pm

We've confirmed that the users who login with SMTP AUTH will be whitelisted bypassing any BL IP checking.]]> Mon, 31 Mar 2014 19:46:07 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14579&title=smtpauth-hacked#14579 <![CDATA[SMTPAUTH HACKED : SMTP AUTH is one of the commands...]]> https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14578&title=smtpauth-hacked#14578 Author: LogSat
Subject: 7077
Posted: 31 March 2014 at 2:02pm

SMTP AUTH is one of the commands that can be transmitted over SMTP, so there are no configuration settings like timeouts or SSL that can be configured just for that.

SSL can certainly be enabled for SpamFilter, but you would not be able for example to force SMTP AUTH to use the SSL port you configured. SMTP AUTH would still be available on the non-SSL port.

I'll update the post shortly to confirm or not whether the SMTP AUTH whitelisting will bypass the BL IP checking - I'm not certain at the moment without testing this in the lab. This has never been an issue in the past so it's not a common question.

We'll wait for your debug report as I'm hoping it will have the info we need to determine what is happening.

]]> Mon, 31 Mar 2014 14:02:50 +0000 https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7077&PID=14578&title=smtpauth-hacked#14578