From owner-freebsd-questions@FreeBSD.ORG Mon Apr 7 14:44:18 2014
Date: Mon, 7 Apr 2014 17:44:03 +0300
From: Lena@lena.kiev.ua
To: freebsd-questions@freebsd.org
Subject: Re: theft of 18,000,000 mail accounts and passwords
Message-ID: <20140407144403.GF784@lena.kiev>
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <20140406154313.GA3062@La-Habana>
User-Agent: Mutt/1.4.2.3i
Cc: Matthias Apitz
List-Id: User questions (freebsd-questions@freebsd.org)

> The German Governmental Office about Security in Information informs that
> the police got access to a database of 18,000,000 stolen mail accounts
> how the criminals
> could get access to this amount of mail accounts and passwords

I think mostly drive-by exploit kits (designed for Windows only, using
vulnerabilities in Windows, browsers and their plugins: Java, Acrobat,
Flash) steal stored passwords and install form-grabbing malware. Also
phishing and checking for common passwords.

> and if we
> as FreeBSD users could be targeted by some of the methods.

Yes, by some: checking for common passwords (like user john, password
12345, or user test, password test) via POP3 and SMTP.

I invoke the POP3 server (port mail/popa3d) from inetd with rate limiting:

pop3    stream  tcp     nowait/0/5      root    /usr/local/libexec/popa3d       popa3d
pop3s   stream  tcp     nowait/0/7      root    /usr/local/bin/stunnel  stunnel /usr/local/etc/stunnel/popa3d.conf

Here 5 and 7 are limits: connections per minute from the same IP address.
The limit is often triggered.

For Exim, automatic blocking of such password-cracking attempts and
automatic blocking of the use of stolen passwords for spamming, entirely
in the Exim config:

https://github.com/Exim/exim/wiki/BlockCracking

If you provide email service for users (not only yourself), then consider
that most users use Windows, so their passwords will be stolen and used
for spamming; it's just a matter of time. Therefore, you absolutely need
automatic blocking of stolen passwords, else you'll be blacklisted.
Simple rate limits are better than nothing but inconvenience honest users
and still allow spam to trickle through. Exim allows you to use the
above-linked code to catch spammers early.
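The two abuse patterns described in the message above (guessing common passwords over POP3/SMTP, and a stolen password reused from many hosts to relay spam) as detection logic run over auth log lines. This is an added example and not part of Lena's post, of popa3d, inetd or the Exim BlockCracking configuration; the log line format, the function names and the thresholds are constructed for illustration.

```python
"""Sliding-window detection of password guessing and stolen-credential
reuse over mail-server authentication logs (illustrative example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified log format for this example (NOT popa3d's or
# Exim's real log syntax):
#   "<YYYY-MM-DD> <HH:MM:SS> <pop3|smtp> auth <ok|fail> user=<u> ip=<a>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>pop3|smtp) auth "
    r"(?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log: one IP walking through common accounts, one
# account ("bob") whose password is used from several hosts in minutes.
SAMPLE_LOG = """\
2014-04-07 17:40:00 pop3 auth fail user=john ip=203.0.113.9
2014-04-07 17:40:05 pop3 auth fail user=test ip=203.0.113.9
2014-04-07 17:40:10 pop3 auth fail user=admin ip=203.0.113.9
2014-04-07 17:40:15 pop3 auth fail user=info ip=203.0.113.9
2014-04-07 17:40:20 pop3 auth fail user=mail ip=203.0.113.9
2014-04-07 17:40:25 pop3 auth fail user=root ip=203.0.113.9
2014-04-07 17:41:00 pop3 auth ok user=alice ip=198.51.100.7
2014-04-07 17:42:00 smtp auth ok user=bob ip=192.0.2.11
2014-04-07 17:42:30 smtp auth ok user=bob ip=192.0.2.12
2014-04-07 17:43:00 smtp auth ok user=bob ip=192.0.2.13
2014-04-07 17:43:30 smtp auth ok user=bob ip=192.0.2.14
2014-04-07 17:44:00 smtp auth fail user=carol ip=198.51.100.8
"""


def parse_line(line):
    """Return (timestamp, proto, result, user, ip), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("proto"), m.group("result"), m.group("user"), m.group("ip")


def detect_abuse(lines, fail_limit=5, fail_window=timedelta(minutes=1),
                 ip_limit=3, ip_window=timedelta(minutes=10)):
    """Apply two sliding-window rules to time-ordered auth events.

    cracking: an IP with more than fail_limit failed logins inside
              fail_window (password guessing, e.g. user test / password test).
    stolen:   a user whose successful logins come from more than ip_limit
              distinct IPs inside ip_window (a password stolen from a
              client machine and now used by many spam-sending hosts).
    Returns {"cracking": {ip: first_detection_ts},
             "stolen":   {user: first_detection_ts}}.
    """
    fails = defaultdict(deque)    # ip   -> timestamps of failed logins
    logins = defaultdict(deque)   # user -> (timestamp, ip) of successes
    found = {"cracking": {}, "stolen": {}}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue              # unknown line shape: skip, never crash
        ts, _proto, result, user, ip = ev
        if result == "fail":
            q = fails[ip]
            q.append(ts)
            while q and ts - q[0] > fail_window:   # drop events outside window
                q.popleft()
            if len(q) > fail_limit and ip not in found["cracking"]:
                found["cracking"][ip] = ts
        else:
            q = logins[user]
            q.append((ts, ip))
            while q and ts - q[0][0] > ip_window:
                q.popleft()
            distinct_ips = {a for _, a in q}
            if len(distinct_ips) > ip_limit and user not in found["stolen"]:
                found["stolen"][user] = ts
    return found


if __name__ == "__main__":
    hits = detect_abuse(SAMPLE_LOG.splitlines())
    for ip, ts in hits["cracking"].items():
        print(f"block IP {ip} (password guessing, detected {ts})")
    for user, ts in hits["stolen"].items():
        print(f"disable account {user} (stolen password in use, detected {ts})")
```

The first rule is the per-IP limit that the inetd `nowait/0/5` field enforces at the connection level, applied to authentication failures instead; the second is the kind of rule a plain rate limit cannot express, since a stolen password is used with correct credentials and only stands out by the number of distinct source hosts. The output of `detect_abuse` is meant to feed whatever blocking you already have (a pf table, a lock on the account, an Exim ACL lookup); the thresholds are assumptions and need tuning to your own user population.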