From: Lena@lena.kiev.ua
To: freebsd-questions@freebsd.org
Subject: Re: Client Authentication
Date: Sun, 24 Mar 2013 15:30:05 +0200
Message-ID: <20130324133005.GA913@lena.kiev>
Doug Hardie wrote:

> my outgoing mail server is being systematically attacked to try
> passwords looking for one that works. When they do find one,
> we get inundated by spam sent through that account throughout the world.

How is such spam injected into your mail relay - via SMTP?

> most of our users are older and their computer is a hand-me-down
> so they can talk to their grandchildren.

> our users tend to travel a lot and need to be able to access mail
> from anywhere.

I bet that most of your users use Windows, and many are clueless. So, many will click a link in a letter from a known sender if the letter contains nothing more than a link and the sender's correct signature, possibly with a correct sender name or a few very generic words added in the Subject or body. Links in such spam lead to drive-by exploit kits such as Blackhole, which silently (without user consent) install password-stealing trojans such as ZeuS or SpyEye on the user's Windows. These trojans also steal FTP passwords (many webmasters use Windows too); it's how the felons make the pages they link to (on legitimate websites), so content-filtering of such spam fails. Stolen Yahoo, AOL, MSN webmail passwords are used for sending such spam via the webmail interface (with correct hostname, SPF, DKIM) to addresses harvested from the user's webmail interface's address book and Sent and Inbox folders. Also, some of your users will yield to phishing.

Strong (long, complicated, unique) passwords are stolen by Windows trojans and phishing as easily as weak ones. You can block brute-force password guessing, but you cannot prevent password stealing by Windows trojans and phishing. Unfortunately, you cannot force your users to use FreeBSD or some other free operating system instead of Windows. But travelling users do need to send mail via SMTP. Passwords are stolen along with username, relay hostname and port.

Second-factor authentication for SMTP is more difficult in practice than for HTTP. So, you need to block _using_ stolen passwords by spammers. My implementation is for Exim (instead of Postfix or sendmail):

https://github.com/Exim/exim/wiki/BlockCracking

It also blocks brute-force password guessing via SMTP, but that's a side benefit.

Lena
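The two things the reply says a relay operator can do, blocking brute-force AUTH guessing and blocking the use of an already-stolen password, both come down to per-key counting over a sliding time window. The script below is an added illustration of that logic, not Lena's code and not the Exim BlockCracking scripts from the linked wiki page. It runs over constructed log lines in a simplified format invented for this example (not Exim's native main-log format), and the thresholds, window length, and the "block IP" / "freeze account" actions are assumptions a real deployment would tune and wire into the relay's own ACLs.

```python
"""Sliding-window detection of SMTP AUTH brute-forcing and of bulk sending
through a compromised account.  Added example: not Lena's code and not the
Exim BlockCracking scripts.  Log format and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<date> <time> <event> ip=<addr> user=<login> rcpts=<n>"
# event is "auth_fail" (AUTH rejected) or "sent" (message accepted from that user).
SAMPLE_LOG = """\
2013-03-24 15:00:01 auth_fail ip=203.0.113.7 user=alice rcpts=0
2013-03-24 15:00:02 auth_fail ip=203.0.113.7 user=bob rcpts=0
2013-03-24 15:00:03 auth_fail ip=203.0.113.7 user=carol rcpts=0
2013-03-24 15:00:04 auth_fail ip=203.0.113.7 user=dave rcpts=0
2013-03-24 15:00:05 auth_fail ip=203.0.113.7 user=erin rcpts=0
2013-03-24 15:00:06 auth_fail ip=203.0.113.7 user=frank rcpts=0
2013-03-24 15:00:07 auth_fail ip=203.0.113.7 user=grace rcpts=0
2013-03-24 15:05:00 sent ip=198.51.100.20 user=grandma rcpts=2
2013-03-24 15:09:00 sent ip=198.51.100.99 user=grandma rcpts=1
2013-03-24 15:10:00 sent ip=192.0.2.50 user=harry rcpts=40
2013-03-24 15:10:30 sent ip=192.0.2.51 user=harry rcpts=45
2013-03-24 15:11:00 sent ip=192.0.2.52 user=harry rcpts=30
2013-03-24 15:11:30 sent ip=192.0.2.53 user=harry rcpts=50
2013-03-24 15:20:00 sent ip=192.0.2.60 user=ivan rcpts=3
2013-03-24 15:21:00 sent ip=192.0.2.61 user=ivan rcpts=3
2013-03-24 15:22:00 sent ip=192.0.2.62 user=ivan rcpts=3
2013-03-24 15:23:00 sent ip=192.0.2.63 user=ivan rcpts=3
"""

# Assumed policy.  A travelling user on two networks stays under all of these;
# a password guesser or a stolen account used from a botnet does not.
WINDOW = timedelta(minutes=10)
MAX_AUTH_FAILS_PER_IP = 5    # more failures than this from one IP -> block the IP
MAX_RCPTS_PER_USER = 100     # more recipients than this for one login -> freeze it
MAX_SRC_IPS_PER_USER = 3     # more distinct client IPs than this for one login -> freeze it


def parse_line(line):
    """Split one constructed log line into a record dict."""
    date, time, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "event": event,
        "ip": kv["ip"],
        "user": kv["user"],
        "rcpts": int(kv["rcpts"]),
    }


def _prune(window, now):
    """Drop entries older than WINDOW; each entry is a tuple whose first item is a timestamp."""
    while window and now - window[0][0] > WINDOW:
        window.popleft()


def analyze(log_text):
    """Return a list of (timestamp, action, key, reason) decisions in log order.

    Once an IP is blocked or a user is frozen, later lines for that key are
    skipped, mirroring a relay that rejects them at the ACL before logging them
    as accepted."""
    fails_by_ip = defaultdict(deque)    # ip   -> deque of (ts,)
    sends_by_user = defaultdict(deque)  # user -> deque of (ts, ip, rcpts)
    blocked_ips, frozen_users, decisions = set(), set(), []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        now = rec["ts"]

        if rec["event"] == "auth_fail":
            # Brute-force guessing: many AUTH failures from one client address.
            if rec["ip"] in blocked_ips:
                continue
            q = fails_by_ip[rec["ip"]]
            q.append((now,))
            _prune(q, now)
            if len(q) > MAX_AUTH_FAILS_PER_IP:
                blocked_ips.add(rec["ip"])
                decisions.append((now, "block_ip", rec["ip"],
                                  f"{len(q)} AUTH failures within {WINDOW}"))

        elif rec["event"] == "sent":
            # Stolen-password use: one login sending to far more recipients, or
            # from far more client addresses, than a person would.
            if rec["user"] in frozen_users:
                continue
            q = sends_by_user[rec["user"]]
            q.append((now, rec["ip"], rec["rcpts"]))
            _prune(q, now)
            rcpts = sum(r for _, _, r in q)
            ips = {ip for _, ip, _ in q}
            if rcpts > MAX_RCPTS_PER_USER:
                frozen_users.add(rec["user"])
                decisions.append((now, "freeze_user", rec["user"],
                                  f"{rcpts} recipients within {WINDOW}"))
            elif len(ips) > MAX_SRC_IPS_PER_USER:
                frozen_users.add(rec["user"])
                decisions.append((now, "freeze_user", rec["user"],
                                  f"{len(ips)} distinct client IPs within {WINDOW}"))
    return decisions


if __name__ == "__main__":
    for ts, action, key, reason in analyze(SAMPLE_LOG):
        print(ts.strftime("%H:%M:%S"), action, key, "-", reason)
```

On the sample data the guessing host is blocked at its sixth failure, "harry" is frozen when his recipient total passes 100 inside the window, and "ivan" is frozen for sending from a fourth address, while "grandma", who mails a couple of people from two networks, is never touched. The distinct-IP rule is the one that catches a stolen password being used in parallel from a botnet even when each message is small; the recipient rule catches the classic spam run from a single host.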