What to do with abuse detection notifications?
Question asked by Andrew Stein - 4/13/2015 at 11:49 AM
Every day, I get multiple abuse detection alerts, usually SMTP brute force warnings. Is there anything I should be doing with that information? Update ACLs with the IPs, for example?

2 Replies

Scarab Replied
We get on avg 720 Brute-Force, 160 DoS, and 15 Harvester warnings per day. Being OCD I do the following:
  1. Enter the IPs into a database, although a spreadsheet would suffice (keep it for at least 90 days as Spammers cycle through the same IP Ranges once a month, once every other month, once every 3 months, and once every 6 months depending on the spambot net).
  2. I then look up the IP Range, Network Owner, Country and rDNS for each entry (best to script this out for a large number; otherwise you can use online tools, Linux cmds using Cygwin, or Windows utilities such as SolarWinds Advanced Subnet Calculator to do this manually).
  3. Once I get abuse from 3 or more IPs in the same IP Range I do a Senderbase Reputation Lookup (http://www.senderbase.org/). If the entire IP Range is Poor then I add them to my Smartermail Blacklist. If some are Neutral or Good and only the /24-/29 CIDR Block is Poor then I Blacklist just that range. If there is a mix then I just let the RBLs sort them out.
  4. Once I get Abuse from 3 different IP Ranges for the same Network Owner I look up all IP Ranges assigned to them and repeat #3 for all of their IP Ranges, not just the ones hitting me (there are some Network Owners that specialize in nothing but Spam and are more than safe to block).
  5. Once a month I review the rDNS for all entries to find common EHLO wildcards I can use in Smartermail's SMTP Blocked Senders, and look at the Countries by percentage to determine which Countries I need to add a targeted Custom Filter or RBL for.
All in all it takes about 3-4 hours a week for our Abuse load to do this and after a year we are now blocking @ 16,000,000 connections a day by this method.
I would strongly recommend against doing this if you have a load similar to ours (as you'd have to be both crazy and masochistic), but for a couple of alerts a day it would be less than a minute or two of work and may pay off.

Note: Brute Force Alerts are generally caused by Bot-Nets of compromised computers and WordPress websites. They usually follow no rhyme or reason or pattern and as such there is little return in tracking/blocking them (with the exception of a small handful of Bot-Nets that use the same EHLO). Harvester Alerts 90% of the time are duplicates of DoS Alerts. You could probably safely focus on just the DoS Alerts and save yourself a lot of time.
Andrew Stein Replied
Thanks. We run a low-traffic server and the vast majority are SMTP brute force alerts. As far as I can tell, no one's email has been compromised and I enforce strict passwords. Still, I'm thinking about tracking IPs and just blocking them in an ACL if I see them pop up enough.
