[Incident Report] SMTP Auth Abuse – Need Suggestions for Prevention - Enhance Control Panel

[Incident Report] SMTP Auth Abuse – Need Suggestions for Prevention

KHR

Hi, I wanted to report an incident that happened on my mail server today.

One of my client’s email accounts was compromised, and the attacker used SMTP authentication to send bulk emails. In total, around 5,500 emails were sent — each with 15 to 20 recipients, so the actual number of outbound messages was much higher in volume.

Rspamd’s rate limiting helped reduce the impact, but I still received a warning from the datacenter that the port 25 email sending limit was almost reached. I also received about 2,000 bounce messages (Undelivered Mail Returned to Sender), which made the situation worse.

I realize I need stronger preventive measures to avoid this kind of abuse in the future. I’d really appreciate it if anyone could share suggestions or best practices.

Thanks!

cPFence

KHR

Your rate limit settings were too high, which allowed so much spam to get through. Stick with the default Enhance limits:

Maximum SMTP messages: 200
Maximum website generated messages: 200

Those limits apply per hour and count each recipient separately. They’re strict enough to stop a hijacked account before it can do serious damage.

Under the hood, Rspamd uses the selector on each message to pick (or create) that user’s bucket and remove a token. If the bucket is empty, it soft-rejects the message with a 451 until tokens become available again.

Also make sure "Outgoing spam filtering" is enabled in each server's email settings, and get Rspamd properly trained. It adds another layer by rejecting spam outright, SMTP senders will get a clear error when their message is flagged.

Steamon

You can use the following method with spamexperts: https://documentation.n-able.com/spamexperts/userguide/Content/B_Admin%20Level/outgoing-filtering/postfix-sender-bsd-rout.htm

then sending limit will automatically kick in of spamexperts if you use postfix sender route method.

I have around 15 clients that use spamexperts and the rest enhance e-mail or office 365.

JohnB

2FA is great too. A leaked password is useless with 2 factor authentication.

KHR

JohnB 2FA is great too. A leaked password is useless with 2 factor authentication.

How can I protect SMTP ports with 2FA? They didn’t use Webmail but sent emails using SMTP (Port 25). If we had a limit for each user, this wouldn’t have happened. They sent 5,000 emails, and after hitting the limit, Rspamd rate limiting (set by Enhance) stopped them. We had to set a higher limit because Enhance doesn’t allow per-user limits, and some business users require lots of emails sent (Email Communication, No Bulk).

KHR

XN-Matt This is not possible at the moment, if ever.

I know, but JohnB suggested it, so I wondered if it might be possible.

XN-Matt

KHR This is not possible at the moment, if ever.

KHR

I found another issue in /etc/rspamd/local.d/ratelimit.conf

# local.d/ratelimit.conf

rates {
    # Selector based ratelimit
    smtp_auth_limit_hourly = {
      selector = 'user.lower';
      bucket = [
      {
        burst = 4900;
        rate = "4900 / 1h";
      }]
    },
    local_limit = {
      selector = 'header("X-Local-Userid")';
      bucket = [
      {
        burst = 1000;
        rate = "1000 / 1h";
      }]
    }
}

`rate = "4900 / 1h";` But in panel "The maximum messages a single IP can deliver per day."

gmakhs

KHR I think that was changed on the last update, check again the panel

XN-Matt

KHR Would be great... especially with a screen to show who is logged in from where (exposed to the user) so they could know if a user is compromised too.

KHR

gmakhs I think that was changed on the last update, check again the panel

No changes made; I have updated to the latest version, v12.6.0.

KHR

gmakhs I think that was changed on the last update, check again the panel

Yes, I see it now.

KHR

cPFence I could have enforced a strict rate limit, but we have some corporate clients who send a large volume of emails — including CC and BCC to 50+ recipients — and they operate up to 15 email IDs from a single IP. All of them use Outlook as their email client.

For our other clients, the email volume is minimal (10 emails per hour is Enough). So, the only reason I can’t apply strict limits globally is due to the corporate clients — unless Enhance introduces a per-user ID rate limit setting.

Another issue is that Roundcube uses a single private IP (10.169.0.3) for all users when sending emails. So in the logs and rate-limiting rules, it appears that all Roundcube users are coming from the same IP, which makes IP-based throttling ineffective in this case.

Know that, I’m using a single server for all email communications — no application or database servers are hosted here. Training is enabled and Working Well.

Please guide me, How can I enable outgoing spam filtering effectively under these conditions?

cPFence

KHR unless Enhance introduces a per-user ID rate limit setting.

The limits are already applied per SMTP sender (mailbox) not globally.

Go to Main Enhance CP > Servers > select your server > click the three dots top right > Email Settings.
Make sure the limits are set to a reasonable range for a single mailbox, and enable "Outgoing spam filtering".
Lastly, follow the Rspamd training guide I sent earlier to improve filtering accuracy.

KHR

cPFence The limits are already applied per SMTP sender (mailbox) not globally.

Great! After updating to 12.6.0, I see the changes. Hopefully, this will resolve incidents like this and prevent user abuse.

cPFence

KHR

These features have been there for a long time, not related to the latest update.

KHR

cPFence These features have been there for a long time, not related to the latest update.

It was previously IP-based, so we couldn't implement a 200-mail limit for our clients' use case. See the screenshot of the last version:

This is the latest version 12.6.0:

cPFence

KHR

I see what you mean , they likely just updated the wording to be accurate. As far as I’ve seen, it still modifies /etc/rspamd/local.d/ratelimit.conf, and I don't think anything actually changed there. Maybe @Adam can confirm if anything else was updated.

Aliysa_Enhance

cPFence The behaviour hasn't changed, the text has just been updated to reflect how it actually works.

KHR

cPFence I see what you mean , they likely just updated the wording to be accurate. As far as I’ve seen, it still modifies /etc/rspamd/local.d/ratelimit.conf, and I don't think anything actually changed there. Maybe @Adam can confirm if anything else was updated.

I was not aware that they had updated the mechanism under the hood. But yes, they made those changes in local.d/ratelimit.conf after v12 (as far as I remember). However, in the panel, it was written "The maximum messages a single IP can deliver per day," so I was confused.