Catching outgoing spam / blocking account
  •  
modezeroltd

Messages: 15
Karma: 0
One of our users had their login details compromised and thus their account was used to send a lot of spam from Kerio Connect. This had the predictable effect of getting the server blacklisted in various locations, adversely affecting all other users.

To minimise the chance of this happening again, I'd like to implement some checking of outgoing email. Either blocking spam, checking for spam and blocking the account completely, or even a detection of abnormal usage (e.g. too many sends in a 60 sec period).

To my knowledge, this sort of thing isn't supported in Kerio, and my brief search of the forum has drawn a blank. The only option I can see is to add another device to the network to do the content filtering on outgoing mail.

Can Kerio Connect help me out here? Have I missed something? It seems a bit backward to not use the Kerio anti-spam filtering I've already paid for.
  •  
Vicky

Messages: 656

Karma: 82
Hi Modezeroltd,

You may want to read up on Kerio Connect 8.2. We have a new Anti-Spoofing feature:

http://kb.kerio.com/1491

Also, you can use the settings in WebAdmin->Configuration->SMTP Server->Security Options. There are a few IP-based limits you can put in place that can help prevent hackers being able to do as much damage if they were to get into your system again. I would recommend 'Max number of unknown recipients (directory harvest attack protection)' to be enabled as this can really help.

I hope this helps,
Vicky
  •  
modezeroltd

Messages: 15
Karma: 0
Hi Vicky, thanks for your advice.

I will upgrade to 8.2 and take advantage of anti-spoofing. However, that wouldn't have helped me in this case as the emails were being sent by an authenticated user with their own from identity.

I've put a limit on concurrent SMTP connections from a single IP, but can't set the limits on message quantity as some clients send large volumes of emails legitimately. "Max number of unknown recipients" was already set, however in my case emails were being sent to individuals, so this protection wasn't triggered.

As you haven't mentioned it, I guess there's no way to do an outgoing spam check. Not even possible by some sort of convoluted configuration where I listen on a different port and use that as a relay server which checks for spam?

Also, am I correct that blocking of accounts only extends to failed authorisation attempts?

Thanks,

Ben

[Updated on: Wed, 09 October 2013 10:19]

  •  
Vicky

Messages: 656

Karma: 82
Hi Ben,

Sadly, no, we do not have an outgoing filter; the SMTP security options are the only thing we have that can help with outgoing protection, along with the anti-spoofing in 8.2.

When you block an account or disable an account then this will stop people from logging in or the account receiving email. Which setting are you referring to for 'blocking' the account?

All the best,
Vicky
  •  
modezeroltd

Messages: 15
Karma: 0
Ideally, an account would be locked out if it was seen to be sending too many spam messages. This wouldn't stop email being received, but it would prevent the user from logging in to their account until the administrator had removed the block.
  •  
Vicky

Messages: 656

Karma: 82
Hi Ben,

There is one option that could help prevent this: 'Directory Harvest Attack Protection'. You can find this under Configuration->SMTP Server->Security Options. This would then block the sender's IP address for 1 hour, but the offending email account would still be able to receive email.

I hope this helps,
Vicky
  •  
modezeroltd

Messages: 15
Karma: 0
The account in question was sending email outside of the organisation, so not a directory harvest attack.
  •  
Vicky

Messages: 656

Karma: 82
Hi Ben,

I see. The only thing we really have is the anti-spoofing feature now (you may want to consider SPF records to help with validation for other mail servers). We can't use the SpamAssassin plugin for outgoing email, etc. So you could always list a suggestion to improve the outgoing spam prevention within Kerio Connect (WebAdmin->Suggest Idea).

All the best,
Vicky
  •  
skerkvli

Messages: 7
Karma: 0
I would like to second the need to limit the number of e-mails from a user's account, rather than their IP. I just had a user's account pw compromised and, over 18,000 e-mails later, found out about it. The spam system was smart enough to send spam from more than 1 IP. It was sending about 1,000 per hour from lots of IP addresses from the one user account. Thus the security feature to limit the number of e-mails from a single IP address did not help. If there was a way to set the maximum number of e-mails sent by a user, it would have at least stopped the horrific mass mailing of spam. Now I get to go deal with getting off the blacklists.
  •  
vomsupport

Messages: 136
Karma: 2
We had to go to Barracuda to control outgoing mail.
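
The per-account sending limit asked for in this thread, sketched as an added example (it is not part of any post and not a Kerio Connect feature). The log format, thresholds and addresses are constructed for illustration; the code counts sends per authenticated account in a sliding one-hour window, with an override for a known bulk sender, and compares the result with a per-IP count over the same data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
ACCOUNT_LIMIT = 200                                    # assumed default per-account ceiling
ACCOUNT_OVERRIDES = {"newsletter@example.com": 5000}   # known legitimate bulk sender
IP_LIMIT = 100                                         # assumed per-IP ceiling, for comparison

def parse(line):
    """Constructed log format: '<ISO time> user=<account> ip=<client IP>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["ip"]

def peak_in_window(events, key, window=WINDOW):
    """Highest number of messages per key seen inside any sliding window."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ev in sorted(events):
        q = recent[key(ev)]
        q.append(ev[0])
        while q[0] <= ev[0] - window:      # drop sends that fell out of the window
            q.popleft()
        peak[key(ev)] = max(peak[key(ev)], len(q))
    return dict(peak)

def over_limit(peaks, limit, overrides=None):
    overrides = overrides or {}
    return {k: n for k, n in peaks.items() if n > overrides.get(k, limit)}

def account_alerts(lines):
    events = [parse(l) for l in lines]
    return over_limit(peak_in_window(events, lambda e: e[1]), ACCOUNT_LIMIT, ACCOUNT_OVERRIDES)

def ip_alerts(lines):
    events = [parse(l) for l in lines]
    return over_limit(peak_in_window(events, lambda e: e[2]), IP_LIMIT)

def sample_log():
    """Constructed data: a hijacked account spread over 50 IPs, a bulk sender, a normal user."""
    t0, out = datetime(2013, 10, 9, 10, 0, 0), []
    for n in range(1000):
        out.append(f"{(t0 + timedelta(seconds=3 * n)).isoformat()} user=alice@example.com ip=203.0.113.{n % 50}")
    for n in range(3000):
        out.append(f"{(t0 + timedelta(seconds=n)).isoformat()} user=newsletter@example.com ip=198.51.100.10")
    for n in range(5):
        out.append(f"{(t0 + timedelta(minutes=10 * n)).isoformat()} user=bob@example.com ip=192.0.2.7")
    return out

if __name__ == "__main__":
    log = sample_log()
    print("per-account alerts:", account_alerts(log))
    print("per-IP alerts:     ", ip_alerts(log))
```

On the constructed data the per-account check flags only the hijacked account, while the per-IP check misses it (20 messages per address) and flags the legitimate bulk sender instead.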