Welcome to Part 6 of our series of blog posts dissecting each of the datasets available as part of Abusix Mail Intelligence. This time we’re looking at our Authentication IP list (AuthBL).
How the Authentication IP List (AuthBL) is being built:
This list is 100% automated. It is a subset of our “Exploit” list and we also add in IPs we see accessing our SSH and telnet honeypots.
The other difference is that this data uses a much shorter TTL (time-to-live) of 12 hours, this means we expire the IP addresses out of the zone after 12 hours from the last observation of it doing something bad.
The short TTL is to avoid blocking users that might be on DHCP leases where they might inherit a blocked IP.
What is the Authentication IP List (AuthBL) designed for:
This list is specifically designed to help prevent your infrastructure from being abused and to catch and prevent compromised accounts from being accessed.
Typical use cases might be to check to see if the IP logging into your service is listed and accessing an account with a valid password, indicating that this account is likely compromised. This can be used to either flag up potential compromises or to block access completely.
It should be safe for use with SMTP AUTH, SSH, Web Apps etc.
An example of the most basic use for AuthBL would be in Postfix – typically Abusix Mail Intelligence is checked after your own network ranges and SASL Authenticated hosts are allowed
(via permit_mynetworks and permit_sasl_authentcated_hosts).
For example:
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination reject_rbl_client <apikey>.combined.mail.abusix.zone
If you wanted to use the AuthBL to protect this server – you’d do it like this:
smtpd_relay_restrictions = <apikey>.authbl.mail.abusix.zone permit_mynetworks permit_sasl_authenticated defer_unauth_destination reject_rbl_client <apikey>.combined.mail.abusix.zone
Postfix will then reject any messages from being sent from any IP listed on the AuthBL. By extracting information from the Postfix logs, you should be able to determine if the SMTP session was authenticated and by which account and then automate this as you see fit. It’s really down to your imagination. I’ll try and create an example of this in a future blog post.
Reasons for being listed our Authentication IP List (AuthBL):
Common reasons for being listed in the AuthBL:
- Compromised or infected hosts (e.g. PCs, laptops, servers, routers, IoT devices)
- Shared IP being used by Compromised or Infected hosts (e.g. VPN, NAT, TOR etc.)
- In very rare cases, misconfigured SMTP servers
- Hosts that have been observed logging into systems they should not be
- Hosts that we have observed using other systems to send spam
Hope that is useful.
Until next time – stay safe.
Steve
