Blog , 03 May 2021

Abusix Mail Intelligence – Authentication IP List (AuthBL)

Steve Freegard,

Sr. Product Owner Abusix Intelligence

Welcome to Part 6 of our series of blog posts dissecting each of the datasets available as part of Abusix Mail Intelligence. This time we’re looking at our Authentication IP list (AuthBL).

How the Authentication IP List (AuthBL) is being built:

This list is 100% automated.  It is a subset of our “Exploit” list and we also add in IPs we see accessing our SSH and telnet honeypots.

The other difference is that this data uses a much shorter TTL (time-to-live) of 12 hours, this means we expire the IP addresses out of the zone after 12 hours from the last observation of it doing something bad.  

The short TTL is to avoid blocking users that might be on DHCP leases where they might inherit a blocked IP.

What is the Authentication IP List (AuthBL) designed for:

This list is specifically designed to help prevent your infrastructure from being abused and to catch and prevent compromised accounts from being accessed.

Typical use cases might be to check to see if the IP logging into your service is listed and accessing an account with a valid password, indicating that this account is likely compromised.  This can be used to either flag up potential compromises or to block access completely.

It should be safe for use with SMTP AUTH, SSH, Web Apps etc.

An example of the most basic use for AuthBL would be in Postfix – typically Abusix Mail Intelligence is checked after your own network ranges and SASL Authenticated hosts are allowed

(via permit_mynetworks and permit_sasl_authentcated_hosts).

For example:

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination reject_rbl_client <apikey>.combined.mail.abusix.zone

If you wanted to use the AuthBL to protect this server – you’d do it like this:

smtpd_relay_restrictions = <apikey>.authbl.mail.abusix.zone permit_mynetworks permit_sasl_authenticated defer_unauth_destination reject_rbl_client <apikey>.combined.mail.abusix.zone

Postfix will then reject any messages from being sent from any IP listed on the AuthBL. By extracting information from the Postfix logs, you should be able to determine if the SMTP session was authenticated and by which account and then automate this as you see fit. It’s really down to your imagination. I’ll try and create an example of  this in a future blog post.

Reasons for being listed our Authentication IP List (AuthBL):

Common reasons for being listed in the AuthBL:

  • Compromised or infected hosts (e.g. PCs, laptops, servers, routers, IoT devices)
  • Shared IP being used by Compromised or Infected hosts (e.g. VPN, NAT, TOR etc.)
  • In very rare cases, misconfigured SMTP servers
  • Hosts that have been observed logging into systems they should not be
  • Hosts that we have observed using other systems to send spam

Hope that is useful.

Until next time – stay safe.

Steve

Share
Linkedin Icon Twitter Icon Facebook Icon E-mal Icon
Two computer monitors showing AbuseHQ

Start Your Free Trial

Are you running your own mail servers and are looking for an additional layer of protection against spam, malware, and other email-related threats? Start your 14-day free trial today!

Get started

Products & Tools

Type

Topic

Get in touch

Talk to us

The quickest way to get in touch with the team is via our online chat feature at the bottom right of this page. Alternatively, feel free to email us at [email protected] or send us a message via our form.

Is your IP blocked?
To get that resolved, please use our lookup-service and follow the instructions in order to delist your IP/domain.