SPAM RATS

RAT-Auth

List Description

RATS-AUTH is a list of IPs that have been detected as engaged in, or part of, a BEC (Business Email Compromise) attack. Generally this will not include dynamic IPs or CGNAT (shared) IPs. These are more static sources, or networks/systems operated or owned by those engaged in criminal behavior, including servers that have been compromised. Typically this is VERY safe to use, and you should use it to block ANY authentication attempts, whether SMTP, IMAP, POP, or even other services such as SSH or XMPP.
If you need further help in mitigating authentication attacks, feel free to reach out.

October 5th, 2021 - Please be advised that a large increase in BEC and/or authentication attacks is occurring from large cloud providers such as Amazon, Google, Azure, Digital Ocean, and OVH. While we recognize that sometimes these IPs are operating for only a short time and are regularly re-assigned, the ongoing threats are real. Consider whether any of your customers should ever authenticate from those networks. Criminals MAY use these resources to bypass country authentication restrictions on your servers.

SpamRats! highly recommends the use of transparent two factor authentication (2FA) such as CLIENTID to protect your accounts.

Removal

Removal of IPs on RATS-AUTH is NOT automatic. Please reach out via the contact form, and you MUST prove that you are the owner/operator of the server, as shown in the 'rwhois' or SWIP record for that IP address. Be prepared to explain the activity, and what steps have been taken so that it cannot occur in the future.

List Specifications

Intended to protect against various authentication attacks rather than spam sources, these IPs are also often on the other SpamRats! lists. Usually only individual IPs are listed, not ranges, and only after actual abuse activity is seen. This is a SAFE list to use to protect all resources that require authentication.

Download / Install / Usage

You should not need to 'install' anything. Lookups are the same as any other RBL lookup, other than that you should query against the server name 'auth.spamrats.com'.
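For services that have no built-in RBL client (an SSH or XMPP login hook, for example), the lookup is easy to script. The following is an added example, not SpamRats' own code: it reverses the IPv4 octets, queries auth.spamrats.com, and treats the client as listed only when the documented 127.0.0.39 answer comes back. The resolver is injectable, and the _demo_resolve function with its 198.51.100.x addresses is a constructed offline stand-in for DNS.

```python
import ipaddress
import socket
from typing import Callable, Iterable

# Added example (not SpamRats' own code): a minimal RATS-AUTH lookup that a
# login hook for SMTP, IMAP, POP or SSH could call before accepting credentials.
RBL_ZONE = "auth.spamrats.com"
LISTED_CODE = "127.0.0.39"  # the listing code the page's Postfix example documents


def rbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone appended."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this lookup handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def _dns_resolve(name: str) -> Iterable[str]:
    """Default resolver: every A record for name; raises gaierror on NXDOMAIN."""
    return [ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)]


def rats_auth_listed(ip: str,
                     resolve: Callable[[str], Iterable[str]] = _dns_resolve,
                     skip_reserved: bool = True) -> bool:
    """True only when the zone answers with the documented listing code.

    Private/reserved addresses are not queried (they cannot be listed and the
    query would leak internal addresses). NXDOMAIN, or any answer other than
    LISTED_CODE (e.g. a wildcarding resolver), counts as not listed.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or (skip_reserved and not addr.is_global):
        return False
    try:
        answers = set(resolve(rbl_query_name(ip)))
    except socket.gaierror:
        return False
    return LISTED_CODE in answers


def _demo_resolve(name: str) -> Iterable[str]:
    """Constructed offline stand-in for DNS: exactly one listed sample address."""
    if name == "7.100.51.198." + RBL_ZONE:
        return ["127.0.0.39"]
    raise socket.gaierror("NXDOMAIN (constructed)")


if __name__ == "__main__":
    # Documentation-range sample IPs are reserved, so skip_reserved is off for the demo.
    for ip in ("198.51.100.7", "198.51.100.8"):
        listed = rats_auth_listed(ip, _demo_resolve, skip_reserved=False)
        print(ip, "LISTED" if listed else "not listed")
```

In production, drop the _demo_resolve argument so the default resolver queries the real zone, and keep skip_reserved enabled.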

Example Usage in Postfix

You should be able to use this natively in many email products, specifically to prevent authentication, including Postfix. For your convenience we have included an example master.cf configuration below: the client restriction is evaluated before SASL, so a listed IP is rejected before it can attempt a login. If you see anything that can be improved, or have other examples that we should post on this page, please use our contact form and let us know.

# master.cf: the service name must start in column 1; the -o lines are continuations
submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o { smtpd_client_restrictions = reject_rbl_client auth.spamrats.com=127.0.0.39, permit }
  -o { smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject }

Example Usage in Dovecot

Dovecot and its derivatives are the most widely deployed systems for IMAP/POP and are also at risk (even more so, as criminals use this method to access your private and personal information, contacts and banking information, and to modify emails that have already passed your security processes). If RATS-AUTH stops even the smallest number of attacks, remember that a single compromise can result in HUGE losses to your customer.

    PLEASE UPDATE

Many thanks to our Sponsors, Subscription Holders, Users and Contributors.