
290025 Re: Block ip address on ratelimit

  • lconrad@go2france.com
    Dec 12, 2012
      On Wednesday 12/12/2012 at 8:48 am, Ram wrote:
      > Our client's postfix servers are frequently getting attacks
      > using compromised accounts.
      > In most cases it seems the spammer simply uses a phished
      > username/password, sends a whole lot of 419ers until we manually
      > change the password, but the damage is already done.
      > Implementing ratelimits is not really helping because ultimately the
      > mail will go through after the anvil time.
      > Since the legitimate users are extremely low email users, I can
      > safely block "anyone" permanently who sends more than 1 mail in 10s
      > with zero FP's.
      > How can I do this?
      I use postfwd policy service for its sender-rate-limiting for both in
      and out.

      When a sender reaches a limit, postfwd passes HOLD action back to
      postfix, and monit sends an alert email that hold queue is x size.

      If a legit sender, I add them to postfwd sender whitelist.

      If spammer, I change the cracked account's password and delete the
      HOLDed spam. Several times, we have found several 100K msgs in
      HOLD queue.

      postfwd has many other very useful envelope-filtering features.
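
The HOLD-on-rate-limit behaviour described in this reply, sketched as a Postfix policy-delegation decision function. This is an added example, not part of the original post and not postfwd's own code. The class name, whitelist entry and sample addresses are assumptions; the 1-per-10-seconds threshold is the one from the question.

```python
import time
from collections import defaultdict, deque

MAX_MSGS = 1        # from the thread: more than 1 mail ...
WINDOW_SECS = 10    # ... within 10 seconds trips the limit
WHITELIST = {"newsletter@example.com"}  # constructed: a known-good sender


def parse_request(raw):
    """Parse one Postfix policy request: name=value lines ended by a blank line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class SenderRateHold:  # hypothetical name, for illustration only
    def __init__(self, max_msgs=MAX_MSGS, window=WINDOW_SECS, clock=time.time):
        self.max_msgs, self.window, self.clock = max_msgs, window, clock
        self.seen = defaultdict(deque)   # identity -> recent request timestamps
        self.held = set()                # identities that tripped the limit

    def decide(self, raw):
        """Return the policy reply (action line plus blank line) for one request."""
        attrs = parse_request(raw)
        # Prefer the authenticated login; the envelope sender can be forged.
        who = (attrs.get("sasl_username") or attrs.get("sender", "")).lower()
        if not who or who in WHITELIST:
            return "action=DUNNO\n\n"
        if who in self.held:             # sticky until an admin releases it
            return "action=HOLD sender rate limit exceeded\n\n"
        # Each request counts once: hooked at end-of-data this counts
        # messages, hooked at RCPT it counts recipients.
        now = self.clock()
        stamps = self.seen[who]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        stamps.append(now)
        if len(stamps) > self.max_msgs:
            self.held.add(who)
            return "action=HOLD sender rate limit exceeded\n\n"
        return "action=DUNNO\n\n"

    def release(self, who):
        """Admin step after a password reset or a whitelist decision."""
        self.held.discard(who.lower())
        self.seen.pop(who.lower(), None)
```

Because the hold is sticky, mail from the tripped account keeps landing in the hold queue after the window expires, which addresses the "mail will go through after the anvil time" problem from the question.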
