290025 Re: Block ip address on ratelimit
Dec 12, 2012
On Wednesday 12/12/2012 at 8:48 am, Ram wrote:
> Our client's postfix servers are frequently getting attacked
> using compromised accounts
> In most cases it seems the spammer simply uses a phished
> username/password, sends a whole lot of 419ers until we manually
> change the password, but the damage is already done
> Implementing ratelimits is not really helping because ultimately the
> mail will go through after the anvil time.
> Since the legitimate users are extremely low email users, I can
> safely block "anyone" permanently who sends more than 1 mail in 10s
> with zero FP's
> How can I do this?

I use postfwd policy service for its sender-rate-limiting for both in
When a sender reaches a limit, postfwd passes HOLD action back to
postfix, and monit sends an alert email that hold queue is x size.
If a legit sender, I add them to postfwd sender whitelist.
If spammer, I change the cracked account's password and delete the
HOLDed spam. Several times, we have found several 100K msgs in
postfwd has many other very useful envelope-filtering features.
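
An added sketch (not part of the original post, and not postfwd's own code) of the behaviour discussed above: a sender who exceeds the limit stays on HOLD until an operator reviews the account, instead of being let through once the rate window expires. The class and function names and the sample senders and events are hypothetical; the threshold follows the question's "more than 1 mail in 10s".

```python
from collections import defaultdict, deque


class StickyRateLimiter:
    """Per-sender limiter whose HOLD verdict does not expire with the window."""

    def __init__(self, max_msgs=1, window=10, whitelist=()):
        self.max_msgs = max_msgs          # allowed messages per window
        self.window = window              # window length in seconds
        self.whitelist = set(whitelist)   # reviewed legitimate senders
        self.recent = defaultdict(deque)  # sender -> timestamps inside window
        self.held = set()                 # senders tripped, awaiting review

    def decide(self, sender, ts):
        """Return 'DUNNO' (no objection) or 'HOLD' for one message at time ts."""
        if sender in self.whitelist:
            return "DUNNO"
        if sender in self.held:
            return "HOLD"                 # sticky: no reset after the window
        q = self.recent[sender]
        while q and ts - q[0] >= self.window:
            q.popleft()                   # forget timestamps outside the window
        q.append(ts)
        if len(q) > self.max_msgs:
            self.held.add(sender)         # stays held until release()
            return "HOLD"
        return "DUNNO"

    def release(self, sender, whitelist=False):
        """Operator action after review: clear the hold, optionally whitelist."""
        self.held.discard(sender)
        self.recent.pop(sender, None)
        if whitelist:
            self.whitelist.add(sender)


# Constructed sample events: (seconds, authenticated sender)
EVENTS = [
    (0, "alice@example.com"), (30, "alice@example.com"),
    (100, "bob@example.com"), (103, "bob@example.com"),
    (200, "bob@example.com"),             # long after the 10 s window
    (300, "list@example.com"), (301, "list@example.com"),
]


def run(events, **kw):
    """Replay events through a fresh limiter; return verdicts and the limiter."""
    rl = StickyRateLimiter(**kw)
    return [(ts, s, rl.decide(s, ts)) for ts, s in events], rl
```
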