Re: Methods to limit spam sent through compromised account?
- On Thu, Mar 31, 2011 at 07:51:43PM +0200, Ralf Hildebrandt wrote:
> > Are there any suggestions on how to tune postfix to limit the spam
> > throughput?
> > There are also legitimate users who have bulk email to send, so
> > limiting by recipient quantity (as we do on our webmail) wouldn't be
> > desirable.
> You probably need a policy server which limits the sender to a certain
> amount of mails per time unit. If that limit is being exceeded, you
> could either tempfail the mails until some human admin lifts the ban
> OR put the mails on hold.

Sounds reasonable, we have something like +200K mail accounts, and really,
only something like a dozen users told us they want to send mass-mail (well,
not spam but "legitimate" one), all the others seem to be sending "some"
mails sometimes. So it can be a good rule that most people won't send even
100 mails per hour "by hand", and if this limit is exceeded then it can be
some kind of non-reported mass mail sending (we can ask our customers to
tell us if they want to send more mails, so the limit for a user can be set
to a higher value), or some compromised account. Especially, I found it
useful to check the IP of the peer: if it's not our own IP address space, and not
even some other big ISP's nearby, it's almost always spam. It's quite rare
that compromised user accounts are used to send spam from our IP pool (it's
another story that some customers have MTAs using us as relay, but they
forget their MTAs as open relay ...)
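
The policy-server approach discussed in this thread, sketched as an added example (not code from the thread or from Postfix): a per-sender hourly limit with per-user overrides, using the peer IP to choose between tempfail and hold. The networks, the override user, the one-request-per-message wiring and the DEFER-versus-HOLD split are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed values: documentation networks stand in for the ISP's own space.
OWN_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
DEFAULT_LIMIT = 100                               # mails per hour, as in the post
OVERRIDES = {"newsletter@example.com": 5000}      # users who announced bulk mail
WINDOW = 3600                                     # seconds
_sent = defaultdict(deque)                        # sasl_username -> send timestamps


def parse_request(text):
    """Parse one policy delegation request: name=value lines up to a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def in_own_space(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in OWN_NETS)


def decide(attrs, now):
    """Return the Postfix access action for one authenticated submission."""
    user = attrs.get("sasl_username", "")
    if not user:
        return "DUNNO"                            # not an authenticated sender
    window = _sent[user]
    while window and window[0] <= now - WINDOW:   # drop entries older than an hour
        window.popleft()
    window.append(now)
    if len(window) <= OVERRIDES.get(user, DEFAULT_LIMIT):
        return "DUNNO"
    if in_own_space(attrs.get("client_address", "")):
        return "DEFER_IF_PERMIT Hourly sending limit reached, contact support"
    return "HOLD"                                 # foreign peer over limit: hold for review


def respond(text, now):
    """Full reply for one request, in the wire format Postfix expects."""
    return "action=" + decide(parse_request(text), now) + "\n\n"
```

Deferred and held attempts still count toward the window, so a sender who keeps retrying stays over the limit until the hour has passed or an admin raises the override.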