Re: Block ip address on ratelimit

  • lconrad@go2france.com
    Message 1 of 4 , Dec 12, 2012
      On Wednesday 12/12/2012 at 8:48 am, Ram wrote:
      > Our client's postfix servers are frequently getting attacked
      > using compromised accounts.
      > In most cases it seems the spammer simply uses a phished
      > username/password, sends a whole lot of 419ers until we manually
      > change the password, but the damage is already done.
      >
      >
      > Implementing ratelimits is not really helping because ultimately the
      > mail will go through after the anvil time.
      > Since the legitimate users are extremely low email users, I can
      > safely block "anyone" permanently who sends more than 1 mail in 10s
      > with zero FPs.
      >
      > How can I do this ?
      I use postfwd policy service for its sender-rate-limiting for both in
      and out.

      When a sender reaches a limit, postfwd passes HOLD action back to
      postfix, and monit sends an alert email that hold queue is x size.

      If a legit sender, I add them to postfwd sender whitelist.

      If spammer, I change the cracked account's password and delete the
      HOLDed spam. Several times, we have found several 100K msgs in the
      HOLD queue.

      postfwd has many other very useful envelope-filtering features.

      Len
    • /dev/rob0
      Message 2 of 4 , Dec 12, 2012
        On Wed, Dec 12, 2012 at 08:18:34PM +0530, Ram wrote:
        > Our client's postfix servers are frequently getting attacked
        > using compromised accounts.
        > In most cases it seems the spammer simply uses a phished
        > username/password, sends a whole lot of 419ers until we manually
        > change the password, but the damage is already done.
        >
        > Implementing ratelimits is not really helping because ultimately
        > the mail will go through after the anvil time.

        Rate limits help a great deal if you use the right tool for the job;
        anvil(8) is not the right tool. As others suggested, postfwd is
        capable of this. Another choice is policyd.

        > Since the legitimate users are extremely low email users, I
        > can safely block "anyone" permanently who sends more than 1
        > mail in 10s with zero FPs.
        >
        > How can I do this ?

        I would check the SASL credentials, and when used in excess of your
        chosen time limit, reject or hold anything from that SASL user until
        manually reviewed. The choice of reject or hold depends on local
        considerations: do you want phone calls from a frustrated real user
        who inadvertently triggered the limit somehow? Do you want forensic
        evidence of the malware?
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
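
The two replies above describe the same design: a Postfix SMTPD policy service that counts submissions per SASL user and, once the limit is tripped, hands HOLD (or a REJECT) back to Postfix for everything that account sends until an operator reviews it, with a whitelist for legitimate heavy senders. The block below is an added example written for this page, not code from either poster, from postfwd or from Postfix. It speaks the Postfix policy protocol (newline-separated name=value attributes, a blank line, then an action=... reply) and implements Ram's "1 mail in 10 s, then block permanently" rule. The names PolicyState, decide, parse_request, LIMIT, WINDOW, BLOCK_ACTION and the listening port 10041 are this example's own choices, not anything the thread specifies.

```python
"""Per-SASL-user send-rate tripwire as a Postfix SMTPD policy service.

Added example (not from the thread, postfwd or Postfix). Counts messages
per sasl_username; a user who exceeds LIMIT messages within WINDOW seconds
is flagged and every further submission gets BLOCK_ACTION until an
operator calls PolicyState.clear(). Whitelisted users are never counted.
"""
import socketserver
import threading
import time

LIMIT = 1              # messages allowed ...
WINDOW = 10.0          # ... within this many seconds (Ram's 1 mail / 10 s)
BLOCK_ACTION = "HOLD"  # keep the spam for forensics; use a REJECT code instead if preferred
LISTEN = ("127.0.0.1", 10041)  # assumed port for this example


class PolicyState:
    """Counters and operator-managed lists; lives for the daemon's lifetime."""

    def __init__(self):
        self.lock = threading.Lock()
        self.history = {}        # sasl_username -> timestamps of counted messages
        self.last_instance = {}  # sasl_username -> Postfix 'instance' of last counted message
        self.blocked = set()     # tripped accounts; persist until an operator clears them
        self.whitelist = set()   # trusted heavy senders (cf. Len's postfwd whitelist)

    def clear(self, user):
        """Operator action after the password was changed and the queue reviewed."""
        with self.lock:
            self.blocked.discard(user)


def parse_request(text):
    """Parse one policy request: name=value lines terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def decide(state, attrs, now=None):
    """Return the access(5) action for one policy request."""
    now = time.time() if now is None else now
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    user = attrs.get("sasl_username", "")
    if not user or user in state.whitelist:
        return "DUNNO"  # unauthenticated or trusted: leave it to the other restrictions
    with state.lock:
        if user in state.blocked:
            return BLOCK_ACTION
        # Postfix may query the policy once per RCPT TO. The 'instance' attribute
        # is identical for every query about one message, so count messages, not
        # recipients, or a single two-recipient mail would trip a 1-per-10s limit.
        instance = attrs.get("instance", "")
        if instance and state.last_instance.get(user) == instance:
            return "DUNNO"
        state.last_instance[user] = instance
        stamps = [t for t in state.history.get(user, []) if now - t < WINDOW]
        stamps.append(now)
        state.history[user] = stamps
        if len(stamps) > LIMIT:
            state.blocked.add(user)  # stays blocked after the window expires
            return BLOCK_ACTION
    return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        while True:  # Postfix reuses the connection for several requests
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            action = decide(self.server.state, parse_request("\n".join(lines)))
            self.wfile.write(f"action={action}\n\n".encode())
            self.wfile.flush()


class PolicyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr, state):
        super().__init__(addr, PolicyHandler)
        self.state = state


if __name__ == "__main__":
    PolicyServer(LISTEN, PolicyState()).serve_forever()
```

To use it, the service would be listed as `check_policy_service inet:127.0.0.1:10041` ahead of `permit_sasl_authenticated` in the recipient restrictions of the submission smtpd (so the request carries sasl_username), and the hold queue watched the way Len describes. The counters here are in memory only; a restart forgets tripped accounts, so a production version would persist `blocked` or pair the HOLD with a password change as the thread does.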