Hi Meaulnes,

> But that user is still sending out tons of mails if I enable it again
> (unchecking «Suspend» in the GUI), thousands in a couple of hours

Yeah, in that case it would be best to suspend him until the time that the user has cleaned up his infected PC. You've done some good work there identifying the problem.

But we also do have some software that can help with identifying, warning about and limiting the effect of the problem: The AV-SPAM has an extra called Milter-GeoIP. This performs several functions:

1.) Check if senders of emails relaying through your server are from a list of allowed countries. If not, it's possible to block them from using your server to send emails. Accounts can also be automatically suspended if they are being used from blacklisted countries, as this would indicate a compromise of the account. Or a very prolific traveller.

2.) Vsite and User email quotas: Each Vsite (and User) can be configured to have an allowance of how many emails they may send through your server in a 24 hour period. If that quota is almost reached (75%), a warning is sent to you and the user. If the quota is exceeded, then no more emails can be sent by that user (or the Vsite) for the rest of the day. Likewise Active Monitor will let you know about this.

3.) Milter-GeoIP keeps a very exact tally about how many emails a Vsite (and Users) have sent and received. So identifying a culprit is then as easy as going to "Active Monitor" and checking "Email Traffic Monitor".

With these measures in place (and active!) you'll have an easy time to learn early on if some fishy email activity is going on and can then take further actions if need be.

How this is configured?

If the AV-SPAM v6.1.0 or v6.2.0 is installed: Go to "Network Settings" / "AV-SPAM" and see the "Services" tab. Milter-GeoIP should be enabled.

In the "GeoIP" tab review the "Daily Limits for Email-Sending". You may want to adjust them to lower numbers. For very active Vsites (or individual Users) you can set them higher in the Vsite or User email settings of the respective Vsites and User management.

Tick the checkbox "Enforce Email Limits".
That will activate the feature that limits how many emails Vsites and Users can send per day.

If you want to take it a step further to block that your server is used to relay emails from blacklisted countries? Review the Black- and Whitelisted countries and adjust the checkboxes to your liking. Then tick "Block Blacklist entirely" (if you want to block) or leave it off if you just want to get warned by Active Monitor.

To allow a Vsite individual email traffic settings see "Site Management" / "Services" / "Email".

To allow a User individual email traffic settings see "Site Management" / "User Management" / "User List" and click on the User in question.

In both cases "Enforce Email Limits" must be ticked and the allowance can then be adjusted to your liking.

If a user tries to send more emails than allowed, the SMTP service will send him an error message that all SMTP clients can understand. The message is very clear and says something like "You already sent more emails today than you are being allowed to." The usual email clients will show this exact message to the end user, so there should be no confusion for him why he's unable to send more.

-- 
With best regards

Michael Stauber
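
The quota policy described in the message above (a daily allowance per user, a warning at 75%, rejection once the allowance is used up), as an added Python example that is not part of the original post and is not Milter-GeoIP's code. The log line format, the calendar-day reset and the names `evaluate`, `SAMPLE` and `WARN_FRACTION` are assumptions made for the illustration.

```python
from collections import Counter

WARN_FRACTION = 0.75  # the post states a warning is sent at 75% of the quota

# Constructed sample input (not real server logs): one line per message
# submitted by an authenticated sender, "<ISO timestamp> authid=<user>".
SAMPLE = (
    [f"2024-05-01T09:{m:02d}:00 authid=bob" for m in range(10)]
    + ["2024-05-01T09:30:00 authid=alice",
       "2024-05-02T08:00:00 authid=bob"]
)


def evaluate(log_lines, default_limit, per_user_limits=None):
    """Apply a per-user daily sending quota to submission records.

    Returns (events, accepted): events is a list of
    (timestamp, user, "WARN" | "BLOCK"), reported once per user and day;
    accepted maps (user, day) to the number of messages let through.
    Assumption: the quota resets at the start of each calendar day.
    """
    per_user_limits = per_user_limits or {}
    accepted = Counter()
    reported = set()
    events = []
    for line in log_lines:
        stamp, field = line.split()
        user = field.split("=", 1)[1]
        day = stamp[:10]
        limit = per_user_limits.get(user, default_limit)
        key = (user, day)
        if accepted[key] >= limit:
            state = "BLOCK"  # allowance used up: this message is rejected
        else:
            accepted[key] += 1
            near = accepted[key] >= WARN_FRACTION * limit
            state = "WARN" if near else None
        if state and (user, day, state) not in reported:
            reported.add((user, day, state))
            events.append((stamp, user, state))
    return events, dict(accepted)


if __name__ == "__main__":
    for event in evaluate(SAMPLE, default_limit=8)[0]:
        print(*event)
```
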