On 08/05/12 20:09, Dino Ciuffetti wrote:
>>> Thanks Sam, never had to look at this stuff before. We had a
>>> phishing spam where just one client answered with her auth
>>> details and in about 8 hours 660K spams were sent via her
>>> account before I manually blocked the sending IP and cancelled
>>> the mailq messages. Normal users would never be sending at 80K
>>> per hour...
>>>
>>> Anyone have any suggestions how to prevent this kind of abuse?
>
>> There's nothing there that can be readily used for something like this.
>> I suppose one can hack up a perlfilter script that counts messages from
>> each authenticated user.
> 
> I use fail2ban (http://www.fail2ban.org/) for that purpose.
> You can set your log line regexps, and it works!

I'm not sure how fail2ban could work with outgoing mail, as it would need
to track all connection IPs and watch the number of messages delivered per user,
and then, if that rate hits a limit, decide which was the originating
IP and do an iptables block. I know it's pretty good at doing this with
logfiles that contain the incoming IP per line, but in this case the IP
is going to be way back in the logfile, and that's assuming that the
logfile hasn't been rotated.

My brief episode with Plesk and postfix showed they used something called
policyd for this purpose, http://policyd.org/content/features

"This policy daemon is designed mostly for large scale mail hosting
environments. The main goal is to implement as many spam combating
and email compliance features as possible while at the same time
maintaining the portability, stability and performance required for
mission critical email hosting of today."

So Sam, would it be possible to use, say, the BACKSCATTER facility to have
an idea what message-id was associated with which IP?

Or, can you suggest anything in courier that I could get access to that
would match message-ids to IP?
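Added example, not code from the list or from Courier itself: a sliding-window per-user rate check of the kind the thread proposes (counting messages per authenticated user and keeping the client IP and message-id beside each count so the offending IP can be found without searching back through the log). The log line format, field names and sample data are constructed for the example and do not mirror Courier's real log output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption, not Courier's real one): one line per
# accepted submission carrying timestamp, message-id, auth user and client IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"submit: id=(?P<msgid>\S+),auth=(?P<user>\S+),ip=\[(?P<ip>[^\]]+)\]$"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "msgid": m["msgid"],
            "user": m["user"], "ip": m["ip"]}

def find_rate_violations(lines, max_per_window, window=timedelta(hours=1)):
    """Return {user: (timestamp, ip, msgid)} of the first message that pushed
    each authenticated user over max_per_window within any sliding window."""
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    hits = {}
    for line in sorted(lines):    # ISO timestamps sort lexicographically
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["user"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop timestamps outside window
            q.popleft()
        if len(q) > max_per_window and rec["user"] not in hits:
            hits[rec["user"]] = (rec["ts"], rec["ip"], rec["msgid"])
    return hits

def make_sample():
    """Constructed sample: alice sends a few messages over an hour, bob's
    account bursts twelve messages in six minutes from one IP."""
    base = datetime(2012, 5, 8, 20, 0, 0)
    lines = [f"{(base + timedelta(minutes=10 * i)).isoformat()} submit: "
             f"id=n{i},auth=alice@example.net,ip=[192.0.2.10]" for i in range(5)]
    lines += [f"{(base + timedelta(seconds=30 * i)).isoformat()} submit: "
              f"id=b{i},auth=bob@example.net,ip=[203.0.113.7]" for i in range(12)]
    return lines

if __name__ == "__main__":
    for user, (ts, ip, msgid) in find_rate_violations(make_sample(), 10).items():
        print(f"{user}: limit exceeded at {ts} from {ip} (msgid {msgid})")
```

The limit of 10 per hour is chosen only to make the constructed sample trip; a real threshold would sit well above a normal user's rate and far below the 80K per hour seen in the incident.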

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net