On Wed 21/Aug/2013 02:42:39 +0200 Lindsay Haisley wrote:
> On Tue, 2013-08-20 at 13:59 -0700, Nick Ellson wrote:
>> It appears that the main issue was that my account credentials were
>> compromised for a 1 month period, which loaded my system up with so
>> much spam things would not function. This made the rest of it look
>> very bad.
> 
> I had this happen a while ago.

Me too...

> I'm using a MySQL db for courier
> authentication and had a clause in MYSQL_SELECT_CLAUSE written to deny
> relaying for everyone unless they had a flag set in the db AND could
> authenticate.

I log each user's outgoing mail in a MySQL db, and automatically block
users as described under "Log of outgoing messages" in
http://www.tana.it/sw/zdkimfilter/zfilter_db.html

Having a minuscule number of users, I was lucky enough to notice the
anomalous traffic when it was still about the hundreds.  Automatic
blocking would have been triggered at 10000.  Ten thousand is still a
manageable number of files, but in hindsight I wouldn't have wanted to
reach it.

>  Unfortunately, I hadn't updated MYSQL_SELECT_CLAUSE which
> had been copied from a previous courier installation on another server
> which didn't look at my auth flag.  The result was that one of my
> customers got her computer infected with a key-logger and her IMAP
> credentials were used to pwn my SMTP server and send out huge quantities
> of spam!  My server got blacklisted!

Do you mean you wouldn't have conceded the relay auth flag to that user
of yours?  Based on what, if you don't mind my asking?  You may be able
to estimate who is more likely to catch a key-logger, but there's no way
to tell for sure...

> Fortunately, courier logs the user IDs for authenticated SMTP access,
> and places the same information in the Received header added by the SMTP
> server.

Here are three features that just come to mind:

* Spamfilter on outgoing mail,

* auto-honeypot rather than auto-block --useful to report abuse--,

* per user limit on messages --the numeric equivalent of your flag--
  possibly allowing users to set their limit for some limited amount of
  time.

Thoughts?
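
An added example, not part of the original post and not zdkimfilter's schema or code: a per-user message limit with a temporary, user-set raise, as in the third feature listed above. The table layout, the one-day counting window and all function names are assumptions, and an in-memory SQLite database stands in for the MySQL log.

```python
import sqlite3

DEFAULT_LIMIT = 10000   # block threshold mentioned in the post
WINDOW = 86400          # assumed counting window, in seconds (one day)

def open_db():
    """Create the hypothetical log and per-user policy tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sent (user TEXT, ts INTEGER);
        CREATE TABLE users (user TEXT PRIMARY KEY, msg_limit INTEGER,
                            raised_limit INTEGER, raised_until INTEGER,
                            blocked INTEGER DEFAULT 0);
    """)
    return db

def effective_limit(db, user, now):
    """Return the raised limit while it is still valid, else the base limit."""
    row = db.execute("SELECT msg_limit, raised_limit, raised_until "
                     "FROM users WHERE user=?", (user,)).fetchone()
    if row is None:
        return DEFAULT_LIMIT
    base, raised, until = row
    if raised is not None and until is not None and now < until:
        return raised
    return base if base is not None else DEFAULT_LIMIT

def raise_limit(db, user, limit, now, duration):
    """Let a user raise their own limit for a bounded period."""
    db.execute("INSERT OR IGNORE INTO users (user) VALUES (?)", (user,))
    db.execute("UPDATE users SET raised_limit=?, raised_until=? WHERE user=?",
               (limit, now + duration, user))

def record_and_check(db, user, now):
    """Log one authenticated submission; return True if it may be relayed."""
    db.execute("INSERT OR IGNORE INTO users (user) VALUES (?)", (user,))
    blocked = db.execute("SELECT blocked FROM users WHERE user=?",
                         (user,)).fetchone()[0]
    if blocked:
        return False            # stays blocked until an admin clears the flag
    db.execute("INSERT INTO sent VALUES (?, ?)", (user, now))
    count = db.execute("SELECT COUNT(*) FROM sent WHERE user=? AND ts>?",
                       (user, now - WINDOW)).fetchone()[0]
    if count > effective_limit(db, user, now):
        db.execute("UPDATE users SET blocked=1 WHERE user=?", (user,))
        return False
    return True
```

A blocked account stays blocked after the window rolls over, so stolen credentials cannot resume sending the next day without someone looking at the log.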