On Mon, 2014-05-05 at 11:03 -0600, Mark Costlow wrote:
> We've found that this approach works and is valuable, although it has
> been tricky to determine what a "safe" number of IPs is to allow. In
> particular, smartphones roaming around the city tend to look like they
> are connecting from many IPs. We eventually changed the comparison to
> consider the number of /24 subnets the IPs were from, which helped.
> (I.e. 172.14.89.2, 172.14.89.12, and 172.14.89.119, all
> count as being from a single subnet).

Thanks to both you and the OP for sharing this interesting idea. I'll definitely keep this in mind.

Here's a bit on a technique we've used:

To quarantine phished accounts, we've implemented something that tracks the number of new recipients a given sender sends mail to. If that exceeds a limit over the last (i.e. rolling window of) 72 hours, then we lock out the account.

This works remarkably well. I don't think we've ended up on a block list since, and there have been very few false positives. We've hit a few people sending to 200 recipients from Outlook. We've been able to address that by moving them to a mailing list system, which I think is the right answer for that anyway.

--
Richard

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
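
The two heuristics discussed in this thread (new recipients per sender over a rolling 72 hours, and collapsing client IPs to /24 subnets), as an added example that is not code from either poster and is not a MIMEDefang filter. The class and function names, the limit of 100 and the sample addresses in the demo are assumptions; "new" is taken to mean a recipient this sender has never mailed before, and events must arrive in time order.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)  # rolling window named in the post
NEW_RCPT_LIMIT = 100          # assumed threshold; the post does not state one


class NewRecipientTracker:
    """Counts recipients a sender has never mailed before, per rolling window."""

    def __init__(self, limit=NEW_RCPT_LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.known = defaultdict(set)     # sender -> every recipient seen so far
        self.recent = defaultdict(deque)  # sender -> first-seen times in window
        self.locked = set()               # senders awaiting manual review

    def record(self, sender, recipients, when):
        """Record one message; return True if the sender is locked out."""
        q = self.recent[sender]
        for rcpt in {r.strip().lower() for r in recipients}:
            if rcpt not in self.known[sender]:
                self.known[sender].add(rcpt)
                q.append(when)
        while q and when - q[0] > self.window:  # expire entries older than 72 h
            q.popleft()
        if len(q) > self.limit:
            self.locked.add(sender)  # stays locked until an admin clears it
        return sender in self.locked


def distinct_slash24(ips):
    """Collapse IPv4 addresses to their /24 networks, as in the quoted message."""
    return {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}


if __name__ == "__main__":
    # Constructed sample traffic: a burst to 150 never-seen recipients.
    tracker = NewRecipientTracker()
    start = datetime(2014, 5, 5, 11, 0)
    for i in range(150):
        hit = tracker.record("user@example.org", [f"r{i}@example.net"],
                             start + timedelta(minutes=i))
    print("locked:", hit)
    # The three addresses from the quoted message share one /24.
    print(distinct_slash24(["172.14.89.2", "172.14.89.12", "172.14.89.119"]))
```

Recipients already in a sender's history never count again, so regular correspondence does not add to the total; only first contacts do.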