mouss wrote:
ram wrote:
On Tue, 2010-03-16 at 15:40 +0100, Vegard Svanberg wrote:
Hi,
we are trying to mitigate the impact of having infected users, brute
force hacked webmail accounts etc. sending (large amounts of) outbound
spam.
The best idea we've come up with so far is to perform outbound spam
filtering following these rules (it's a bit more complicated than this,
but this is the big picture):
- Spam scoring (SpamAssassin). If spam:
- Put the mail on hold
- Add an iptables rule rejecting the IP
- Notify postmaster/abuse
Also,
* Implement ratelimits both inside postfix and in webmail
yes
* Have strong password policies
well, this is a lost battle...
* Sign up for Feedback loops and monitor the feedback address closely
this too.
* In webmail write scripts to alert you if someone adds a large
multiline signature
and this one too.
We tried blocking outbound spam using a commercial scanner but the FPs
are far too many to be used in production. So we just alert a human on
these spams and manually intervene if the account needs to be blocked.
do you mean you read someone else's mail? I find this unacceptable.
Of course some spams do get through by the time :-(
it's all about volume.
If you have a shared environment with a large number of virtual domains,
I think that outbound spam filtering is a must. No rate limits or
strong passwords will save you from being listed or banned.
Also, in a virtual environment it's hard to get everyone to sign up for an FBL.
Since you said that it's all about volume, and that is my case too: separate
the outbound from the inbound, use multiple outbound servers (not necessarily
hardware), but scan all outbound messages. To start, you can hold the
messages and inspect them in order to tune your scanner.
My solution was to set up multiple instances of the Postfix server (as many
as needed) on separate machines, and every instance uses a content
filtering scanner (amavisd-new + SA). Based on the spam score and some custom
headers added by amavisd, Postfix will pass/bounce/drop the message.
Let's say that we have three levels: clear/spammy/spam. From my point of
view it's all about what you do with the spammy stuff.
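One way to express those three levels in amavisd-new, as an added example and not the poster's actual configuration: a policy bank for the port that the outbound Postfix instance hands mail to, where the tag2 threshold marks the spammy tier and the kill threshold marks the spam tier. The port number (10026), the thresholds, the quarantine mailbox and the abuse address are assumptions to adapt.

```perl
# amavisd.conf excerpt (added example, not the poster's configuration).
# Assumed: the outbound Postfix instance uses content_filter=smtp:[127.0.0.1]:10026
# while inbound mail keeps using port 10024. Thresholds and addresses are placeholders.

# Listen on two ports so that outbound mail gets its own policy bank.
$inet_socket_port = [10024, 10026];
$interface_policy{'10026'} = 'OUTBOUND';

$policy_bank{'OUTBOUND'} = {
    originating         => 1,        # mail submitted by our own users
    sa_tag_level_deflt  => -999,     # clear tier: always add X-Spam-Score/X-Spam-Level headers
    sa_tag2_level_deflt => 3.0,      # spammy tier: add X-Spam-Flag: YES, but still pass it on
    sa_kill_level_deflt => 6.0,      # spam tier: take the action given by final_spam_destiny
    final_spam_destiny  => D_DISCARD,                  # drop it; D_BOUNCE would create backscatter
    spam_quarantine_to  => 'outbound-spam-quarantine', # keep a copy for the abuse desk
    spam_admin_maps     => ['abuse@example.com'],      # one notification per discarded message
    warnspamsender      => 0,        # the sender is probably compromised; do not tip it off
};
```

The spammy tier (score between tag2 and kill) leaves amavisd with `X-Spam-Flag: YES` and is passed back to Postfix; the Postfix instance that takes mail back from amavisd can park it for human review with a header_checks rule such as `/^X-Spam-Flag: YES/ HOLD`, provided that reinjection listener does not set `no_header_body_checks` in its `receive_override_options`. Outbound thresholds are deliberately stricter than the inbound defaults: a false positive only delays one of your own users' messages into a queue you inspect, while a miss gets your outbound IP listed.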