We had an incident today where we had a user with a compromised machine. Their email/pass made it back to some botnet which proceeded to SASL auth to our mail servers and send numerous spam messages from many different hosts. The spamming hosts didn't trigger our smtpd_client_recipient_rate_limit setting, because of the many different hosts (all with the same SASL user authenticated) that they used.

This got me wondering if there's any easy way to have anvil report stats based on the authenticated SASL username, in addition to the remote IP address? This would help me prevent/monitor potential addresses that are being used by a botnet system to relay mails through my mail server. Or even better, if there was a way to make a similar feature like the "smtpd_client_recipient_rate_limit" setting that'd match/restrict/prevent based on the authenticated SASL username?

Thoughts? Suggestions?

Thanks,
-c
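The per-username view the post asks for can be built from the smtpd log lines Postfix already writes, since each `client=` line for an authenticated session carries `sasl_method=` and `sasl_username=`. The script below is an added example, not part of the original post or of Postfix itself: it groups those lines by SASL username, counts the distinct client IPs and messages seen per account, and flags accounts that authenticate from more hosts than a chosen threshold, which is the pattern described above (one credential, many sending IPs). The log lines, hostnames, addresses and threshold are constructed for the example; the field layout follows the standard Postfix smtpd format.

```python
import re
import sys
from collections import defaultdict

# Postfix smtpd "client=" line. The sasl_* fields are present only for
# authenticated sessions. Values are matched up to the next comma/space so
# "sasl_method=PLAIN," does not swallow the following field.
LOG_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+))?"
    r"(?:, sasl_username=(?P<user>[^,\s]+))?"
)

# Constructed sample log (addresses from documentation ranges). One account,
# alice@example.com, is used from five different client IPs; bob from one;
# the last line is an unauthenticated connection and carries no sasl_* fields.
SAMPLE_LOG = [
    "Jun  1 10:00:01 mx1 postfix/smtpd[2345]: 4A1B2C3D4E: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com",
    "Jun  1 10:00:09 mx1 postfix/smtpd[2346]: 4A1B2C3D4F: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com",
    "Jun  1 10:00:15 mx1 postfix/smtpd[2347]: 4A1B2C3D50: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=alice@example.com",
    "Jun  1 10:00:22 mx1 postfix/smtpd[2348]: 4A1B2C3D51: client=unknown[203.0.113.99], sasl_method=PLAIN, sasl_username=alice@example.com",
    "Jun  1 10:00:30 mx1 postfix/smtpd[2349]: 4A1B2C3D52: client=unknown[198.51.100.200], sasl_method=PLAIN, sasl_username=alice@example.com",
    "Jun  1 10:00:31 mx1 postfix/smtpd[2350]: 4A1B2C3D53: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com",
    "Jun  1 10:01:02 mx1 postfix/smtpd[2351]: 4A1B2C3D54: client=office.example.com[192.0.2.5], sasl_method=PLAIN, sasl_username=bob@example.com",
    "Jun  1 10:01:40 mx1 postfix/smtpd[2352]: 4A1B2C3D55: client=mail.example.net[198.51.100.9]",
]


def parse_sasl_clients(lines):
    """Return {sasl_username: {"ips": set of client IPs, "messages": count}}.

    Lines without a sasl_username (unauthenticated clients) are ignored,
    since the question is specifically about relay through authenticated users.
    """
    stats = defaultdict(lambda: {"ips": set(), "messages": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m or not m.group("user"):
            continue
        entry = stats[m.group("user")]
        entry["ips"].add(m.group("ip"))
        entry["messages"] += 1
    return dict(stats)


def flag_multi_host_users(stats, ip_threshold):
    """List (username, distinct_ips, messages) for accounts seen from at least
    ip_threshold distinct client IPs, most hosts first."""
    flagged = [
        (user, len(e["ips"]), e["messages"])
        for user, e in stats.items()
        if len(e["ips"]) >= ip_threshold
    ]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


def report(lines, ip_threshold=3):
    """Format a small report; used by main() for mail.log on stdin."""
    stats = parse_sasl_clients(lines)
    out = []
    for user, n_ips, n_msgs in flag_multi_host_users(stats, ip_threshold):
        out.append(f"{user}: {n_ips} distinct client IPs, {n_msgs} messages")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python sasl_hosts.py < /var/log/mail.log   (or pipe in a sample)
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(source) or "no accounts over threshold")
```

Run against a real log by piping `mail.log` to the script; without input it reports on the constructed sample. The threshold is deliberately a count of distinct IPs rather than a message count, because a stolen credential used by a botnet stands out by the number of hosts far sooner than by volume, which is exactly why a per-client rate limit did not fire. A production version would add a time window and feed the result into whatever blocks or disables the account.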