On Wednesday 12/12/2012 at 8:48 am, Ram wrote:
Our client's postfix servers are frequently getting attacked
using compromised accounts.
In most cases it seems the spammer simply uses a phished
username/password, sends a whole lot of 419ers until we manually
change the password, but the damage is already done.
Implementing ratelimits is not really helping because ultimately the
mail will go through after the anvil time.
Since the legitimate users are extremely low email users, I can
safely block "anyone" permanently who sends more than 1 mail in 10s
with zero FP's.
How can I do this?
I use postfwd policy service for its sender-rate-limiting for both in
and out.
When a sender reaches a limit, postfwd passes HOLD action back to
postfix, and monit sends an alert email that hold queue is x size.
If a legit sender, I add them to postfwd sender whitelist.
If spammer, I change the cracked account's password and delete the
HOLDed spam. Several times, we have found several 100K msgs in the
HOLD queue.
postfwd has many other very useful envelope-filtering features.
Len
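As an added illustration of the setup Len describes (not config from either poster), here is a minimal postfwd ruleset that whitelists known legitimate senders and returns HOLD to postfix once an authenticated account exceeds one message per 10 seconds, plus the postfix hook-up. The account names, port and file paths are placeholders.

```conf
# /etc/postfix/postfwd.cf  (example ruleset, not from the thread)
#
# Rules are evaluated top to bottom; the first matching action wins.
# Whitelisted legitimate bulk senders are matched first so they never
# reach the rate rule.  "dunno" hands the decision back to postfix.
id=WL01 ; sasl_username==bulk-sender@example.com ; action=dunno
id=WL02 ; sasl_username==newsletter@example.com  ; action=dunno

# Rate limit on the SASL login rather than the envelope sender, since a
# spammer using a phished account can forge any From/sender address.
# rate(item/max/seconds/action): more than 1 message from one account in
# 10 s -> postfwd answers HOLD, so the mail parks in the hold queue
# (where monit can alarm on the queue size) instead of being delivered.
id=RL01 ; sasl_username=~^.+$ ; action=rate(sasl_username/1/10/HOLD rate limit exceeded for $$sasl_username)

# Everything else is left to postfix's normal restrictions.
id=DEFAULT ; action=dunno
```

```conf
# /etc/postfix/main.cf  (fragment; port 10040 is assumed)
# Query postfwd before accepting the recipient, on both the submission
# and the smtp listener if both accept authenticated mail.
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_policy_service inet:127.0.0.1:10040,
    permit_sasl_authenticated,
    reject_unauth_destination
```

Start the policy daemon with `postfwd --daemon --file=/etc/postfix/postfwd.cf --interface=127.0.0.1 --port=10040`; held messages can be reviewed with `postqueue -p` and released or deleted per sender with `postsuper -H`/`postsuper -d` once the cracked account's password has been changed.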