On Thu, Mar 14, 2013 at 11:47:18AM +0000, Elaconta.com Webmaster wrote:
> Elaconta.com Webmaster wrote:
> >Benny Pedersen wrote:
> >>Elaconta.com Webmaster wrote on 2013-03-14 11:48:
> >>
> >>>Specifically, if a user sends 100 emails and more than 25 of those
> >>>are sent to non-existing users, disable email relaying for that user
> >>>for half an hour, for instance.
> >>
> >>i say reject_unverified_recipient one more time
> >>
> >>should i give links to pypolicyd-spf ?
> >>
> >>sending 100000000 emails does change spf records ?
> >>
> >>if you want another way of solving use rsyslog with sql query
> >>from tempfails/hardfails on random recipient domains, and from
> >>that sql logs block that sender local that spammed to it,
> >>impossible to use reject_unverified_recipient or just ignoring
> >>the problem ?
> >I'll look into reject_unverified_recipient, thanks for your
> >insight.

That's abusive toward other sites. I wouldn't recommend that.

> Also for more clarification: We require authentication for all of
> our email users, and have hourly email sending quotas in place.

I don't think your quotas are strict enough, and rather than being
renewed hourly, perhaps it should be a one-time trigger to block all
further sending by those credentials.

Bear in mind that these aren't your users sending mail to their
friends -- this is malware which has seized your users' machine and
is using their stored credentials to spew spam to victims.

Yes, you will inconvenience your users, but surely their malware has
violated their ToS? (Rewrite your ToS if necessary. Hold users
accountable for such abuse.)

> But there's nothing stopping auth'ed users from sending emails to
> lots of non-existent users, and that affects the email server's
> reputation negatively.

Once abuse has occurred, you can bet more will follow. Don't allow
spew to continue.

> Hence our trying to reduce the amount of emails sent to non-existent
> emails.

I think you'd also find URIBL content filtering of submitted mail
very effective. This malware almost always tries to get victims to
look at spammy links.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
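
The policy discussed in this thread (more than 25 of 100 messages going to non-existent recipients, combined with the reply's one-time block instead of an hourly reset), as an added example that is not part of the original messages. It assumes the stock Postfix syslog layout, reads "100 emails" as a sliding window over each account's last 100 final delivery results, and uses hypothetical names (flag_senders, constructed_log) and constructed log lines.

```python
import re
from collections import defaultdict, deque

# Assumed stock Postfix syslog format; thresholds are the thread's 100 / 25.
AUTH_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=.*sasl_username=([^,\s]+)")
DELIV_RE = re.compile(
    r"postfix/smtp\[\d+\]: (\w+): to=<[^>]*>,.*\bdsn=(\d\.\d+\.\d+), status=(\w+)")

def flag_senders(lines, window=100, max_unknown=25):
    """Return {sasl_username: unknown-recipient count} for accounts to block."""
    owner = {}                                   # queue id -> authenticated user
    recent = defaultdict(lambda: deque(maxlen=window))
    flagged = {}
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            owner[m.group(1)] = m.group(2)
            continue
        m = DELIV_RE.search(line)
        if not m or m.group(1) not in owner:
            continue                             # not an authenticated submission
        qid, dsn, status = m.groups()
        if status == "deferred":
            continue                             # retried later; count final results
        user = owner[qid]
        # DSN 5.1.1 is "bad destination mailbox address" (RFC 3463).
        recent[user].append(status == "bounced" and dsn == "5.1.1")
        unknown = sum(recent[user])
        if len(recent[user]) == window and unknown > max_unknown:
            flagged.setdefault(user, unknown)    # one-time trigger, never reset
    return flagged

def constructed_log():
    """Constructed sample: mallory bounces 30 of 100 messages, alice 2 of 100."""
    out = []
    for user, bad in (("mallory@example.com", 30), ("alice@example.com", 2)):
        for i in range(100):
            qid = f"{user[0].upper()}{i:05X}"
            dsn, status = ("5.1.1", "bounced") if i < bad else ("2.0.0", "sent")
            out.append(f"Mar 14 11:40:01 mx postfix/smtpd[101]: {qid}: client="
                       f"unknown[192.0.2.10], sasl_method=PLAIN, sasl_username={user}")
            out.append(f"Mar 14 11:40:02 mx postfix/smtp[102]: {qid}: to=<u{i}@"
                       f"example.net>, relay=mx.example.net[198.51.100.5]:25, "
                       f"delay=1, dsn={dsn}, status={status} (constructed)")
    return out

if __name__ == "__main__":
    for user, unknown in flag_senders(constructed_log()).items():
        print(f"block {user}: {unknown} of last 100 deliveries to unknown recipients")
```

Unlike reject_unverified_recipient, this only reads the bounces already recorded in the local log and sends no probes to other sites.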