In my experience, anti-spam is a combination of methods. Filtering outgoing traffic is difficult, especially if spammers don't send worldwide, but in their own country and language. Smart spammers do clean up their lists and do not include links, but keep in mind: they need volume while normal users don't.
Implement a recipient rate per day for each account (not messages and not authentications). It should affect their mass mailing. A normal user or employee has no need to contact 200 - 300 recipients in one day. If they do, you may consider the number of recipient domains instead. Compare successful deliveries (per sender) vs hard bounces (non-existing recipients and domains). <= 1% should be enough to trigger an action. Obtain spammed recipients at popular providers from your logs (@yahoo, @gmail etc.) and set them as spam traps in your system covering the whole alphabet and numbers. Once a trap address (or a combination of traps) is hit, block the sender or hold the messages.

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Chuck Peters
Sent: Saturday, April 18, 2015 9:17 PM
To: postfix-users@postfix.org
Subject: Blocking compromised accounts (outgoing spam) and auth cracking

I'm researching migrating some Exim servers to Postfix and would like to implement automatic blocking of compromised and spammers' accounts with notifications to staff. Any suggestions?

On the Exim user list today someone suggested https://github.com/Exim/exim/wiki/BlockCracking.

Blocking compromised accounts (outgoing spam) and auth cracking

Nowadays users' passwords are often stolen (with drive-by exploits, Windows malware, phishing) and used for spamming. Spam sent with authentication via your server causes it to be blacklisted without notice and sometimes with no appeal. Simple rate limiting of authenticated users constrains honest users while still allowing spam to trickle through; your server still ends up in blacklists. Each server needs automatic detection and blocking of compromised accounts (stolen passwords). I amended and implemented (for Exim version 4.67 or higher) Andrew Hearn's idea to check not the rate of messages or of all recipients, but the rate of attempts to send to nonexistent recipient email addresses.

The vast majority of spammers never try to validate every recipient address. Spammers harvest strings looking like email addresses from webpages and the disks of trojaned Windowses, then sell huge lists of email addresses to each other. These lists contain very many email addresses which don't exist anymore or never existed: Message-Ids, corrupted strings in memory and files. In short, spammers' lists of email addresses are much dirtier than the lists honest users send to. Honest users are very unlikely to attempt to send to 100 nonexistent email addresses in one hour. Below I explain in detail (for novices at Exim) what to change in the Exim config for automatic blocking of compromised and spammers' accounts, with automatic email notification to the sysadmin or your abuse or support staff.

...

Thanks,
Chuck
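The following is an added example, not code from this thread, from the Exim BlockCracking wiki page, or from Postfix itself. It shows the detection side of what the reply above and the quoted wiki text describe, applied to Postfix logs (since the original poster is migrating to Postfix): correlate postfix/smtpd lines (queue id plus sasl_username) with postfix/smtp delivery lines (queue id, recipient, DSN, status), then score each authenticated sender on distinct recipients per day, hard-bounce ratio, and spam-trap hits. The log lines, trap addresses, hostnames, queue ids, threshold values and the MIN_ATTEMPTS guard are all assumptions; the actual blocking (for example through a Postfix policy service) and the staff notification are not shown.

```python
"""Score authenticated Postfix senders for signs of a compromised account.

Added example: parses constructed postfix/smtpd and postfix/smtp log lines,
joins them on the queue id, and flags senders by recipient volume,
hard-bounce ratio and spam-trap hits. Thresholds are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed thresholds; the list reply suggests 200-300 recipients/day as a ceiling.
MAX_RECIPIENTS_PER_DAY = 200
MAX_BOUNCE_RATIO = 0.01
MIN_ATTEMPTS = 10   # assumption: don't judge a ratio on a handful of deliveries

# Queue ids are short-form uppercase hex here (long-form ids would need [0-9A-Za-z]).
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=.*?sasl_username=(?P<user>[^\s,]+)")
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*?"
    r"dsn=(?P<dsn>\d\.\d+\.\d+).*?status=(?P<status>\w+)")


@dataclass
class SenderStats:
    recipients: set = field(default_factory=set)
    attempts: int = 0
    hard_bounces: int = 0
    trap_hits: set = field(default_factory=set)

    def bounce_ratio(self) -> float:
        return self.hard_bounces / self.attempts if self.attempts else 0.0


def collect(lines, traps):
    """Correlate smtpd auth lines with smtp delivery lines via the queue id."""
    qid_to_user = {}
    stats = defaultdict(SenderStats)
    for line in lines:
        m = SMTPD_RE.search(line)
        if m:
            qid_to_user[m["qid"]] = m["user"].lower()
            continue
        m = SMTP_RE.search(line)
        if not m or m["qid"] not in qid_to_user:
            continue  # not an authenticated submission (inbound/relay traffic): skip
        s = stats[qid_to_user[m["qid"]]]
        rcpt = m["rcpt"].lower()
        s.attempts += 1
        s.recipients.add(rcpt)
        if m["status"] == "bounced" and m["dsn"].startswith("5."):
            s.hard_bounces += 1  # permanent failure: nonexistent user or domain
        if rcpt in traps:
            s.trap_hits.add(rcpt)
    return stats


def flag_senders(lines, traps):
    """Return {user: [reasons]} for every sender that trips at least one rule."""
    flagged = {}
    for user, s in collect(lines, traps).items():
        reasons = []
        if len(s.recipients) > MAX_RECIPIENTS_PER_DAY:
            reasons.append(f"{len(s.recipients)} distinct recipients")
        if s.attempts >= MIN_ATTEMPTS and s.bounce_ratio() > MAX_BOUNCE_RATIO:
            reasons.append(f"hard-bounce ratio {s.bounce_ratio():.0%}")
        if s.trap_hits:
            reasons.append("spam trap hit: " + ", ".join(sorted(s.trap_hits)))
        if reasons:
            flagged[user] = reasons
    return flagged


def _delivery(qid, rcpt, ok):
    """Build one constructed postfix/smtp delivery line (sample data, not real logs)."""
    host = "mx." + rcpt.split("@", 1)[1]
    if ok:
        return (f"Apr 18 21:17:02 mx1 postfix/smtp[1210]: {qid}: to=<{rcpt}>, "
                f"relay={host}[198.51.100.2]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)")
    return (f"Apr 18 21:17:02 mx1 postfix/smtp[1210]: {qid}: to=<{rcpt}>, "
            f"relay={host}[198.51.100.2]:25, dsn=5.1.1, status=bounced "
            f"(host {host} said: 550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown)")


# Constructed trap list: addresses that hard-bounced at big providers in earlier logs.
TRAPS = {"qzx1234@gmail.com", "nosuchuser99@yahoo.com"}

# Constructed sample: alice sends one clean message; mallory sends two 5-recipient
# messages where 6 of 10 addresses do not exist, one of them a trap.
MALLORY_RCPTS = [("dave@example.net", True), ("qzx1234@gmail.com", False),
                 ("kjh8823@gmail.com", False), ("erin@example.org", True),
                 ("zz9plural@yahoo.com", False), ("frank@example.com", True),
                 ("a1b2c3@gmail.com", False), ("grace@example.net", True),
                 ("nobody.here@yahoo.com", False), ("x7y8z9@gmail.com", False)]
SAMPLE_LOG = [
    "Apr 18 21:17:01 mx1 postfix/smtpd[1201]: A1B2C3: client=unknown[203.0.113.5], "
    "sasl_method=PLAIN, sasl_username=alice@example.com",
    _delivery("A1B2C3", "bob@example.net", True),
    _delivery("A1B2C3", "carol@example.org", True),
    "Apr 18 21:30:00 mx1 postfix/smtpd[1202]: D4E5F6: client=unknown[198.51.100.77], "
    "sasl_method=LOGIN, sasl_username=mallory@example.com",
    *[_delivery("D4E5F6", r, ok) for r, ok in MALLORY_RCPTS[:5]],
    "Apr 18 21:31:00 mx1 postfix/smtpd[1202]: F7A8B9: client=unknown[198.51.100.77], "
    "sasl_method=LOGIN, sasl_username=mallory@example.com",
    *[_delivery("F7A8B9", r, ok) for r, ok in MALLORY_RCPTS[5:]],
    _delivery("C0FFEE", "eve@example.net", False),  # no auth line: ignored
]

if __name__ == "__main__":
    for user, reasons in flag_senders(SAMPLE_LOG, TRAPS).items():
        print(f"{user}: " + "; ".join(reasons))
```

In production the same correlation would be fed from the live mail log (or from `postfix/smtpd` and `postfix/smtp` syslog entries tailed over a rolling one-day window), and a flagged user would be written to a lookup table consulted by a `smtpd_sender_restrictions` or policy-service check, with the reasons list mailed to the abuse desk. The `MIN_ATTEMPTS` guard exists because one mistyped address out of three deliveries is a 33% bounce ratio that no one wants an alert for.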