I also limit the number of recipients allowed on an out-going email.
This blocks bulk spammers since they tend to put a lot of addresses on 1 envelope.

The number allowed will depend on your users' typical patterns.
Mine is pretty low (between 10-20) since we tend to have small project teams.

Ron


On 06/12/2016 2:59 AM, Julian Kippels wrote:
On Mon, 5 Dec 2016 20:52:21 -0500,
Alex <mysqlstud...@gmail.com> wrote:

Hi,

I have a postfix-3.0.5 system with a few hundred users. They have
access to submission, webmail, and dovecot to send and receive mail.

On occasion, a user's local desktop is compromised, and with it their
account on this system. This leads to their local desktop using the
submission service to send hundreds or thousands of spam emails
through this compromised account.

They're only stopped after the user receives a ton of bounce messages,
or we happen to see it somehow while watching logs.

What mechanisms are available to, say, control the number of messages
sent per day or otherwise be made aware of a pattern of messages being
sent by an account that could be indicative of account compromise?

Thanks,
Alex
Hi Alex,

I use a policy daemon that registers every mail that is sent by our
servers. The metadata is stored in a SQL Database. Every two minutes
a cronjob is run which checks the metadata for which sasl_sender has
sent how many mails. If a sasl_sender surpasses a certain threshold the
cronjob automatically blocks this user in our LDAP so that he can't
submit any more mails.




--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
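
An added example, not code from anyone in this thread: the decision logic of a Postfix policy-delegation service that combines the per-message recipient cap and the per-account sending threshold discussed above. The limits, the window, the class and function names, and the in-memory counters (standing in for a SQL store) are assumptions, and it expects to be called at the end-of-message stage, where Postfix supplies `recipient_count`.

```python
import time
from collections import defaultdict, deque

MAX_RCPTS_PER_MSG = 20      # per-envelope cap (upper end of the 10-20 range above)
MAX_RCPTS_PER_WINDOW = 100  # assumed per-account threshold
WINDOW_SECONDS = 3600       # assumed sliding window

# Constructed sample request in Postfix policy-delegation format.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=END-OF-MESSAGE\n"
                  "sasl_username=alice\nrecipient_count=5\n\n")

def parse_request(text):
    """Parse name=value lines; an empty line ends the request."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class SenderLimiter:
    def __init__(self):
        self.history = defaultdict(deque)  # sasl_username -> (time, recipients)
        self.flagged = set()               # accounts an operator should review

    def decide(self, attrs, now=None):
        now = time.time() if now is None else now
        user = attrs.get("sasl_username", "")
        count = attrs.get("recipient_count", "")
        # Only authenticated submissions at end-of-message are counted.
        if not user or attrs.get("protocol_state") != "END-OF-MESSAGE":
            return "DUNNO"
        rcpts = int(count) if count.isdigit() else 0
        if rcpts > MAX_RCPTS_PER_MSG:
            return "REJECT Too many recipients in one message"
        events = self.history[user]
        while events and events[0][0] <= now - WINDOW_SECONDS:
            events.popleft()               # drop entries older than the window
        if sum(n for _, n in events) + rcpts > MAX_RCPTS_PER_WINDOW:
            self.flagged.add(user)         # possible compromised account
            return "DEFER_IF_PERMIT Sending limit reached, contact postmaster"
        events.append((now, rcpts))
        return "DUNNO"

def respond(limiter, text, now=None):
    """Return the reply Postfix expects: action=... followed by an empty line."""
    return "action=%s\n\n" % limiter.decide(parse_request(text), now)
```
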
