> On Feb 2, 2019, at 4:36 PM, Scott Lambert <lamb...@lambertfam.org> wrote:
> 
> On Sat, Feb 02, 2019 at 11:46:35AM -0500, micah anderson wrote:
>> SH Development <listacco...@starionline.com> writes:
>> 
>>> I'm about at my wit's end with Google.
>>> 
>>> A couple of weeks ago, we had a user account get compromised. About
>>> 11,000 spam emails were sent through the account over a 24-hour period
>>> before we caught it and shut it down.
>> 
>> I know it doesn't help your current situation, but I highly suggest you
>> set up postfwd with some sending limits, so that this does not happen
>> again in the future.
>> 
> 
> Seconded. Setting sending limits, with a process for expanding the
> limit for customers who legitimately need expansion, completely stopped
> us being added to RBLs at my former employer.
> 
> The customers who needed more messages per hour/day got a lecture
> about keeping their passwords safe and an explanation of the financial
> penalties we would exact from them should their account get us RBLed.
> 
> For us, 100/hour 500/day was a sufficient default for 99.99% of our
> users. We had maybe 25 clients set up with expanded limits five years
> after implementing the policy daemon.
I was hoping that the rate-limiting was enough, but I found that whatever was spamming through the compromised accounts was intelligent. If we let 100/hour through, they’d ratchet down to 50/hour… Just a reminder you need a rate limit and a total.

Charles

> We also trolled the log files to count the total number of e-mails
> sent per user each day. We got an emailed report hourly. We often
> identified compromised accounts before they hit the limits when the
> spammer was sneaky enough to slow send. Submitting e-mail from three
> continents in an hour is a pretty good indicator of a compromised
> account.
> 
> PolicyD meant it was okay if we took some time for sleep or missed the
> hourly reports for a weekend.
> 
> -- 
> Scott Lambert KC5MLE Unix SysAdmin
> lamb...@lambertfam.org
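Scott's log-counting approach (a per-user daily total reported hourly, plus the "three continents in an hour" heuristic) and Charles's point that a rate limit alone is not enough, because a slow sender stays under it, can be combined in one small monitor. The script below is an added example written for this thread; it is not code from the thread, from postfwd or from PolicyD. The log line format, the IP-to-region table standing in for a GeoIP lookup, and the sample log are all constructed; the thresholds are the 100/hour and 500/day values quoted above.

```python
"""Hypothetical per-user submission monitor (added example, not from the thread).

Reads simplified submission-log lines of the constructed form
    <ISO timestamp> sasl_username=<user> client_ip=<ip>
and reports users who exceed a rolling hourly rate, a calendar-day total,
or who submit from several regions within one hour."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

HOURLY_LIMIT = 100   # messages in any rolling one-hour window
DAILY_LIMIT = 500    # messages per calendar day (catches the slow sender)
REGION_LIMIT = 3     # distinct regions seen within one hour

# Constructed IP -> region table; a real deployment would use a GeoIP lookup.
IP_REGION = {
    "198.51.100.7": "NA",
    "198.51.100.20": "NA",
    "203.0.113.9": "EU",
    "192.0.2.44": "AS",
}

LINE_RE = re.compile(r"^(\S+) sasl_username=(\S+) client_ip=(\S+)$")


def parse_line(line):
    """Return (timestamp, user, ip) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def analyze(lines):
    """Return {user: sorted list of reasons} for every user that trips a check."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, user, ip = parsed
            events[user].append((ts, ip))

    findings = {}
    for user, evs in events.items():
        evs.sort()
        reasons = set()

        # Daily total: the check a pure hourly rate limit cannot provide.
        per_day = defaultdict(int)
        for ts, _ in evs:
            per_day[ts.date()] += 1
        if any(n > DAILY_LIMIT for n in per_day.values()):
            reasons.add("daily_total")

        # Rolling one-hour window over the sorted events (two-pointer sweep).
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] >= timedelta(hours=1):
                start += 1
            window = evs[start:end + 1]
            if len(window) > HOURLY_LIMIT:
                reasons.add("hourly_rate")
            regions = {IP_REGION.get(ip, "unknown") for _, ip in window}
            if len(regions) >= REGION_LIMIT:
                reasons.add("multi_region")

        if reasons:
            findings[user] = sorted(reasons)
    return findings


def sample_log():
    """Constructed log for one day: a normal user, a slow sender, a roaming
    account and a burst sender."""
    base = datetime(2019, 2, 2, 0, 0, 0)
    lines = []
    # alice: 30 messages in one hour from one address -> no finding
    for i in range(30):
        ts = base + timedelta(hours=9, minutes=i)
        lines.append(f"{ts.isoformat()} sasl_username=alice client_ip=198.51.100.7")
    # bob: 40 per hour for 13 hours = 520/day, never over the hourly limit
    for h in range(13):
        for i in range(40):
            ts = base + timedelta(hours=h, minutes=i)
            lines.append(f"{ts.isoformat()} sasl_username=bob client_ip=203.0.113.9")
    # carol: five messages in 20 minutes from three regions
    ips = ["198.51.100.7", "203.0.113.9", "192.0.2.44", "198.51.100.20", "192.0.2.44"]
    for i, ip in enumerate(ips):
        ts = base + timedelta(hours=14, minutes=4 * i)
        lines.append(f"{ts.isoformat()} sasl_username=carol client_ip={ip}")
    # dave: 120 messages in 30 minutes from one address
    for i in range(120):
        ts = base + timedelta(hours=16, seconds=15 * i)
        lines.append(f"{ts.isoformat()} sasl_username=dave client_ip=198.51.100.7")
    lines.append("garbage line that the parser must skip")
    return lines


if __name__ == "__main__":
    for user, reasons in sorted(analyze(sample_log()).items()):
        print(f"{user}: {', '.join(reasons)}")
```

Run against a real submission log you would replace `sample_log()` with the lines from the last 24 hours and schedule the script hourly, which is the cadence Scott describes; the daily-total check is what catches the account that deliberately stays at half the hourly limit.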