Re: Filtering outbound mail

2017-02-17 Thread @lbutlr
On 2017-02-17 (14:51 MST), David Jones  wrote:
> 
>> From: @lbutlr 
>> Sent: Friday, February 17, 2017 3:41 PM
>> To: users@spamassassin.apache.org
>> Subject: Re: Filtering outbound mail
> 
>> On 2017-02-16 (07:21 MST), David Jones  wrote:
>>> 
>>>> From: Christian Grunfeld 
>>>> Sent: Thursday, February 16, 2017 7:50 AM
>>>> To: Spamassassin List
>>>> Subject: Re: Filtering outbound mail
>>>> 
>>>> Are you using postfix as MTA? I use cluebringer suite which
>>>> has a lot of functionality (spf checks, helo checks, greylist
>>>> and quotas)
>>> 
>>> I am using Postfix and cluebringer does look pretty slick
>>> so I will check into that.
>>> 
>>>> Quotas are fully configurable by tracking inbound and
>>>> outbound traffic by ip, sasl user, etc
>>> 
>>> These outbound senders are my own internal customers
>>> smarthosting through my mail relays so I can't do things
>>> like rate limiting, greylisting, SPF checks, HELO checks,
>>> etc. on them like I do for Internet inbound mail.
> 
>> Oh yes you can, and yes you should. At the very least a
>> sane rate-limit will catch instances where customers get
>> compromised.
> 
> Not all compromised accounts these days blast out at a
> high rate like we used to see years ago.  I have had a few
> sneaky ones recently trickle spam through to stay below
> the radar so rate-limiting is not the answer with outbound
> mail

I never said it was THE answer, but it most certainly is AN answer.


-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: Filtering outbound mail

2017-02-17 Thread Alex
Hi,

>> I am using Postfix and cluebringer does look pretty slick
>> so I will check into that.

Is that policyD?

http://wiki.policyd.org/start

It looks helpful, but hasn't had any development in at least two years.

Thanks,
Alex


Re: Filtering outbound mail

2017-02-17 Thread Antony Stone
On Friday 17 Feb 2017 at 21:51, David Jones wrote:

> Not all compromised accounts these days blast out at a high rate like we
> used to see years ago.

True, but also, some still do.

> I have had a few sneaky ones recently trickle spam through to stay below
> the radar so rate-limiting is not the answer with outbound mail

It may not be *the* answer, but it's a good (and simple) addition as _part_ of 
the answer.

> I was able to build a SQL query to catch the slow sending compromised
> accounts.  So far it looks reliable with a sane threshold.  Just waiting for
> another compromised account to see it trigger a block.

Keep us updated.

For some folks, though, a simple solution which helps with the worst offenders 
(as far as spam volume, and network bandwidth, are concerned) is worth more 
than the effort of creating a more complicated filter.


Antony.

-- 
Salad is what food eats.

   Please reply to the list;
 please *don't* CC me.


Re: Filtering outbound mail

2017-02-17 Thread David Jones
>From: @lbutlr 
>Sent: Friday, February 17, 2017 3:41 PM
>To: users@spamassassin.apache.org
>Subject: Re: Filtering outbound mail
    
>On 2017-02-16 (07:21 MST), David Jones  wrote:
>> 
>>> From: Christian Grunfeld 
>>> Sent: Thursday, February 16, 2017 7:50 AM
>>> To: Spamassassin List
>>> Subject: Re: Filtering outbound mail
>>> 
>>> Are you using postfix as MTA? I use cluebringer suite which
>>> has a lot of functionality (spf checks, helo checks, greylist
>>> and quotas)
>> 
>> I am using Postfix and cluebringer does look pretty slick
>> so I will check into that.
>> 
>>> Quotas are fully configurable by tracking inbound and
>>> outbound traffic by ip, sasl user, etc
>> 
>> These outbound senders are my own internal customers
>> smarthosting through my mail relays so I can't do things
>> like rate limiting, greylisting, SPF checks, HELO checks,
>> etc. on them like I do for Internet inbound mail.

>Oh yes you can, and yes you should. At the very least a
>sane rate-limit will catch instances where customers get
>compromised.

Not all compromised accounts these days blast out at a
high rate like we used to see years ago.  I have had a few
sneaky ones recently trickle spam through to stay below
the radar so rate-limiting is not the answer with outbound
mail

I was able to build a SQL query to catch the slow sending
compromised accounts.  So far it looks reliable with a
sane threshold.  Just waiting for another compromised
account to see it trigger a block.

Dave
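
Added example, not part of the original post and not David's query (the thread does not show it): one way to flag both fast and slow-sending accounts from a per-message send log, with a short-window rate check beside a 24-hour distinct-recipient check. The `sent` table layout, the sample rows and both thresholds are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data: (unix_ts, sasl_user, recipient) per relayed message.
def sample_rows():
    burst = [(1000 + i, "burst@example.com", f"r{i}@example.net") for i in range(300)]
    # One message every 6 minutes for a day: never more than 10 per hour.
    trickle = [(i * 360, "trickle@example.com", f"t{i}@example.org") for i in range(240)]
    normal = [(i * 2000, "normal@example.com", f"c{i % 5}@example.com") for i in range(40)]
    return burst + trickle + normal

# Hypothetical schema: sent(ts, sasl_user, rcpt). The hourly peak models a
# plain rate limit; the distinct-recipient count over 24h catches the trickle.
QUERY = """
WITH recent AS (
    SELECT * FROM sent WHERE ts >= :now - 86400 AND ts < :now
),
peak AS (
    SELECT sasl_user, MAX(n) AS peak_hour FROM (
        SELECT sasl_user, COUNT(*) AS n FROM recent
        GROUP BY sasl_user, ts / 3600
    ) GROUP BY sasl_user
),
daily AS (
    SELECT sasl_user, COUNT(DISTINCT rcpt) AS rcpts
    FROM recent GROUP BY sasl_user
)
SELECT d.sasl_user,
       CASE WHEN p.peak_hour > :hourly_limit THEN 'burst'
            WHEN d.rcpts > :daily_rcpt_limit THEN 'trickle'
            ELSE 'ok' END
FROM daily d JOIN peak p ON p.sasl_user = d.sasl_user
"""

def classify(rows, now=86400, hourly_limit=100, daily_rcpt_limit=150):
    """Return {sasl_user: 'burst' | 'trickle' | 'ok'} for the last 24 hours."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sent (ts INTEGER, sasl_user TEXT, rcpt TEXT)")
    db.executemany("INSERT INTO sent VALUES (?, ?, ?)", rows)
    params = {"now": now, "hourly_limit": hourly_limit,
              "daily_rcpt_limit": daily_rcpt_limit}
    return dict(db.execute(QUERY, params).fetchall())

if __name__ == "__main__":
    for user, verdict in sorted(classify(sample_rows()).items()):
        print(user, verdict)
```

With the daily check disabled, the trickle account passes the hourly limit alone, which is the gap described above.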

Re: Filtering outbound mail

2017-02-17 Thread @lbutlr
On 2017-02-16 (07:21 MST), David Jones  wrote:
> 
>> From: Christian Grunfeld 
>> Sent: Thursday, February 16, 2017 7:50 AM
>> To: Spamassassin List
>> Subject: Re: Filtering outbound mail
> 
>> Are you using postfix as MTA? I use cluebringer suite which
>> has a lot of functionality (spf checks, helo checks, greylist
>> and quotas)
> 
> I am using Postfix and cluebringer does look pretty slick
> so I will check into that.
> 
>> Quotas are fully configurable by tracking inbound and
>> outbound traffic by ip, sasl user, etc
> 
> These outbound senders are my own internal customers
> smarthosting through my mail relays so I can't do things
> like rate limiting, greylisting, SPF checks, HELO checks,
> etc. on them like I do for Internet inbound mail.

Oh yes you can, and yes you should. At the very least a sane rate-limit will 
catch instances where customers get compromised.


-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.