This is definitely a common problem with no simple solution. As it stands right now, spamdyke could help solve this but not alone... probably the simplest solution would be to create a wrapper for the authentication command used by spamdyke and qmail. If that command were to keep a log of successful authentications, it could enforce a rate limit of X messages per Y minutes and deny authentication attempts after the rate is exceeded. There's no reason it shouldn't be able to send you an alert at the same time.
spamdyke and qmail both look for the return codes on the external authentication scripts. Your wrapper would just need to run the real authentication command, check its return code to see if it succeeded, then check the rate limit. If the rate limit is exceeded, return a failure code. Otherwise, return the real return code. spamdyke would handle the rest by rejecting the remaining messages.

It would be cool to add this kind of feature to spamdyke in the future but there are some other changes that would need to take place first (most importantly spamdyke would need to run as a daemon), so it's probably quite a ways off.

-- Sam Clippinger

On Nov 15, 2013, at 11:28 AM, Denny Jones wrote:

> Hello all,
>
> I have this intermittent issue...
>
> I host many clients and every once in a while one of my users will get a
> virus and start spewing out spam emails. I came in this morning and found one
> had sent over 3000 in just an hour. I have scripts in place that alert me
> about this so I'm able to catch it but I want to catch it sooner - perhaps
> auto-stop it.
>
> NOTE: These are authenticated users whose email programs have been hijacked
> and are sending with valid logins.
>
> My setup is QmailToaster Plus, SpamDyke, SpamAssassin, Fail2Ban, ClamV - all
> with the latest versions.
>
> I am curious about how other admins handle this situation? Surely I'm not the
> only one being bitten by this.
>
> FYI - I ran this on the Qmail list and it was suggested that I might run this
> by the SpamDyke list as well.
>
> Thanks in advance,
> Denny
> _______________________________________________
> spamdyke-users mailing list
> [email protected]
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
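A sketch of the wrapper described in the reply above, added here as an example; it is not code from the thread or from spamdyke. It assumes the real authentication command follows the checkpassword convention (credentials as user\0password\0timestamp\0 on descriptor 3, exit code 0 on success, 1 for a rejected login, 111 for a temporary error). The limit, window, state file path and script name are made up, and because the wrapper only sees logins it counts successful authentications rather than messages.

```python
#!/usr/bin/env python3
# Added example: rate-limiting wrapper for a checkpassword-style auth command.
# Usage (assumed): authrate.py /path/to/real-auth-command [its args...]
import fcntl, json, os, sys, syslog, time

LIMIT, WINDOW = 100, 600            # assumed policy: 100 successful auths per 10 minutes
STATE = "/var/run/authrate.json"    # hypothetical state file, writable by the SMTP user

def allow(state_path, user, now, limit=LIMIT, window=WINDOW):
    """Record one successful auth; return False once the user is over the limit."""
    fd = os.open(state_path, os.O_RDWR | os.O_CREAT, 0o600)
    with os.fdopen(fd, "r+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)          # SMTP sessions run concurrently
        raw = fh.read()
        state = json.loads(raw) if raw else {}
        recent = [t for t in state.get(user, []) if t > now - window] + [now]
        state[user] = recent = recent[-(limit + 1):]   # bound the stored history
        fh.seek(0)
        fh.truncate()
        json.dump(state, fh)
    return len(recent) <= limit

def run_real(argv, creds):
    """Run the real auth command with creds on descriptor 3; return its exit code."""
    r, w = os.pipe()
    os.write(w, creds)                          # at most 512 bytes, fits the pipe buffer
    os.close(w)
    pid = os.fork()
    if pid == 0:
        try:
            os.dup2(r, 3)
            os.set_inheritable(3, True)         # needed when the pipe already is fd 3
            os.execvp(argv[0], argv)
        finally:
            os._exit(111)                       # exec failed: temporary error
    os.close(r)
    return os.waitstatus_to_exitcode(os.waitpid(pid, 0)[1])

def main():
    with os.fdopen(3, "rb") as fh:              # input: user\0password\0timestamp\0
        creds = fh.read(512)
    user = creds.split(b"\0", 1)[0].decode("utf-8", "replace").lower()
    code = run_real(sys.argv[1:], creds)
    if code == 0 and not allow(STATE, user, time.time()):
        syslog.syslog(syslog.LOG_WARNING, f"authrate: {user} over {LIMIT} auths/{WINDOW}s")
        return 1                                # reported as a failed authentication
    return code

if __name__ == "__main__":
    sys.exit(main())
```

Attempts made while a user is over the limit are still recorded, so a compromised account stays blocked until its login rate drops back under the limit. The syslog warning is the hook for the alert.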
