Hey Sam. As I see it, this problem is on the outbound side of things, so I wouldn't look for spamdyke to be able to do much of anything that's very effective.

As I mentioned on the QMT list, the best solution I've seen to this problem is what gmane.org does, namely throttles the outbound messages per account. I'm hoping to patch qmail-remote some day to provide a similar throttle. qmail-remote would wait N seconds between sends for any particular user/domain/host. While spam would back up in the QMT queue, I think this would be a good solution. The administrator could then take appropriate measures. I've made some notes on how this might work. gmane.org is open source too, so I intend to have a look at their code to see how they're doing it. Any ideas re how you might implement this easily?

TIA.

--
-Eric 'shubes'

On 11/18/2013 03:25 PM, Sam Clippinger wrote:
> This is definitely a common problem with no simple solution. As it
> stands right now, spamdyke could help solve this but not alone...
> probably the simplest solution would be to create a wrapper for the
> authentication command used by spamdyke and qmail. If that command were
> to keep a log of successful authentications, it could enforce a rate
> limit of X messages per Y minutes and deny authentication attempts after
> the rate is exceeded. There's no reason it shouldn't be able to send
> you an alert at the same time.
>
> spamdyke and qmail both look for the return codes on the external
> authentication scripts. Your wrapper would just need to run the real
> authentication command, check its return code to see if it succeeded,
> then check the rate limit. If the rate limit is exceeded, return a
> failure code. Otherwise, return the real return code. spamdyke would
> handle the rest by rejecting the remaining messages.
>
> It would be cool to add this kind of feature to spamdyke in the future
> but there are some other changes that would need to take place first
> (most importantly spamdyke would need to run as a daemon), so it's
> probably quite a ways off.
>
> -- Sam Clippinger
>
> On Nov 15, 2013, at 11:28 AM, Denny Jones wrote:
>
>> Hello all,
>>
>> I have this intermittent issue...
>>
>> I host many clients and every once in a while one of my users will get
>> a virus and start spewing out spam emails. I came in this morning and
>> found one had sent over 3000 in just an hour. I have scripts in place
>> that alert me about this so I'm able to catch it but I want to catch
>> it sooner - perhaps auto-stop it.
>>
>> NOTE: These are authenticated users whose email programs have been
>> hijacked and are sending with valid logins.
>>
>> My setup is QmailToaster Plus, SpamDyke, SpamAssassin, Fail2Ban,
>> ClamV - all with the latest versions.
>>
>> I am curious about how other admins handle this situation? Surely I'm
>> not the only one being bitten by this.
>>
>> FYI - I ran this on the Qmail list and it was suggested that I might
>> run this by the SpamDyke list as well.
>>
>> Thanks in advance,
>> Denny

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
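
The authentication wrapper described in the quoted reply above, sketched as an added example that is not part of the original thread and is not spamdyke or qmail code. It assumes the real command follows the checkpassword convention (credentials on file descriptor 3, exit code 0 on success); the limit, window, database path and deny code are placeholder choices, and it counts successful authentications rather than individual messages.

```python
#!/usr/bin/env python3
# Added example: rate-limiting wrapper for a checkpassword-style auth command.
# Invoked as: wrapper.py <real-auth-command> [args...]
import os
import sqlite3
import subprocess
import sys
import syslog
import time

MAX_AUTHS = 30                      # "X": assumed value, tune per site
WINDOW_SECS = 10 * 60               # "Y minutes": assumed value
DB_PATH = "/var/tmp/auth-rate.db"   # hypothetical path for the auth log
DENY = 1                            # assumed failure code (checkpassword: rejected)


def over_limit(db, user, now, max_auths=MAX_AUTHS, window=WINDOW_SECS):
    """Log one successful auth; True if user now exceeds max_auths in window."""
    db.execute("CREATE TABLE IF NOT EXISTS auths (user TEXT, ts REAL)")
    db.execute("DELETE FROM auths WHERE ts <= ?", (now - window,))
    db.execute("INSERT INTO auths VALUES (?, ?)", (user, now))
    db.commit()
    row = db.execute("SELECT COUNT(*) FROM auths WHERE user = ?", (user,))
    return row.fetchone()[0] > max_auths


def run_real_auth(argv, creds):
    """Replay the credentials to the real command on fd 3; return its exit code."""
    r, w = os.pipe()
    os.write(w, creds)
    os.close(w)
    os.dup2(r, 3)                   # child expects the credentials on fd 3
    os.set_inheritable(3, True)
    return subprocess.run(argv, pass_fds=(3,)).returncode


def main(argv):
    creds = os.read(3, 512)         # "user\0password\0timestamp\0"
    user = creds.split(b"\0", 1)[0].decode("utf-8", "replace").lower()
    code = run_real_auth(argv[1:], creds)
    if code != 0:
        return code                 # failed logins pass through unchanged
    if over_limit(sqlite3.connect(DB_PATH), user, time.time()):
        syslog.syslog(syslog.LOG_WARNING, f"auth rate limit exceeded: {user}")
        return DENY
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because attempts made while over the limit are still logged, an account that keeps retrying stays blocked until it has been quiet long enough for its entries to age out of the window.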
