On 04/16/2013 04:45 AM, CSS wrote:
I'm curious what other people are doing to deal with this…

We have policyd running on our smtp relay hosts that customers use.  We get an 
alert when any username sends more than X messages in an hour and deal with it 
on a case by case basis.  For some time, this has worked well.  We've had a few 
cases where the end user's pc is part of a botnet and sending directly, but 
most of the time it's foreign IPs that have either brute-forced or stolen the 
user's credentials (presumably by phishing).

In the past month or so though, I've been seeing more and more instances where 
I get no alerts, and then a few feedback loop reports.  If I look at the 
policyd stats, I'll see some user sitting just below the alert threshold has 
been sending crap out for hours.  I'm not seeing any obvious solution here…  
Any suggestions?

Daily and monthly limits may be an option too. A normal home user for instance shouldn't be sending out 10,000 mails a day.

You could also watch delivery to freemail providers and the from address being used. Obviously outbound mail scanning too. A couple of scripts should be able to do it.

-N
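As an added illustration of the two suggestions above (a daily limit alongside the hourly one, and watching how much of a user's outbound mail goes to freemail providers), here is a small Python script that is not part of this thread and not policyd's own code. It reads a constructed, synthetic log whose line format is assumed for the example (policyd's real stats output looks different), and it uses assumed threshold values that would need tuning to real traffic. The point it shows is the gap CSS describes: a user sending just under the hourly alert for hours on end is caught by the daily counter and by the freemail-recipient ratio even though the hourly check never fires.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Thresholds: assumed values for this example, not recommendations.
HOURLY_LIMIT = 100       # the existing per-hour alert from the thread
DAILY_LIMIT = 200        # the added per-day limit
FREEMAIL_RATIO = 0.8     # flag when this share of recipients are at freemail providers...
FREEMAIL_MIN = 20        # ...but only once the user has sent at least this many messages
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com"}  # assumed list


def parse_line(line):
    """Parse one log line into (timestamp, sasl user, recipient).

    Assumed line format (hypothetical, not policyd's real format):
        2013-04-16T03:12:04 sasl_username=alice to=bob@gmail.com
    """
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
    return ts, fields["sasl_username"], fields["to"]


def analyse(lines):
    """Return sorted (user, kind, detail) findings for hourly, daily and freemail checks."""
    hourly = Counter()              # (user, "YYYY-MM-DDTHH") -> messages in that hour
    daily = Counter()               # (user, "YYYY-MM-DD")    -> messages on that day
    recips = defaultdict(Counter)   # user -> {"freemail": n, "other": m}

    for line in lines:
        ts, user, rcpt = parse_line(line)
        hourly[(user, ts.strftime("%Y-%m-%dT%H"))] += 1
        daily[(user, ts.strftime("%Y-%m-%d"))] += 1
        domain = rcpt.rsplit("@", 1)[-1].lower()
        recips[user]["freemail" if domain in FREEMAIL_DOMAINS else "other"] += 1

    findings = []
    for (user, hour), n in hourly.items():
        if n > HOURLY_LIMIT:
            findings.append((user, "hourly", f"{n} messages in hour {hour}"))
    for (user, day), n in daily.items():
        if n > DAILY_LIMIT:
            findings.append((user, "daily", f"{n} messages on {day}"))
    for user, c in recips.items():
        total = c["freemail"] + c["other"]
        if total >= FREEMAIL_MIN and c["freemail"] / total >= FREEMAIL_RATIO:
            findings.append((user, "freemail",
                             f"{c['freemail']}/{total} recipients at freemail providers"))
    return sorted(findings)


def build_sample_log():
    """Construct a synthetic log (made up for this example, not real traffic)."""
    lines = []
    # alice: 90 messages per hour for three hours, all to freemail addresses.
    # Each hour stays under HOURLY_LIMIT, so the hourly alert never fires.
    for hour in (3, 4, 5):
        for i in range(90):
            lines.append(f"2013-04-16T{hour:02d}:{i // 60:02d}:{i % 60:02d} "
                         f"sasl_username=alice to=rcpt{i}@gmail.com")
    # bob: an ordinary user sending a handful of mail to a company domain.
    for i in range(5):
        lines.append(f"2013-04-16T09:0{i}:00 sasl_username=bob to=colleague{i}@example.org")
    # carol: 120 messages inside one hour, which trips the existing hourly alert.
    for i in range(120):
        lines.append(f"2013-04-16T14:{i // 60:02d}:{i % 60:02d} "
                     f"sasl_username=carol to=user{i}@example.net")
    return lines


if __name__ == "__main__":
    for user, kind, detail in analyse(build_sample_log()):
        print(f"{user}: {kind}: {detail}")
```

Running it prints alice under both the daily and the freemail check but never under the hourly one, and carol only under the hourly one; bob produces nothing. On a real relay the same counters would be fed from the MTA's delivery log instead of the constructed list, and a monthly counter can be added the same way as the daily one.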


_______________________________________________
Users mailing list
[email protected]
http://lists.policyd.org/mailman/listinfo/users_lists.policyd.org
