We have multiple SMTP servers and multiple policyd servers (all VMs). We had a compromised user sending a high volume of spam this morning from a bunch of different IPs (standard spammer behavior). The user falls under our default policy of 50 messages per 30 minutes, but they were able to send thousands of messages this morning without hitting the limit.
The problem appears to be that cbpolicyd didn't properly track the quota. I see messages in the log that show the quota being incremented and then jumping back to 1 rapidly (all in a second or two). Here's a sample chunk of (redacted) log:

Mar 31 00:01:08 policyd4 cbpolicyd[21864]: module=Quotas, mode=update, host=spammerIP, helo=uielmhvvughb, from=baduser@domain, to=spamtarget, reason=quota_update, policy=4, quota=3, limit=4, track=SASLUsername:baduser@domain, counter=MessageCount, quota=5/50 (10.0%)
Mar 31 00:01:08 policyd1 cbpolicyd[23286]: module=Quotas, mode=update, host=spammerIP, helo=jrgcletda, from=baduser@domain, to=spamtarget, reason=quota_update, policy=4, quota=3, limit=4, track=SASLUsername:baduser@domain, counter=MessageCount, quota=6/50 (12.0%)
Mar 31 00:01:08 policyd3 cbpolicyd[28560]: module=Quotas, mode=update, host=spammerIP, helo=wfilvd, from=baduser@domain, to=spamtarget, reason=quota_update, policy=4, quota=3, limit=4, track=SASLUsername:baduser@domain, counter=MessageCount, quota=7/50 (14.0%)
Mar 31 00:01:08 policyd4 cbpolicyd[18386]: module=Quotas, mode=update, host=spammerIP, helo=xxyjwzog, from=baduser@domain, to=spamtarget, reason=quota_update, policy=4, quota=3, limit=4, track=SASLUsername:baduser@domain, counter=MessageCount, quota=8/50 (16.0%)
Mar 31 00:01:08 policyd2 cbpolicyd[322]: module=Quotas, mode=update, host=spammerIP, helo=ayrpmo, from=baduser@domain, to=spamtarget, reason=quota_update, policy=4, quota=3, limit=4, track=SASLUsername:baduser@domain, counter=MessageCount, quota=9/50 (18.0%)
Mar 31 00:01:08 policyd4 cbpolicyd[21864]: module=Quotas, mode=update, host=spammerIP, helo=cfjlftk, from=baduser@domain, to=spamtarget, reason=quota_update, policy=4, quota=3, limit=4, track=SASLUsername:baduser@domain, counter=MessageCount, quota=1/50 (2.0%)

Now, a potential problem is that I found the cbpolicyd on these servers (set up by somebody else) is old: 2.0.10.
However, looking through the change logs and code changes since, I don't see anything that looks like it might address a problem like this. I'm going to work on getting it upgraded to 2.0.14, but I decided to go ahead and ask the question since it looks like it could be a new problem.

--
Chris Adams <[email protected]>

_______________________________________________
Users mailing list
[email protected]
http://lists.policyd.org/mailman/listinfo/users_lists.policyd.org
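The counter going backwards in that log sample is something a log check can flag mechanically. The following is an added example, not code from the post or from cbpolicyd: it parses quota_update lines in the format shown above (the sample log is constructed from the redacted lines in the post), reports every point where a tracked identity's counter decreases rather than rises, and counts how many messages were actually accepted per identity so that figure can be compared with the policy limit.

```python
import re

# Constructed sample: the six quota_update lines from the post (redacted as there).
SAMPLE_LOG = """\
Mar 31 00:01:08 policyd4 cbpolicyd[21864]: module=Quotas, mode=update, host=spammerIP, helo=uielmhvvughb, from=baduser@domain, to=spamtarget, reason=quota_update, policy=4, quota=3, limit=4, track=SASLUsername:baduser@domain, counter=MessageCount, quota=5/50 (10.0%)
Mar 31 00:01:08 policyd1 cbpolicyd[23286]: module=Quotas, mode=update, host=spammerIP, helo=jrgcletda, from=baduser@domain, to=spamtarget, reason=quota_update, policy=4, quota=3, limit=4, track=SASLUsername:baduser@domain, counter=MessageCount, quota=6/50 (12.0%)
Mar 31 00:01:08 policyd3 cbpolicyd[28560]: module=Quotas, mode=update, host=spammerIP, helo=wfilvd, from=baduser@domain, to=spamtarget, reason=quota_update, policy=4, quota=3, limit=4, track=SASLUsername:baduser@domain, counter=MessageCount, quota=7/50 (14.0%)
Mar 31 00:01:08 policyd4 cbpolicyd[18386]: module=Quotas, mode=update, host=spammerIP, helo=xxyjwzog, from=baduser@domain, to=spamtarget, reason=quota_update, policy=4, quota=3, limit=4, track=SASLUsername:baduser@domain, counter=MessageCount, quota=8/50 (16.0%)
Mar 31 00:01:08 policyd2 cbpolicyd[322]: module=Quotas, mode=update, host=spammerIP, helo=ayrpmo, from=baduser@domain, to=spamtarget, reason=quota_update, policy=4, quota=3, limit=4, track=SASLUsername:baduser@domain, counter=MessageCount, quota=9/50 (18.0%)
Mar 31 00:01:08 policyd4 cbpolicyd[21864]: module=Quotas, mode=update, host=spammerIP, helo=cfjlftk, from=baduser@domain, to=spamtarget, reason=quota_update, policy=4, quota=3, limit=4, track=SASLUsername:baduser@domain, counter=MessageCount, quota=1/50 (2.0%)
"""

# "quota=3, limit=4" are the policy's quota/limit row ids; the trailing
# "quota=N/LIMIT" is the live counter measured against the limit.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) cbpolicyd\[\d+\]: "
    r"module=Quotas, mode=update, .*?reason=quota_update, .*?"
    r"track=(?P<track>[^,]+), counter=(?P<counter>[^,]+), "
    r"quota=(?P<used>\d+)/(?P<limit>\d+)"
)

def parse_quota_updates(log_text):
    """Yield a dict per quota_update line; lines in other formats are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["used"], rec["limit"] = int(rec["used"]), int(rec["limit"])
            yield rec

def find_counter_resets(log_text):
    """Return (track, counter, host, prev_used, new_used, ts) wherever an identity's
    counter went backwards. A healthy counter only rises until the period expires,
    so 9/50 -> 1/50 within a second means the shared tracking state was lost."""
    last, resets = {}, []
    for rec in parse_quota_updates(log_text):
        key = (rec["track"], rec["counter"])
        prev = last.get(key)
        if prev is not None and rec["used"] < prev["used"]:
            resets.append((rec["track"], rec["counter"], rec["host"],
                           prev["used"], rec["used"], rec["ts"]))
        last[key] = rec
    return resets

def accepted_per_track(log_text):
    """Messages actually accepted per identity, to compare with the policy limit."""
    counts = {}
    for rec in parse_quota_updates(log_text):
        counts[rec["track"]] = counts.get(rec["track"], 0) + 1
    return counts
```

Run over a full day's logs from all policyd hosts merged in time order, the reset list shows which host and second the tracking state was dropped, and the per-identity count shows how far past the 50-message limit a sender actually got.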
