Hi Anthony,

On 16/01/15 06:23, P.V.Anthony wrote:
> Current problem.
> Some users' accounts have been compromised (I assume) and are sending spam.
> The quota feature has been very helpful in limiting the outgoing emails
> to 50 emails an hour. Checked the mail queue and noticed many emails
> have the "From" not from the user's domain.
>
> Is there a way to prevent sending out emails which are not the same as
> the login username? Currently all login usernames are the full email
> address.

I had the same problem. What I do is simply limit the number of mails sent per authenticated user. Basically I have the same setup as Simon described some time ago (see attached mail from the list).

In addition I have a cron-job that checks if a user is close to the maximum quota and sends me a mail if so. I can then take the appropriate actions, i.e., block the user if it's obviously spam.

I can provide you the script/query if needed - nothing fancy.

best,
markus

--
Markus Quaritsch
E: [email protected]
W: www.qwws.net
P: +43 650 7997638
--- Begin Message ---
Tobia Conforto wrote:

> I would like to throttle mail based by SASL username, but only if the message was SASL authenticated in the first place.
>
> My purpose for doing so is to have a quota in place in case some of my users' accounts get compromised, so that the attackers cannot relay huge amounts of spam before I have a chance to disable the compromised accounts.

OK, what you need is a policy with members "$*" which matches all SASL authenticated messages. Then apply a quota to limit message rate to this policy. You also need to make sure that any other policies don't match - by adding "!$*" to the member list.

I've gone one step further and allowed for certain users to be allowed to send more mail - by creating a second policy.

So I have:

Inbound mail, members !$*,!%internal_ips
SASL users, members $*,!%hi-vol-sasl,!%My_Network
High volume users, members %hi-vol-sasl
My servers, members %My_Network,$*,!%hi-vol-sasl
Local mail, members %internal_ips

Groups are:

My_Network (list of my subnets)
internal_ips 127.0.0.1
hi-vol-sasl - list of users given as [email protected]

Between these, that gives me mutually exclusive policies which (unless I've got something wrong) will mean that each mail matches exactly one of the policies. My own servers have one limit, users from outside have another, a select few of those get a higher limit, and inbound gets another limit (tracking on "Recipient:user@domain").

And yes, I know what you mean about stopping (or at least limiting) outbound spam. We've had a few instances where a customer has been compromised - on the old server I've had to stop all mail, disable the individual user, put all mail in the queue on hold, and then write a script to go through the mail queue and either delete the mail (if it's spam) or release it. Can't remember numbers, but had message counts well into 6 digits from some of the events - takes all day for the script to grind through them :(

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
_______________________________________________
Users mailing list
[email protected]
http://lists.policyd.org/mailman/listinfo/users_lists.policyd.org
--- End Message ---
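
Added example (not part of the original thread, and not policyd's own code): a small Python model of the member lists from the attached message that checks, for a few constructed client IPs and logins, whether each message matches exactly one policy. The matching rules (all comma-separated items must match, `!` negates, `%` names a group, `$` a SASL login), the 192.0.2.0/24 subnet and the `$user@domain` form of the group entry are assumptions made for the illustration.

```python
import ipaddress
from itertools import product

# Groups named in the post; the subnet and the user are constructed samples.
GROUPS = {
    "internal_ips": ["127.0.0.1"],
    "My_Network": ["192.0.2.0/24"],        # constructed subnet
    "hi-vol-sasl": ["$bulk@example.org"],  # constructed user, assumed "$login" form
}
# Member lists as given in the post.
POLICIES = {
    "Inbound mail": "!$*,!%internal_ips",
    "SASL users": "$*,!%hi-vol-sasl,!%My_Network",
    "High volume users": "%hi-vol-sasl",
    "My servers": "%My_Network,$*,!%hi-vol-sasl",
    "Local mail": "%internal_ips",
}

def item_matches(item, ip, sasl):
    """Match one member item against a message (client IP, SASL login or None)."""
    if item.startswith("!"):               # negation
        return not item_matches(item[1:], ip, sasl)
    if item.startswith("%"):               # group: any entry may match
        return any(item_matches(m, ip, sasl) for m in GROUPS[item[1:]])
    if item.startswith("$"):               # SASL login, "$*" = any login
        return sasl is not None and item[1:] in ("*", sasl)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(item)

def matching_policies(ip, sasl):
    """Names of the policies whose items ALL match (assumed AND semantics)."""
    return [name for name, spec in POLICIES.items()
            if all(item_matches(i, ip, sasl) for i in spec.split(","))]

def audit():
    """Return every sample (ip, login) that does not match exactly one policy."""
    ips = ["127.0.0.1", "192.0.2.10", "203.0.113.5"]
    users = [None, "alice@example.org", "bulk@example.org"]
    return {(ip, u): hits for ip, u in product(ips, users)
            if len(hits := matching_policies(ip, u)) != 1}

if __name__ == "__main__":
    for (ip, user), hits in audit().items():
        print(f"{ip:<12} sasl={user!s:<18} -> {hits or 'NO POLICY'}")
```

Under these assumptions the audit reports SASL-authenticated mail arriving from 127.0.0.1 as matching two policies; every other sample combination matches exactly one.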
