I am trying to implement an anti-phishing strategy and was hoping some of you 
could point me in the right direction. I want to keep track of how many 
recipients a user sends mail to on a 24-hour basis. When a given threshold is 
met, that user's email would then go into quarantine until an admin releases 
it. Thing is, I'm not sure where to begin...

Breaking this down into bite-size chunks I see the following ahead of me:

1. Track the number of recipients that are sent mail on a 24-hour per-user 
basis.
2. If the number of outgoing email transmissions for a user crosses the preset 
threshold, add a header to the email. 
3. If the header is seen, quarantine the message.
4. Notify an admin.
5. Allow an admin to delete or release the quarantined emails.

I'm starting into number 1 for now but am at a loss at the moment. My thought 
would be to update a MySQL table with the recipient count found in each 
message. How to do this escapes me.

I am aware that SpamAssassin can't perform all of these tasks. My understanding 
is that amavisd will handle the ones SA can't. If anyone could help with any 
part of this, I would greatly appreciate it.

Regards,

Ryan

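A sketch of steps 1 and 2 above, added here as an example and not part of the original post: a 24-hour sliding-window recipient counter per sender that returns a flag header once the threshold is crossed. It uses SQLite in place of the MySQL table so it runs stand-alone; the table name, header name and threshold are hypothetical, and it assumes the caller passes the authenticated login rather than the From: header.

```python
import sqlite3

WINDOW_SECONDS = 24 * 60 * 60
THRESHOLD = 500                         # assumed per-site limit
FLAG_HEADER = "X-Rcpt-Limit-Exceeded"   # hypothetical header name

def open_db(path=":memory:"):
    """Create the (hypothetical) rcpt_log table: one row per accepted message."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS rcpt_log ("
        " sender TEXT NOT NULL,"
        " sent_at INTEGER NOT NULL,"     # Unix timestamp
        " rcpt_count INTEGER NOT NULL)"
    )
    conn.execute(
        "CREATE INDEX IF NOT EXISTS idx_sender_time ON rcpt_log (sender, sent_at)"
    )
    return conn

def recipients_in_window(conn, sender, now):
    """Sum of recipients this sender mailed in the last 24 hours."""
    row = conn.execute(
        "SELECT COALESCE(SUM(rcpt_count), 0) FROM rcpt_log"
        " WHERE sender = ? AND sent_at > ?",
        (sender.lower(), now - WINDOW_SECONDS),
    ).fetchone()
    return row[0]

def check_message(conn, sender, recipients, now, threshold=THRESHOLD):
    """Record one message; return (flag_header_or_None, 24h_total).

    `sender` is assumed to be the authenticated login, since the From:
    header is attacker-controlled on a compromised account.
    """
    # Count each envelope recipient once per message, case-insensitively.
    unique = {r.strip().lower() for r in recipients if r.strip()}
    with conn:  # one transaction: prune expired rows, then log this message
        conn.execute(
            "DELETE FROM rcpt_log WHERE sent_at <= ?", (now - WINDOW_SECONDS,)
        )
        conn.execute(
            "INSERT INTO rcpt_log VALUES (?, ?, ?)",
            (sender.lower(), now, len(unique)),
        )
    total = recipients_in_window(conn, sender, now)
    if total > threshold:
        # The header value carries only numbers, never message content.
        return f"{FLAG_HEADER}: {total} recipients in 24h (limit {threshold})", total
    return None, total
```

The returned header is what step 3 would match on to quarantine the message.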