My mail filters also do a lot of outbound relaying from hundreds
of customer mail servers. Compromised accounts happen and I
have some methods for detecting most of them and block the
sender at the MTA within a few minutes to prevent my server
IPs from becoming listed on RBLs.
Customer mail servers are currently trusted by IPs on our own
network ranges and have a slight bias toward trust by being in
the trusted_networks. This allows for the proper RBL checks
of the sender IP as long as the customer mail server adds the
proper X-Originating-IP or Received: header of the client.
The goal is to be able to block most outbound spam with the
usual rules, network tests, and Bayesian scores. However,
these compromised accounts often contain zero-hour email
that score low.
A common factor for most of these emails is sending with a
high number of recipients, often to FREEMAIL recipients.
Would it make sense for me to set up/manage my own custom
rules for checking the To: header or could the FreeMail plugin
be extended to add new rules like FREEMAIL_TO?
I understand that the To: header is not the same as the
RCPT TO and the MTA will split emails based on destination.
In this situation, the sending MTA is smarthosted to my
relays and these are compromised accounts on legit MTAs
where headers can be considered reliable. I do see patterns
with sorted recipients and multiple FREEMAIL recipients
that I would like to score on. Then I have a database with
this information that I run SQL queries against to determine
frequency of certain rule hits to find compromised accounts
and block them quickly.
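As an added illustration of the recipient-pattern checks the post asks about (not code from the FreeMail plugin or the poster's setup), the following Python computes the three signals it describes from a To:/Cc: header: total recipient count, number of FREEMAIL recipients, and an alphabetically sorted recipient list. The freemail domain list, thresholds and rule names (MANY_RCPTS, FREEMAIL_TO, SORTED_RCPTS) are assumptions chosen for the example; the real FreeMail plugin ships a far longer domain list.

```python
from email.utils import getaddresses

# Constructed, deliberately short freemail list for the example only.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

# Constructed sample header: six recipients, five at freemail domains,
# in alphabetical order, as seen in bulk sends from compromised accounts.
SAMPLE_TO = ("Alice <alice@gmail.com>, bob@yahoo.com, carol@example.org, "
             "dave@hotmail.com, erin@outlook.com, frank@aol.com")

def parse_recipients(header_values):
    """Return lower-cased addresses from one or more To:/Cc: header values."""
    return [addr.lower() for _, addr in getaddresses(header_values) if addr]

def domain_of(address):
    return address.rsplit("@", 1)[1] if "@" in address else ""

def recipient_features(header_values, min_rcpts=10, min_freemail=5):
    """Compute the recipient signals described in the post (thresholds assumed)."""
    rcpts = parse_recipients(header_values)
    freemail = [a for a in rcpts if domain_of(a) in FREEMAIL_DOMAINS]
    # A recipient list that is already in alphabetical order is a strong hint
    # that it came from a sorted address list rather than a human-written To:.
    sorted_list = len(rcpts) >= 3 and rcpts == sorted(rcpts)
    return {
        "rcpt_count": len(rcpts),
        "freemail_count": len(freemail),
        "MANY_RCPTS": len(rcpts) >= min_rcpts,
        "FREEMAIL_TO": len(freemail) >= min_freemail,
        "SORTED_RCPTS": sorted_list,
    }

def hits(header_values, **thresholds):
    """Names of the assumed rules that fire, sorted, for logging or scoring."""
    feats = recipient_features(header_values, **thresholds)
    return sorted(name for name in ("MANY_RCPTS", "FREEMAIL_TO", "SORTED_RCPTS")
                  if feats[name])

if __name__ == "__main__":
    print(recipient_features([SAMPLE_TO]))
    print(hits([SAMPLE_TO]))
```

The rule names returned by `hits()` are the kind of per-message hit record that could be written to the database the post mentions and queried for frequency per sending account.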