Feature Request
Ken Anderson
ka at pacific.net
Fri Apr 13 05:24:01 IST 2007
Jay Chandler wrote:
> Hugo van der Kooij wrote:
>> You need to block SMTP from anyone but acknowledged and well
>> controlled servers in your network.
> Ya think? :-)
>
> This has been done. Note that the way this particular instance took
> place was a user had a weak or leaked password, so the spammer came in
> through our webmail gateway. Flow control won't work on that machine,
> as it services hundreds of users. Neither will IP based restrictions.
> The only thing I can think of that would have caught this would have
> been measuring the volume-- they're forced to use their own email
> address, so after the first dozen messages, I'd have loved for something
> to have said "Wait a damned second here..."
>
tail the log, watch the "relay=" and instead of the IP, capture the
"from=" if a message "is spam" from your webmail box and put that into
either an access "From:baduser at here.net Error 450 hold that spam" entry,
or a MailScanner rule that quarantines mail from that user and then
reloads MailScanner.
ossec (ossec.net) has 'active response' and might help with automating
this if you want something more robust and faster than a cron job
running a shell script. It's quite good, and its response is within
seconds, not minutes, but does need some tweaking for your needs.
Ken Anderson
Pacific.Net
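The volume check the thread asks for, as an added example that is not part of the original post: it reads sendmail-style "from=" lines, counts messages per sender that came in through the webmail relay, and turns senders over a dozen messages into the access-map hold entries described above. The webmail hostname, addresses and log lines are constructed placeholders.

```python
import re
from collections import Counter

# Assumed names: the webmail host and addresses below are placeholders, not from the post.
WEBMAIL_RELAY = "webmail.example.net"
THRESHOLD = 12  # "after the first dozen messages"

# sendmail logs the envelope sender and the submitting client on one "from=" line.
FROM_RE = re.compile(r"from=<([^>]*)>.*?relay=(\S+)")

def _line(qid, sender, relay):
    return (f"Apr 13 05:24:{qid % 60:02d} mx sendmail[4242]: l3D4O{qid:05d}: from=<{sender}>, "
            f"size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay={relay} [192.0.2.10]")

# Constructed sample log: one user bursts 13 messages through webmail, a second sends
# two, and a third sends many but via an acknowledged MTA, which this check ignores.
SAMPLE_LOG = (
    [_line(i, "bob@example.net", WEBMAIL_RELAY) for i in range(13)]
    + [_line(100 + i, "alice@example.net", WEBMAIL_RELAY) for i in range(2)]
    + [_line(200 + i, "carol@example.net", "mta1.example.net") for i in range(20)]
    + ["Apr 13 05:25:00 mx sendmail[4243]: l3D4O00999: to=<x@y>, stat=Sent"]  # no from=, skipped
)

def parse_sender(line):
    """Return (sender, relay host) from a from= log line, or None for other lines."""
    m = FROM_RE.search(line)
    return (m.group(1).lower(), m.group(2)) if m else None

def webmail_volume(lines, relay=WEBMAIL_RELAY):
    """Messages per sender that arrived through the webmail relay."""
    counts = Counter()
    for line in lines:
        parsed = parse_sender(line)
        if parsed and parsed[1] == relay:
            counts[parsed[0]] += 1
    return counts

def flagged_senders(lines, threshold=THRESHOLD, relay=WEBMAIL_RELAY):
    """Senders whose webmail volume is over the threshold, sorted for stable output."""
    return sorted(s for s, n in webmail_volume(lines, relay).items() if n > threshold)

def access_entries(senders):
    """sendmail access_db lines (ERROR form) holding the sender's mail with a temporary 450."""
    return [f'From:{s}\tERROR:"450 hold that spam"' for s in senders]

if __name__ == "__main__":
    for entry in access_entries(flagged_senders(SAMPLE_LOG)):
        print(entry)
```

Run it from cron against the current maillog (or feed it the lines a tail loop collects) and append its output to the access file before rebuilding the map.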