ka at pacific.net
Fri Apr 13 05:24:01 IST 2007
Jay Chandler wrote:
> Hugo van der Kooij wrote:
>> You need to block SMTP from anyone but acknowledged and well
>> controlled servers in your network.
> Ya think? :-)
> This has been done. Note that the way this particular instance took
> place was a user had a weak or leaked password, so the spammer came in
> through our webmail gateway. Flow control won't work on that machine,
> as it services hundreds of users. Neither will IP based restrictions.
> The only thing I can think of that would have caught this would have
> been measuring the volume-- they're forced to use their own email
> address, so after the first dozen messages, I'd have loved for something
> to have said "Wait a damned second here..."
tail the log, watch the "relay=", and instead of the IP capture the
"from=" if a message "is spam" from your webmail box. Put that into
either an access "From:baduser at here.net Error 450 hold that spam" entry
or a MailScanner rule that quarantines mail from that user. ossec
(ossec.net) also has 'active response' and might help with automating
this if you want something more robust and faster than a cron job
running a shell script. It's quite good, and its response is within
seconds, not minutes, but it does need some tweaking for your needs.
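As an added example of the log-watching idea above (this is not code from the original post, nor from MailScanner or ossec), here is the cron-job version as a small shell script: it counts the "from=" lines that sendmail logged with the webmail gateway as the relay, and for any sender over a limit it prints a sendmail access-map entry in the tagged form "From:addr ERROR:"450 ..."". The relay host name webmail.here.net, the addresses and the log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from MailScanner/ossec:
# count, per envelope sender, the messages sendmail accepted from the webmail
# gateway and print sendmail access-map entries that defer (450) any sender
# over a threshold. Assumptions: the MTA is sendmail, the gateway logs as
# relay=webmail.here.net, and the addresses below are made up.

# Constructed sample of /var/log/maillog lines (shortened sendmail format).
# In production, point count_relay_senders at the real log instead.
SAMPLE_LOG='Apr 13 05:10:01 mx sendmail[2201]: l3CNA1aa002201: from=<alice@here.net>, size=812, nrcpts=1, relay=webmail.here.net [192.0.2.10]
Apr 13 05:10:05 mx sendmail[2203]: l3CNA5bb002203: from=<bob@here.net>, size=2048, nrcpts=40, relay=webmail.here.net [192.0.2.10]
Apr 13 05:10:06 mx sendmail[2203]: l3CNA5bb002203: to=<x1@example.com>, delay=00:00:01, relay=mail.example.com. [198.51.100.7], stat=Sent
Apr 13 05:10:09 mx sendmail[2205]: l3CNA9cc002205: from=<Bob@here.net>, size=2048, nrcpts=40, relay=webmail.here.net [192.0.2.10]
Apr 13 05:10:14 mx sendmail[2207]: l3CNAEdd002207: from=<bob@here.net>, size=2048, nrcpts=40, relay=webmail.here.net [192.0.2.10]
Apr 13 05:10:20 mx sendmail[2209]: l3CNAKee002209: from=<bob@here.net>, size=2048, nrcpts=40, relay=webmail.here.net [192.0.2.10]
Apr 13 05:10:31 mx sendmail[2211]: l3CNAVff002211: from=<>, size=1500, nrcpts=1, relay=webmail.here.net [192.0.2.10]
Apr 13 05:10:45 mx sendmail[2213]: l3CNAjgg002213: from=<bob@here.net>, size=2048, nrcpts=40, relay=webmail.here.net [192.0.2.10]
Apr 13 05:11:02 mx sendmail[2215]: l3CNB2hh002215: from=<alice@here.net>, size=900, nrcpts=2, relay=webmail.here.net [192.0.2.10]
Apr 13 05:11:30 mx sendmail[2217]: l3CNBUii002217: from=<bob@here.net>, size=2048, nrcpts=40, relay=webmail.here.net [192.0.2.10]
Apr 13 05:12:00 mx sendmail[2219]: l3CNC0jj002219: from=<bob@here.net>, size=2048, nrcpts=40, relay=mail.partner.example [203.0.113.5]'

# Print "count address" for every non-null envelope sender whose message
# was accepted from the relay in $1 (the host name as it appears after
# "relay=").  $2 is the log file, "-" reads stdin.  Addresses are
# lower-cased so a sender cannot dodge the count by changing case; the
# null sender (bounces) and mail that came in via other relays are skipped.
count_relay_senders() {
    awk -v relay="$1" '
        /: from=</ && index($0, "relay=" relay " ") {
            s = $0
            sub(/.*from=</, "", s)
            sub(/>.*/, "", s)
            if (s != "") n[tolower(s)]++
        }
        END { for (a in n) print n[a], a }
    ' "$2"
}

# Read "count address" lines on stdin and emit a sendmail access-map entry
# for each sender above the limit in $1.  450 is a temporary failure, so
# the mail is held rather than bounced and a false positive only delays a
# legitimate user until the entry is removed again.
access_entries_over() {
    awk -v limit="$1" \
        '$1 > limit + 0 { printf "From:%s\tERROR:\"450 hold that spam\"\n", $2 }'
}

# Whole pipeline: $1 relay host, $2 message limit, $3 log file or "-".
# Append the output to /etc/mail/access and rebuild the map with
# "makemap hash /etc/mail/access < /etc/mail/access" (sendmail's normal
# step, deliberately not run here).
flag_senders() {
    count_relay_senders "$1" "$3" | access_entries_over "$2" | sort
}

# Run it over the constructed sample with a limit of 5 messages.
# Expected: only bob@here.net (6 accepted via webmail) gets an entry;
# alice (2) and bob's message via mail.partner.example are not counted.
printf '%s\n' "$SAMPLE_LOG" | flag_senders webmail.here.net 5 -
```

Run it from cron against /var/log/maillog, or call it from an ossec active-response script if you go that route. The limit should be tuned to what a real webmail user sends in the window you scan, and the entry should be taken out of the access map once the account's password has been reset.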