Feature Request

Ken Anderson ka at pacific.net
Fri Apr 13 05:24:01 IST 2007


Jay Chandler wrote:
> Hugo van der Kooij wrote:
>> You need to block SMTP from anyone but acknowledged and well 
>> controlled servers in your network.
> Ya think? :-)
> 
> This has been done.  Note that the way this particular instance took 
> place was a user had a weak or leaked password, so the spammer came in 
> through our webmail gateway.  Flow control won't work on that machine, 
> as it services hundreds of users.  Neither will IP based restrictions.  
> The only thing I can think of that would have caught this would have 
> been measuring the volume-- they're forced to use their own email 
> address, so after the first dozen messages, I'd have loved for something 
> to have said "Wait a damned second here..."
> 

tail the log, watch the "relay=" and instead of the IP, capture the 
"from=" if a message "is spam" from your webmail box and put that into 
either an access "From:baduser at here.net Error 450 hold that spam" entry, 
or a MailScanner rule that quarantines mail from that user and then 
reloads MailScanner.

ossec (ossec.net) has 'active response' and might help with automating 
this if you want something more robust and faster than a cron job 
running a shell script. It's quite good, and its response is within 
seconds, not minutes, but does need some tweaking for your needs.

Ken Anderson
Pacific.Net
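The volume check described above, worked through as an added example (not code from the original post or from MailScanner): it parses sendmail-style "from=" log lines, keeps only messages that came in through the webmail relay, flags any sender that exceeds a threshold inside a sliding time window, and renders access-map entries in the form the post suggests. The webmail hostname, the threshold, the window and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Hypothetical webmail gateway hostname as it appears in the relay= field.
WEBMAIL_RELAY = "webmail.example.net"
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})")
FROM_RE = re.compile(r"from=<([^>]*)>")
RELAY_RE = re.compile(r"relay=(\S+)")
def parse_line(line, year=2007):
    """Return (timestamp, sender, relay host) or None for non-from= records."""
    ts, frm, rly = TS_RE.search(line), FROM_RE.search(line), RELAY_RE.search(line)
    if not (ts and frm and rly):
        return None
    when = datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S")
    return when, frm.group(1).lower(), rly.group(1).rstrip(",")

def flag_senders(lines, threshold=12, window=timedelta(minutes=10), relay=WEBMAIL_RELAY):
    """Senders exceeding `threshold` messages via `relay` in any `window`-long interval, with totals."""
    per_sender = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == relay:          # ignore mail from other relays
            per_sender[rec[1]].append(rec[0])
    flagged = {}
    for sender, times in per_sender.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged[sender] = len(times)
                break
    return flagged

def access_entries(flagged):
    """Render sendmail access-map lines that hold mail from flagged senders."""
    return [f"From:{s}\tERROR:450 hold that spam" for s in sorted(flagged)]

# Constructed sample log: 13 webmail messages from bob in about a minute, one from alice, one non-webmail.
SAMPLE = [
    f"Apr 13 05:{20 + i // 10}:{i % 10:02d} mx sendmail[42{i:02d}]: l3D0{i:02d}ab{i:06d}: "
    f"from=<bob@here.net>, size=1024, nrcpts=40, proto=ESMTP, relay={WEBMAIL_RELAY} [192.0.2.10]"
    for i in range(13)
] + [
    "Apr 13 05:21:30 mx sendmail[4299]: l3D0Oab009999: from=<alice@here.net>, size=512, "
    f"nrcpts=1, proto=ESMTP, relay={WEBMAIL_RELAY} [192.0.2.10]",
    "Apr 13 05:21:45 mx sendmail[4300]: l3D0Oab009998: from=<alice@here.net>, size=512, "
    "nrcpts=1, proto=ESMTP, relay=mail.partner.example [198.51.100.5]",
]
```

Feed it the tail of the live log from cron (or an ossec active response) and append the returned entries to the access map before rebuilding it; a shorter window makes the check stricter, as the second assertion below shows.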
