Feature Request

Michael Mansour micoots at yahoo.com
Fri Apr 13 12:28:48 IST 2007


Hi,

Ken Anderson <ka at pacific.net> wrote: Jay Chandler wrote:
> Hugo van der Kooij wrote:
>> You need to block SMTP from anyone but acknowledged and well 
>> controlled servers in your network.
> Ya think? :-)
> 
> This has been done.  Note that the way this particular instance took 
> place was a user had a weak or leaked password, so the spammer came in 
> through our webmail gateway.  Flow control won't work on that machine, 
> as it services hundreds of users.  Neither will IP based restrictions.  
> The only thing I can think of that would have caught this would have 
> been measuring the volume-- they're forced to use their own email 
> address, so after the first dozen messages, I'd have loved for something 
> to have said "Wait a damned second here..."
This is exactly what you can do with sendmail (if you're using it).

Look here:

http://www.technoids.org/dossed.html

for how you can rate throttle and protect your SMTP from attacks from spammers.

Michael.
tail the log, watch the "relay=" and instead of the IP, capture the 
"from=" if a message "is spam" from your webmail box and put that into 
either an access "From:baduser at here.net Error 450 hold that spam" entry, 
or a MailScanner rule that quarantines mail from that user and then 
reloads MailScanner.

ossec (ossec.net) has 'active response' and might help with automating 
this if you want something more robust and faster than a cron job 
running a shell script. It's quite good, and its response is within 
seconds, not minutes, but does need some tweaking for your needs.

Ken Anderson
Pacific.Net

-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting
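
The per-sender volume check discussed in this thread (count "from=" addresses on messages whose "relay=" is the webmail box, then emit an access entry for any sender past the first dozen) could look like the following. This is an added example, not code from any poster or from MailScanner; the host name, threshold, window and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values (not from the thread): host name, threshold and window.
WEBMAIL_RELAY = "webmail.example.net"
THRESHOLD = 12                      # "after the first dozen messages"
WINDOW = timedelta(minutes=10)

# sendmail "from=" log line; the strict address pattern keeps anything odd
# in the log from being copied into the access map.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \w+: "
    r"from=<(?P<sender>[\w.%+-]+@[\w.-]+)>,.*\brelay=(?P<relay>\S+)")

def find_bursts(lines, relay=WEBMAIL_RELAY, threshold=THRESHOLD,
                window=WINDOW, year=2007):
    """Return senders exceeding `threshold` messages per `window` via `relay`."""
    recent = defaultdict(deque)     # sender -> timestamps inside the window
    flagged = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["relay"].lower() != relay:
            continue
        # syslog timestamps carry no year, so one is supplied
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        sender = m["sender"].lower()
        q = recent[sender]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) > threshold and sender not in flagged:
            flagged.append(sender)
    return flagged

def access_entries(senders):
    """Format flagged senders as sendmail access-map lines (tempfail)."""
    return [f"From:{s}\tERROR:450 hold that spam" for s in senders]

def sample_log():
    """Constructed log lines: 14 quick messages from one user, 3 from another."""
    fmt = ("Apr 13 12:{:02d}:{:02d} mx sendmail[4242]: l3DB0{:03d}004242: "
           "from=<{}>, size=2048, class=0, nrcpts=50, proto=ESMTP, "
           "daemon=MTA, relay={} [192.0.2.10]")
    noisy = [fmt.format(i // 4, i % 4 * 15, i, "baduser@example.net",
                        WEBMAIL_RELAY) for i in range(14)]
    quiet = [fmt.format(20 + i, 0, 100 + i, "gooduser@example.net",
                        WEBMAIL_RELAY) for i in range(3)]
    return noisy + quiet

if __name__ == "__main__":
    print("\n".join(access_entries(find_bursts(sample_log()))))
```

Entries appended to the access file take effect only after the map is rebuilt with makemap.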
