Notify Admin of User Sending High Volume of Mail

Scott Silva ssilva at sgvwater.com
Mon Sep 22 22:50:23 IST 2008


on 9-22-2008 2:32 PM Josh Kidd spake the following:
> Don’t know if anyone else has attempted to do something like this before 
> or not, I gave a scan to Google and the lists and didn’t see anything. I 
> have MailScanner setup on a FreeBSD7 machine running 
> Postfix+MailScanner(SA,ClamAV)+Mailwatch. We are wanting to find a way 
> that if a user’s computer is infected and starts sending out a large 
> number of emails in a short time frame (ie: 20,30,50 messages in 2-5 
> minutes).
> 
>  
> 
> I assume this would have to be a custom ruleset but being new to 
> MailScanner I don’t know exactly how I would go about creating this 
> rule. Has anyone done something like this or know’s how to? I want 
> MailScanner or Mailwatch to email me if a user’s outbound mail volume 
> exceeds our pre-defined limits so I can shutdown whatever is sending out 
> the large volume of mail to prevent our domain from being blacklisted.
> 
>  
> 
> Thanks in Advance,
> 
> JK
> 
>  
> 
1: Block all users from being able to send smtp directly to the outside world. 
All mail must go through servers under your control. Scan this outgoing mail. 
Never completely trust your users because machines get owned everyday.

2: Set sending limits in postfix. I can't help you here other than knowing 
that it can be done.

3: You need a log runner or other script to look for the entries for too many 
attempts in the logs and mail a warning. Maybe even add an iptables rule for a 
quick stop while you investigate. That way it gets stopped when no one is 
available for intervention.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080922/1d08f4cd/signature.bin


More information about the MailScanner mailing list