Notify Admin of User Sending High Volume of Mail

Josh Kidd jkidd at afflink.com
Tue Sep 23 20:50:11 IST 2008


I have the 1st one done, all of my mail is going through this Postfix gateway and being scanned by MailScanner. What I have to have is something that will fit into the process to stop a user's computer from sending out spam if it's infected. Would the Postfix anvil(8) daemon work here with the smtpd_client_message_rate_limit setting to control how many message delivery requests are allowed within the anvil_rate_time_unit?

I've been playing around with this but don't know how to implement it correctly, I think, since it doesn't seem to be working. I've added these lines to my Postfix main.cf. The numbers are low just as a test to get some results without having to spam my test relay. Any idea on how to implement the Anvil and Smtpd rate limits?

anvil_rate_time_unit = 60s
anvil_status_update_time = 30s
smtpd_client_message_rate_limit = 10

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Monday, September 22, 2008 4:50 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: Notify Admin of User Sending High Volume of Mail

on 9-22-2008 2:32 PM Josh Kidd spake the following:
> Don’t know if anyone else has attempted to do something like this 
> before or not, I gave a scan to Google and the lists and didn’t see 
> anything. I have MailScanner setup on a FreeBSD7 machine running
> Postfix+MailScanner(SA,ClamAV)+Mailwatch. We are wanting to find a way
> that if a user’s computer is infected and starts sending out a large 
> number of emails in a short time frame (i.e. 20, 30, 50 messages in 2-5 
> minutes).
> 
> I assume this would have to be a custom ruleset but being new to 
> MailScanner I don’t know exactly how I would go about creating this 
> rule. Has anyone done something like this or knows how to? I want 
> MailScanner or Mailwatch to email me if a user’s outbound mail volume 
> exceeds our pre-defined limits so I can shut down whatever is sending 
> out the large volume of mail to prevent our domain from being blacklisted.
> 
> Thanks in Advance,
> 
> JK
> 
1: Block all users from being able to send smtp directly to the outside world. 
All mail must go through servers under your control. Scan this outgoing mail. 
Never completely trust your users because machines get owned every day.

2: Set sending limits in postfix. I can't help you here other than knowing that it can be done.

3: You need a log runner or other script to look for the entries for too many attempts in the logs and mail a warning. Maybe even add an iptables rule for a quick stop while you investigate. That way it gets stopped when no one is available for intervention.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
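Scott's third step, a log runner that spots the burst and produces a warning to mail the admin, as an added example that is not from the thread: it parses Postfix smtpd `client=` syslog lines (the exact line layout, the 2008 year for the timestamps, and the sample lines are assumptions constructed for the example) and flags any client that submits more than a threshold within a sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample Postfix syslog lines (not from the thread): pc42 bursts, pc7 is quiet.
SAMPLE_LOG = """\
Sep 23 20:40:01 gw postfix/smtpd[2101]: 1A2B3C4D5E: client=pc42.lan[192.0.2.42]
Sep 23 20:40:05 gw postfix/smtpd[2101]: 1A2B3C4D5F: client=pc42.lan[192.0.2.42]
Sep 23 20:40:09 gw postfix/smtpd[2102]: 1A2B3C4D60: client=pc42.lan[192.0.2.42]
Sep 23 20:40:30 gw postfix/smtpd[2103]: 1A2B3C4D61: client=pc7.lan[192.0.2.7]
Sep 23 20:40:50 gw postfix/smtpd[2101]: 1A2B3C4D62: client=pc42.lan[192.0.2.42]
Sep 23 20:41:02 gw postfix/smtpd[2104]: 1A2B3C4D63: client=pc42.lan[192.0.2.42]
Sep 23 20:41:40 gw postfix/smtpd[2104]: 1A2B3C4D64: client=pc42.lan[192.0.2.42]
Sep 23 20:46:00 gw postfix/smtpd[2105]: 1A2B3C4D65: client=pc42.lan[192.0.2.42]
"""
# Assumed syslog layout of a postfix/smtpd "client=" line; check it against your own logs.
CLIENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"[0-9A-F]+: client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]$"
)

def parse_ts(ts, year=2008):
    """Syslog timestamps carry no year; assume one so time arithmetic works."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bursts(log_text, limit=5, window_sec=300):
    """Return {ip: (count, first_ts, last_ts)} for clients that submitted more
    than `limit` messages inside any `window_sec` sliding window."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue              # queue, cleanup and anvil lines are ignored here
        ip, t = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_sec:
            q.popleft()           # drop submissions older than the window
        if len(q) > limit and ip not in flagged:
            flagged[ip] = (len(q), q[0], q[-1])
    return flagged

def format_alert(flagged, window_sec=300):
    """Plain-text body a cron job could pipe to mail(1) for the admin."""
    out = [f"Clients exceeding the submission limit within {window_sec}s:"]
    for ip, (n, first, last) in sorted(flagged.items()):
        out.append(f"  {ip}: {n} messages between {first:%H:%M:%S} and {last:%H:%M:%S}")
    return "\n".join(out)
```

With the thresholds from the original post (20 messages in 2 to 5 minutes) call find_bursts(log, limit=20, window_sec=300). Note that anvil's smtpd_client_message_rate_limit is not enforced for clients matched by smtpd_client_event_limit_exceptions, which defaults to $mynetworks, so LAN workstations relaying through the gateway are exempt from it unless that parameter is changed.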


