OT: how to block emails sent to too many recipients

Alex Broens ms-list at alexb.ch
Mon Dec 20 18:56:49 GMT 2010


Denis Beauchemin wrote:
>> On 12/20/2010 9:42 AM, Denis Beauchemin wrote:
>>>> -----Original Message----- From:
>>>> mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>>>>  bounces at lists.mailscanner.info] On behalf of Steve Campbell
>>>> Sent: 20 December 2010 09:24 To: MailScanner discussion
>>>> Subject: Re: OT: how to block emails sent to too many recipients
>>>> 
>>>> 
>>>> Another thought:
>>>> 
>>>> If you can find a common IP from your apache logs, firewall
>>>> that off. If the sending IP is not one of those random IPs, add
>>>> it to your access file. Sometimes, you may need to add a few
>>>> IPs if they're slightly random. If they're truly random and
>>>> spoofed, the access file won't help.
>>>> 
>>>> Steve Campbell
>>> Unfortunately it comes from too many different IPs.
>>> 
>>> The server is used to send big batches of emails (people with
>>> Outlook mailing lists, webmails, etc). That's why it is so difficult to
>>> take drastic measures like confMAX_RCPTS_PER_MESSAGE which applies
>>> to all users.
>>> All users of our webmail are authenticated. Don't know if some
>>> accounts were broken into or if there is some cookie hijacking going on...
>>> I think we patched Horde last week (not my team's responsibility).
>>> We're asking the guys that maintain Horde to try to block them at
>>> the source: if from is not from our domain and there are more than
>>> 25 recipients then reject the message. Hope they can pull it off!
>>> Thanks for your help!
>>> 
>>> Denis
>>> 
>> Do all of your valid "senders" originate from your owned IPs? Or do
>> they send from anyplace? If the prior, block everything in an
>> .htaccess file except your IPs.
>> 
>> Another option is using Mailman for these lists. It takes a little
>> time to set up the list initially, but after that, it's fairly
>> simple to maintain a bunch of these. At that point, you can require
>> the owner of the list to be required to moderate every email that
>> passes through the list. It might help you narrow down where
>> they're coming from, and at the very least, prevent them from going
>> out of your servers.
>> 
>> Steve Campbell
>> 
> 
> Thanks Steve,
> 
> I think this is going to help me police all those users and force
> them to use our Sympa list manager. Very good idea!
> 
> We heard one of our users received a fake over-quota email requesting
> that she register on a web server to be able to continue using her
> account. She did and that's how her account got compromised! We are
> investigating who else might have done the same thing.
> 
> During lunch time we got another attack that I blocked using
> sendmail's access file: from:bad-user at usherbrooke.ca DISCARD. This
> time they used the user's email address instead of a random one. At
> least they don't change the from on every email!

Watch the inbound log for an unusual inflow of bounces to one user.

Check your deferred queues. As many sites may greylist your server(s),
you may detect which sender is being abused when you see an abnormal
number of mails waiting to be delivered with the same sender address.

This may also help detect the abused accounts.

Alex
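The three signals raised in this thread (deferred mail piling up behind one envelope sender because remote sites greylist the flood, a burst of bounces arriving for one local user, and single messages with an unusually large recipient count) can be pulled out of a sendmail maillog with a short script. The script below is an added example, not code from the thread or from MailScanner; the log lines, queue IDs, hostnames, addresses and thresholds in it are constructed for illustration. It correlates the `from=` and `to=` records by sendmail queue ID and treats an empty envelope sender (`from=<>`) as a bounce/DSN. The header-From check that Denis's Horde team was asked for is not reproduced here, since that lives in the webmail, not in the MTA log.

```python
"""Spot abused accounts in a sendmail maillog (added example, not from the thread).

Heuristics, all taken from the list discussion:
  1. many Deferred deliveries behind one envelope sender (remote greylisting),
  2. an unusual inflow of bounces (empty envelope sender) to one local user,
  3. single messages whose recipient count exceeds a per-message limit.
The log excerpt, queue IDs, hosts and addresses below are constructed.
"""
import re
from collections import Counter, defaultdict

MAX_RCPTS = 25  # per-message recipient limit discussed in the thread (assumed)

# Constructed syslog-style sendmail log: one normal message from alice, a
# 60-recipient message from carol that gets greylisted everywhere, and three
# bounces (from=<>) coming back to carol.
SAMPLE_LOG = """\
Dec 20 12:01:02 mx1 sendmail[4101]: oBKH12A4004101: from=<alice@example.org>, size=812, class=0, nrcpts=1, msgid=<a1@example.org>, relay=webmail.example.org [10.0.0.5]
Dec 20 12:01:03 mx1 sendmail[4102]: oBKH12A4004101: to=<bob@remote.net>, delay=00:00:01, mailer=esmtp, relay=mx.remote.net. [192.0.2.10], dsn=2.0.0, stat=Sent (OK)
Dec 20 12:05:10 mx1 sendmail[4120]: oBKH15B4004120: from=<carol@example.org>, size=5120, class=0, nrcpts=60, msgid=<c1@example.org>, relay=webmail.example.org [10.0.0.5]
Dec 20 12:05:11 mx1 sendmail[4121]: oBKH15B4004120: to=<v1@remote.net>, delay=00:00:01, mailer=esmtp, relay=mx.remote.net. [192.0.2.10], dsn=4.7.1, stat=Deferred: 451 4.7.1 Greylisted, try again later
Dec 20 12:05:11 mx1 sendmail[4121]: oBKH15B4004120: to=<v2@remote.net>, delay=00:00:01, mailer=esmtp, relay=mx.remote.net. [192.0.2.10], dsn=4.7.1, stat=Deferred: 451 4.7.1 Greylisted, try again later
Dec 20 12:05:12 mx1 sendmail[4121]: oBKH15B4004120: to=<v3@other.example>, delay=00:00:02, mailer=esmtp, relay=mx.other.example. [198.51.100.7], dsn=4.7.1, stat=Deferred: 451 4.7.1 Greylisted
Dec 20 12:05:13 mx1 sendmail[4121]: oBKH15B4004120: to=<v4@other.example>, delay=00:00:03, mailer=esmtp, relay=mx.other.example. [198.51.100.7], dsn=4.7.1, stat=Deferred: 451 4.7.1 Greylisted
Dec 20 12:30:00 mx1 sendmail[4200]: oBKHU0C4004200: from=<>, size=2300, class=0, nrcpts=1, msgid=<b1@remote.net>, relay=mx.remote.net [192.0.2.10]
Dec 20 12:30:01 mx1 sendmail[4201]: oBKHU0C4004200: to=<carol@example.org>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
Dec 20 12:30:05 mx1 sendmail[4202]: oBKHU5D4004202: from=<>, size=2400, class=0, nrcpts=1, msgid=<b2@other.example>, relay=mx.other.example [198.51.100.7]
Dec 20 12:30:06 mx1 sendmail[4203]: oBKHU5D4004202: to=<carol@example.org>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
Dec 20 12:30:09 mx1 sendmail[4204]: oBKHU9E4004204: from=<>, size=2200, class=0, nrcpts=1, msgid=<b3@remote.net>, relay=mx.remote.net [192.0.2.10]
Dec 20 12:30:10 mx1 sendmail[4205]: oBKHU9E4004204: to=<carol@example.org>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
"""

# Every sendmail record carries the queue ID; from= and to= records share it.
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
FROM_RE = re.compile(r"^from=<(?P<addr>[^>]*)>.*?nrcpts=(?P<n>\d+)")
TO_RE = re.compile(r"^to=<(?P<addr>[^>]*)>.*?stat=(?P<stat>\w+)")


def parse_maillog(lines):
    """Group from=/to= records by queue ID.

    Returns {qid: {"sender": str|None, "nrcpts": int, "deliveries": [(rcpt, stat)]}}.
    sender is "" for a null envelope sender (bounce/DSN) and None when the
    from= record is outside the window we were given (e.g. rotated away).
    """
    msgs = defaultdict(lambda: {"sender": None, "nrcpts": 0, "deliveries": []})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        rec, rest = msgs[m["qid"]], m["rest"]
        f = FROM_RE.match(rest)
        if f:
            rec["sender"] = f["addr"].lower()
            rec["nrcpts"] = int(f["n"])
            continue
        t = TO_RE.match(rest)
        if t:
            rec["deliveries"].append((t["addr"].lower(), t["stat"]))
    return dict(msgs)


def deferred_per_sender(msgs, threshold=3):
    """Senders with at least `threshold` deliveries sitting in Deferred state."""
    counts = Counter()
    for rec in msgs.values():
        if rec["sender"]:  # skip bounces ("") and messages without a from= record
            counts[rec["sender"]] += sum(1 for _, st in rec["deliveries"] if st == "Deferred")
    return {s: n for s, n in counts.items() if n >= threshold}


def bounce_inflow(msgs, threshold=3):
    """Local recipients receiving at least `threshold` null-sender messages."""
    counts = Counter()
    for rec in msgs.values():
        if rec["sender"] == "":
            for rcpt, _ in rec["deliveries"]:
                counts[rcpt] += 1
    return {r: n for r, n in counts.items() if n >= threshold}


def oversized_messages(msgs, max_rcpts=MAX_RCPTS):
    """Queue IDs whose envelope recipient count exceeds max_rcpts."""
    return {qid: (rec["sender"], rec["nrcpts"])
            for qid, rec in msgs.items() if rec["nrcpts"] > max_rcpts}


def report(log_text):
    msgs = parse_maillog(log_text.splitlines())
    return {
        "deferred": deferred_per_sender(msgs),
        "bounces": bounce_inflow(msgs),
        "oversized": oversized_messages(msgs),
    }


if __name__ == "__main__":
    for name, hits in report(SAMPLE_LOG).items():
        print(f"{name}: {hits or 'none'}")
```

On the constructed sample all three checks point at the same account, which is the pattern a compromised webmail login produces: carol sent one message to 60 recipients, four of those deliveries are stuck as greylisted, and three bounces have already come back to her mailbox. Run it against `/var/log/maillog` with `report(open(path).read())` and raise the thresholds to whatever is normal for your legitimate bulk senders before acting on the output; the oversized-message check only sees the envelope recipient count, so a per-message limit like `confMAX_RCPTS_PER_MESSAGE` would still apply to everybody unless the webmail enforces its own rule.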


