OT: how to block emails sent to too many recipients

Steve Campbell campbell at cnpapers.com
Mon Dec 20 19:43:15 GMT 2010



On 12/20/2010 1:41 PM, Denis Beauchemin wrote:
>> On 12/20/2010 9:42 AM, Denis Beauchemin wrote:
>>>> -----Message d'origine-----
>>>> De : mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>>>> bounces at lists.mailscanner.info] De la part de Steve Campbell Envoyé :
>>>> 20 décembre 2010 09:24 À : MailScanner discussion Objet : Re: OT: how
>>>> to block emails sent to too many recipients
>>>>
>>>> Another thought:
>>>>
>>>> If you can find a common IP from your apache logs, firewall that off.
>>>> If the sending IP is not one of those random IPs, add it to your access file.
>>>> Sometimes, you may need to add a few IPs if they're slightly random.
>>>> If they're truly random and spoofed, the access file won't help.
>>>>
>>>> Steve Campbell
>>> Unfortunately it comes from too many different IPs.
>>>
>>> The server is used to send big batches of emails (people with Outlook
>> mailing lists, webmails, etc). That's why it is so difficult to take drastic
>> measures like confMAX_RCPTS_PER_MESSAGE which applies to all users.
>>> All users of our webmail are authenticated. Don't know if some accounts
>> were broken into or if there is some cookie hijacking going on...  I think we
>> patched Horde last week (not my team's responsibility). We're asking the
>> guys that maintain Horde to try to block them at the source: if from is not
>> from our domain and there are more than 25 recipients then reject the
>> message. Hope they can pull it off!
>>> Thanks for your help!
>>>
>>> Denis
>>>
>> Do all of your valid "senders" originate from your owned IPs? Or do they
>> send from anyplace? If the prior, block everything in an .htaccess file except
>> your IPs.
>>
>> Another option is using Mailman for these lists. It takes a little time to set up
>> the list initially, but after that, it's fairly simple to maintain a bunch of these.
>> At that point, you can require the owner of the list to be required to
>> moderate every email that passes through the list. It might help you narrow
>> down where they're coming from, and at the very least, prevent them from
>> going out of your servers.
>>
>> Steve Campbell
>>
> THanks Steve,
>
> I think this is going to help me policy all those users and force them to use our Sympa list manager. Very good idea!
>
> We heard one of our users received a fake over quota email requesting that she registered to a web server to be able to continue using her account. She did and that's how her account got compromised! We are investigating who else might have done the same thing.
>
> During lunch time we got another attack that I blocked using sendmail's access file: from:bad-user at usherbrooke.ca DISCARD. This time they used the user's email address instead of a random one. At least they don't change the from on every email!
>
> Denis
>
And I just received one of those over-quota emails myself.  Looks like a 
new batch of crap is on it's way. This one arrived from 208.9.6.197 and 
a domain called sunh.com, but I believe it's a Sprint IP.

steve



More information about the MailScanner mailing list