Force a sender's email to quarantine?

[Robert Lopez]

[In gmane I see this subject question has been asked, but I saw no answer.]

We have an application that helps us shut down SPAM email being sent
out from a compromised account.
(Invariably compromised after the account owner replied to some phishing email.)
The application tails the maillog and keeps data to detect when any
individual account starts to send a lot of email.
Right now the action is to send a page to our team.
We then access the gateway that sent the page and make a guess if it
could be legitimate or really a spammer.

We would like to change the application to put all of the email from
the identified account into a quarantine file.
Using postfix and MailScanner, we might have opportunities to use either tool.

Due to MailScanner using the postfix hold que to pass email to
MailScanner, I do not think we have the possibility of having postfix
put the selected email on hold.

I am looking for a way to use MailScanner to quarantine all the user's
email (whole message) as queue files.

Any suggestions as to which MailScanner features could be used to do this?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106