Force a sender's email to quarantine?

Kelly, James jakelly at chapman.edu
Wed Jan 20 18:31:04 GMT 2010


We have a very similar script watching our outbound mail logs. To
"quarantine" the suspect outbound mail we use the script itself (perl,
in our case) to add the suspect messages' from address with a redirect
action into the postfix sender_restrictions table on the gateway(s) and
then regenerate the .db.

from at large.chinese.isp     REDIRECT quarantine-acct at ourdomain.tld

If the spammer changes the from, the script notices and adds the new
from(s) also.

We use scripts to resend the messages in the quarantine account with the
original from/to if they turn out to be false positives.

Thanks,
James
__

James Kelly
Network Administrator
IS&T Network Operations
Chapman University
Phone: 714-744-7833
Email: jakelly at chapman.edu
---
CHAPMAN UNIVERSITY WILL NEVER ASK FOR YOUR PASSWORD!
DO NOT SHARE YOUR PASSWORD WITH OTHERS!
If you wish to modify your Chapman email address account information:
Use the account management web page at
https://web.chapman.edu/accountmanagement/,
Call the Chapman University helpdesk at (714) 997-6600, or
Contact helpdesk at chapman.edu.
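A worked version of the approach James describes above, written here as an added example in Python (the site's own perl script is not on the page and this is not it). It parses Postfix qmgr "from=" log lines, keeps a sliding-window recipient count per envelope sender, and when a sender exceeds the threshold appends a REDIRECT entry to a sender access map and rebuilds the .db with postmap. In Postfix that map is consulted through check_sender_access in smtpd_sender_restrictions, and REDIRECT sends the message to the named mailbox instead of its intended recipients. The threshold, window, map path, quarantine mailbox, hostname and log lines are all constructed assumptions, and the demo stubs out the postmap call so it runs offline.

```python
"""Burst detection over Postfix qmgr log lines with REDIRECT-to-quarantine
entries in a sender access map.  Added example; thresholds, paths, mailbox
and the sample log are assumptions, not the thread's own script."""
import re
import subprocess
import tempfile
from collections import defaultdict, deque
from datetime import datetime
from pathlib import Path

# Assumed policy: more than MAX_RCPT envelope recipients from one sender
# within WINDOW_SEC seconds is treated as a compromised account.
MAX_RCPT = 20
WINDOW_SEC = 300
QUARANTINE = "quarantine-acct@ourdomain.tld"  # assumed quarantine mailbox
LOG_YEAR = 2010  # syslog timestamps carry no year; assumed for parsing

# Postfix queue-manager line: the envelope sender and recipient count live here.
QMGR_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)

# Constructed sample log: alice and carol are normal, mallory sends 30
# recipients in 75 seconds; a bounce (from=<>) and an smtp line are noise.
SAMPLE_MAILLOG = """\
Jan 20 09:58:01 gw1 postfix/qmgr[1234]: 1A2B3C4D5E: from=<alice@ourdomain.tld>, size=2048, nrcpt=1 (queue active)
Jan 20 09:58:02 gw1 postfix/smtp[1300]: 1A2B3C4D5E: to=<bob@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1, status=sent (250 OK)
Jan 20 10:00:00 gw1 postfix/qmgr[1234]: 2B3C4D5E6F: from=<carol@ourdomain.tld>, size=4096, nrcpt=15 (queue active)
Jan 20 10:01:10 gw1 postfix/qmgr[1234]: 3C4D5E6F70: from=<>, size=512, nrcpt=1 (queue active)
Jan 20 10:02:00 gw1 postfix/qmgr[1234]: 4D5E6F7081: from=<Mallory@ourdomain.tld>, size=9000, nrcpt=5 (queue active)
Jan 20 10:02:15 gw1 postfix/qmgr[1234]: 5E6F708192: from=<Mallory@ourdomain.tld>, size=9000, nrcpt=5 (queue active)
Jan 20 10:02:30 gw1 postfix/qmgr[1234]: 6F708192A3: from=<Mallory@ourdomain.tld>, size=9000, nrcpt=5 (queue active)
Jan 20 10:02:45 gw1 postfix/qmgr[1234]: 708192A3B4: from=<Mallory@ourdomain.tld>, size=9000, nrcpt=5 (queue active)
Jan 20 10:03:00 gw1 postfix/qmgr[1234]: 8192A3B4C5: from=<Mallory@ourdomain.tld>, size=9000, nrcpt=5 (queue active)
Jan 20 10:03:15 gw1 postfix/qmgr[1234]: 92A3B4C5D6: from=<Mallory@ourdomain.tld>, size=9000, nrcpt=5 (queue active)
Jan 20 10:07:00 gw1 postfix/qmgr[1234]: A3B4C5D6E7: from=<carol@ourdomain.tld>, size=4096, nrcpt=15 (queue active)
"""


def parse_qmgr_line(line):
    """Return (timestamp, sender, nrcpt) for a qmgr 'from=' line, else None."""
    m = QMGR_RE.match(line)
    if not m or not m.group("sender"):  # non-qmgr lines and bounces (from=<>)
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("sender").lower(), int(m.group("nrcpt"))


def detect_bursts(lines, max_rcpt=MAX_RCPT, window_sec=WINDOW_SEC):
    """Sliding-window recipient count per sender; return senders that exceed it."""
    recent = defaultdict(deque)  # sender -> deque of (timestamp, nrcpt)
    flagged = []
    for line in lines:
        parsed = parse_qmgr_line(line)
        if parsed is None:
            continue
        ts, sender, nrcpt = parsed
        q = recent[sender]
        q.append((ts, nrcpt))
        while (ts - q[0][0]).total_seconds() > window_sec:  # expire old entries
            q.popleft()
        if sum(n for _, n in q) > max_rcpt and sender not in flagged:
            flagged.append(sender)
    return flagged


def add_redirect(map_path, sender, target=QUARANTINE):
    """Append 'sender REDIRECT target' to the access map unless already present."""
    path = Path(map_path)
    existing = path.read_text().splitlines() if path.exists() else []
    if any(entry.split()[:1] == [sender] for entry in existing):
        return False
    with path.open("a") as fh:
        fh.write(f"{sender}\tREDIRECT {target}\n")
    return True


def rebuild_map(map_path):
    """Regenerate the .db so smtpd sees the new entry on the next lookup."""
    subprocess.run(["postmap", f"hash:{map_path}"], check=True)


def quarantine_senders(lines, map_path, rebuild=rebuild_map):
    """Flag bursting senders, add REDIRECT entries, rebuild the map once if needed."""
    added = [s for s in detect_bursts(lines) if add_redirect(map_path, s)]
    if added:
        rebuild(map_path)
    return added


def demo():
    """Run over the constructed log in a temp dir with postmap stubbed out."""
    with tempfile.TemporaryDirectory() as tmp:
        map_path = Path(tmp) / "sender_access"
        lines = SAMPLE_MAILLOG.splitlines()
        first = quarantine_senders(lines, map_path, rebuild=lambda p: None)
        second = quarantine_senders(lines, map_path, rebuild=lambda p: None)  # no-op
        return {"added": first, "added_again": second, "map": map_path.read_text()}


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind when wiring this in. The access map is consulted when smtpd accepts the next message from that sender, so anything already sitting in the queue is not redirected by this mechanism. REDIRECT also replaces the envelope recipients, so the quarantine account only sees the original addressees in the To:/Cc: headers (Bcc recipients are not recoverable from the headers), which is what a release script like the one James mentions has to work from. Because the script is driven by the log rather than a fixed address, a spammer who switches to a new forged from is flagged again as soon as that address bursts.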

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Robert
Lopez
Sent: Wednesday, January 20, 2010 10:03 AM
To: MailScanner discussion
Subject: Force a sender's email to quarantine?

[In gmane I see this subject question has been asked, but I saw no
answer.]

We have an application that helps us shut down SPAM email being sent
out from a compromised account.
(Invariably compromised after the account owner replied to some phishing
email.)
The application tails the maillog and keeps data to detect when any
individual account starts to send a lot of email.
Right now the action is to send a page to our team.
We then access the gateway that sent the page and make a guess if it
could be legitimate or really a spammer.

We would like to change the application to put all of the email from
the identified account into a quarantine file.
Using postfix and MailScanner, we might have opportunities to use either
tool.

Due to MailScanner using the postfix hold queue to pass email to
MailScanner, I do not think we have the possibility of having postfix
put the selected email on hold.

I am looking for a way to use MailScanner to quarantine all the user's
email (whole message) as queue files.

Any suggestions as to which MailScanner features could be used to do
this?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
