limiting damage done by a compromised account

Stephen Swaney steve at fsl.com
Mon Jan 24 18:02:56 GMT 2011


Sean,

take a look at rate-limiting by Anthony Howe of Snertsoft. I quote below from:

http://www.snertsoft.com/sendmail/milter-limit/

This Sendmail mail filter aims to limit the number of messages by connecting client IP, sender, or recipient. It's intended to be a utility milter to control the flow of mail. It could be used on the outbound side like Hotmail's daily message limits to limit local user's consumption (particularly if they appear to be infected by a mass mailing worm); it could be used inbound as an alternative to grey-listing. It could be enabled and disabled as needed during periods of peak Internet activity such as during a virus outbreak or spam holiday season.

It’s free.

Our commercial products BarricadeMX and BarricadeMX Plus include a rate-limiting milter-limit feature and:

----------------------

smtp-strict-relay: (on or off)

Only allow outbound messages from our specified relays and where the sender is from one of the domains we route email from.
----------------------

rate-throttle=(no of seconds, default = 30)

# Overall client connections per second allowed before imposing a
# one second delay. Specify zero (0) to disable.
----------------------

Concurrent-Connect:ip
Concurrent-Connect:domain

This is used to specify the maximum number of concurrent connections an SMTP client is permitted at any one time. Specify an integer or zero (0) to disable. The bare tag can be used to specify a global setting. If an SMTP client exceeds the allotted number of connections, then the incoming connection is dropped, while existing connections continue.
----------------------

Msg-Limit-Connect:ip
Msg-Limit-Connect:domain
Msg-Limit-From:mail
Msg-Limit-To:mail

Used to limit the number of messages a SMTP client, sender, or recipient can send/receive in a given time period. A message limit is given as:
messages '/' time [unit]

which is the number of messages per time interval. The time unit specifier can be one of week, day, hour, minute, or seconds (note only the first letter is significant). A negative number for messages will disable any limit.
----------------------

Please contact me off list if you need more information.

Steve
-- 
Steve Swaney
steve at fsl.com
202 595-7760 ext: 601
www.fsl.com
The most accurate and cost effective anti-spam solutions available
 

On Jan 24, 2011, at 12:58 PM, Jason Ede wrote:

> Assuming you have some form of authentication for outgoing, you can limit the from address for emails to that of the account. Also, what about some form of rate limiting with alerting plugged in?
>  
>  
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Sean M. Schipper
> Sent: 24 January 2011 16:42
> To: mailscanner at lists.mailscanner.info
> Subject: limiting damage done by a compromised account
>  
> Hi,
> I use MailScanner (v4.79 on RH Linux with SpamAssassin & Clam) in front of Exchange 2010. Occasionally at our university we’ll have a student email in their login credentials in response to a phishing email that got through. We don’t scan outgoing messages since I don’t want to block outgoing emails except for this situation. I’m looking for advice on what to do to protect us from being a source of spam. We currently have a poor reputation from SenderBase which I’ve been unable to correct – any ideas on anything I can do to speed up this process would be welcome as well.
>  
> Thanks,
> Sean



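An added example, not part of the original post and not code from milter-limit or BarricadeMX: a parser for the `messages '/' time [unit]` limit syntax quoted above, driving a per-sender sliding-window counter that records an alert the first time a sender goes over. The class name, the seconds default for an omitted unit, and the sample address and timings are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# Only the first letter of the unit is significant (week, day, hour, minute, seconds).
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
LIMIT_RE = re.compile(r"^\s*(-?\d+)\s*/\s*(\d+)\s*([A-Za-z]*)\s*$")

def parse_limit(spec):
    """Parse "messages/time[unit]" into (messages, window_seconds); None = disabled."""
    m = LIMIT_RE.match(spec)
    if not m:
        raise ValueError(f"bad limit: {spec!r}")
    messages, span = int(m.group(1)), int(m.group(2))
    if messages < 0:          # a negative message count disables the limit
        return None
    # Assumption: an omitted unit means seconds; the quoted text does not say.
    unit = m.group(3)[:1].lower() or "s"
    if unit not in UNIT_SECONDS or span == 0:
        raise ValueError(f"bad limit: {spec!r}")
    return messages, span * UNIT_SECONDS[unit]

class SenderLimiter:
    """Hypothetical sliding-window limiter keyed by authenticated sender."""
    def __init__(self, spec):
        self.limit = parse_limit(spec)
        self.sent = defaultdict(deque)   # sender -> timestamps of accepted mail
        self.over = set()                # senders currently over their limit
        self.alerts = []                 # (sender, time) recorded once per breach

    def allow(self, sender, now):
        if self.limit is None:
            return True
        max_msgs, window = self.limit
        key = sender.lower()
        q = self.sent[key]
        while q and q[0] <= now - window:    # expire entries outside the window
            q.popleft()
        if len(q) >= max_msgs:
            if key not in self.over:         # alert on first rejection only
                self.over.add(key)
                self.alerts.append((key, now))
            return False
        self.over.discard(key)
        q.append(now)
        return True

if __name__ == "__main__":
    lim = SenderLimiter("3/1m")              # constructed policy: 3 messages per minute
    for t in (0, 10, 20, 30, 40, 61):        # constructed send times, in seconds
        print(t, lim.allow("student@example.edu", t))
    print(lim.alerts)
```

Keying on the authenticated sender rather than the header From address ties the counter to the compromised account, and the single alert per breach gives the operator a signal without one notification per rejected message.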