limiting damage done by a compromised account

John Baker johnnyb at marlboro.edu
Mon Jan 24 19:38:42 GMT 2011


I have also been struggling with this over the last year and have 
several pieces cobbled together. A key piece for me is that we use 
policyd greylisting and it has rate limiting as well. I believe that you 
can use rate limiting without greylisting. If you use SASL 
authentication for all mail you should be able to solve the problem with 
this. But if you don't or can't use SASL there are a few holes in it 
because you have to use envelope sender or IP instead and that can be 
fairly easily circumvented.

MailScanner can help a lot with catching phishing attempts before they 
get to students as well. ScamNailer http://www.scamnailer.info/ tags 
almost all of them to begin with. I use MailScanner's spam action rules 
with "attachment" to trigger a warning whenever something looks 
particularly suspiciously like a phishing attempt but isn't getting 
marked as spam. To trigger it I use ScamNailer, custom rules based on 
the attempts we have had, and a few RBLs.

If you can, let me know what you come up with. I'm still trying to 
perfect my system and am looking for more ideas.

Sean M. Schipper wrote:
> Hi,
> I use MailScanner (v4.79 on RH Linux with SpamAssassin & Clam) in front of Exchange 2010. Occasionally at our university we'll have a student email in their login credentials in response to a phishing email that got thru. We don't scan outgoing messages since I don't want to block outgoing emails except for this situation. I'm looking for advice on what to do to protect us from being a source of spam. We currently have a poor reputation from senderbase which I've been unable to correct - any ideas on anything I can do to speed up this process would be welcome as well.
>
> Thanks,
> Sean
>
>   


-- 
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 Cell: 451-6748
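
The rate-limiting point in the message above, as an added example that is not part of the original post and is not policyd's code: a per-hour recipient limit over Postfix policy-delegation attributes, keyed on the SASL login with the client IP as fallback, run beside an envelope-sender key on constructed requests. The limit, window, addresses, login name and all function names are assumptions made for the illustration.

```python
import time
from collections import defaultdict, deque

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def identity_key(attrs):
    """Prefer the authenticated SASL login; fall back to the client IP."""
    user = attrs.get("sasl_username", "")
    return "sasl:" + user.lower() if user else "ip:" + attrs.get("client_address", "unknown")

def sender_key(attrs):
    """Weaker key: the envelope sender, which the client chooses freely."""
    return "sender:" + attrs.get("sender", "").lower()

class RecipientRateLimiter:
    def __init__(self, key_func, limit=100, window=3600):
        self.key_func, self.limit, self.window = key_func, limit, window
        self.events = defaultdict(deque)   # key -> (timestamp, recipients)

    def check(self, attrs, now=None):
        now = time.time() if now is None else now
        q = self.events[self.key_func(attrs)]
        while q and q[0][0] <= now - self.window:
            q.popleft()                     # drop events outside the window
        count = max(int(attrs.get("recipient_count") or 0), 1)
        if sum(n for _, n in q) + count > self.limit:
            return "action=DEFER_IF_PERMIT Sending limit exceeded\n\n"
        q.append((now, count))
        return "action=DUNNO\n\n"

def run_sample(key_func):
    """Constructed sample: one login sends 5 messages of 40 recipients,
    each with a different envelope sender. Returns the count deferred."""
    limiter = RecipientRateLimiter(key_func, limit=100, window=3600)
    deferred = 0
    for i in range(5):
        req = ("request=smtpd_access_policy\nprotocol_state=END-OF-MESSAGE\n"
               f"sender=user{i}@example.edu\nrecipient_count=40\n"
               "client_address=192.0.2.10\nsasl_username=student1\n\n")
        reply = limiter.check(parse_request(req), now=1000.0 + i)
        deferred += reply.startswith("action=DEFER_IF_PERMIT")
    return deferred
```

Keyed on the login, the third and later messages in the sample are deferred; keyed on the envelope sender, none are, because each message lands in its own bucket.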


