How to block emails that FROM doesn't belongs to server domain list

Sergio secmas at gmail.com
Fri Aug 17 05:19:16 IST 2012


Thank you, Dave.

Actually my server is secure in a lot of aspects, but there is nothing you
can do about a weak password.

Right now my server blocks any IP that is trying to send more than 200
emails in an hour, and the blocked IP can be freed only after we talk to the
customer. If we find that the account was compromised, we change the
password.

But what I am looking for is to not let even 200 emails leave the server when
they are sent from a compromised account; we want to go one step ahead.

So far I have created some MCP rules that delete emails whose body
and/or subject has been used from a compromised account, but I am still
looking for something more automatic.

Regards,

Sergio

On Thu, Aug 16, 2012 at 3:08 PM, Dave Helton <dave at kd0yu.com> wrote:

> Patching the symptoms will not fix the cause.
>
> You might call the user if you're a small provider and provide a way for
> them to change their password.
>
> Disable the account login/email and wait for the user to call if there are
> too many.
>
> Chances are their email accounts are not the only thing compromised... I'd
> want to know.
>
> While this may seem like a drastic measure, do what you have to do before
> your IPs make it to the blacklists.
>
> If you have a spammer using an email account, chances are their spam
> messages are all the same.
>
> Learn SpamAssassin rules, start writing a few of them.
>
> I could go on... but, the bottom line is you are responsible for these
> servers.  Don't be afraid to pull some strings to protect what's yours.
>
> --Dave Helton, KD0YU
>
> *From:* mailscanner-bounces at lists.mailscanner.info [mailto:
> mailscanner-bounces at lists.mailscanner.info] *On Behalf Of *Sergio
> *Sent:* Thursday, August 16, 2012 3:20 PM
> *To:* MailScanner discussion
> *Subject:* Re: How to block emails that FROM doesn't belongs to server
> domain list
>
> Thanks to all for your input.
>
> What happens is this:
> My server is not an open relay and it has SPF and DomainKeys in it, and that
> is working great. The problem is when a hacker has obtained the password
> for an account, so he can send emails authenticating with the account
> that has been compromised. When a hacker has access to an account (I am
> almost sure that anyone on the list has seen this), he sends emails but
> the FROM is changed to something that is not a domain on the server; that
> is what I am looking to stop.
>
> Maybe a rule that could check that the FROM is not the same as the
> authenticated domain.
>
> Could this be done?
>
> Best Regards,
>
> Sergio
>
> ___________________________________________________________________
> This message has been scanned for viruses and dangerous content by *
> MailScanner* <http://www.mailscanner.info/>
> running on mail server *KD0YU.COM* <http://www.kd0yu.com/>, and is
> believed to be clean.
>
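
An added example, not part of the original thread and not MailScanner code: one way to express the check asked about above, comparing the header From domain with the authenticated login's domain and with the server's domain list. The function names, the sample domains and the assumption that the MTA hands the SMTP AUTH login to the check as a full address are all hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: domains hosted on this server (constructed sample values).
LOCAL_DOMAINS = {"example.com", "example.net"}


def domain_of(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = address.rpartition("@")
    return domain.lower().rstrip(".") if sep and local and domain else None


def check_from(raw_message, auth_login, local_domains=LOCAL_DOMAINS):
    """Classify a message submitted over authenticated SMTP.

    auth_login is the SMTP AUTH user name handed over by the MTA; it is
    assumed here to be a full address such as alice@example.com.
    Returns (verdict, reason) with verdict in {"accept", "hold", "reject"}.
    """
    auth_domain = domain_of(auth_login)
    if auth_domain is None:
        return "reject", "authenticated login carries no domain"
    from_headers = message_from_string(raw_message).get_all("From", [])
    if len(from_headers) != 1:
        return "reject", "expected exactly one From header"
    # getaddresses separates the display name from the real address, so a
    # display name that merely looks like a local address is ignored.
    addresses = [addr for _name, addr in getaddresses(from_headers)]
    for addr in addresses or [""]:  # an empty From counts as malformed
        domain = domain_of(addr)
        if domain is None:
            return "reject", "malformed From address"
        if domain not in local_domains:
            return "reject", f"From domain {domain} is not hosted here"
        if domain != auth_domain:
            return "hold", f"From domain {domain} differs from login domain"
    return "accept", "From domain matches the authenticated domain"


# Constructed sample: authenticated as alice@example.com, forged From.
SAMPLE = (
    'From: "alice@example.com" <promo@spam.invalid>\n'
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    print(check_from(SAMPLE, "alice@example.com"))
```

The "hold" verdict covers a From in another hosted domain, which may be legitimate for customers with several domains and is better queued for review than dropped.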