With Postfix, you could do this by enforcing client restrictions:<br><a href="http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch" target="_blank">http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch</a><br>
<br><div class="gmail_quote">On 17 August 2012 06:19, Sergio <span dir="ltr"><<a href="mailto:secmas@gmail.com" target="_blank">secmas@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thank you, Dave.<br><br>Actually my server is secure in a lot of aspects, but there is nothing you can do for a weak password.<br><br>Right now my server blocks any IP that is trying to send more than 200 emails in an hour and the blocked IP can be freed only after we talk to the customer. If we find that the account was compromised, we change the password.<br>
<br>But what I am looking for is to not even let 200 emails leave the server when they are sent from a compromised account; we want to go one step ahead.<br><br>By now I have created some MCP rules that delete emails whose body and/or subject has been used in a compromised account, but I am still looking for something more automatic.<br>
<br>Regards,<br><br>Sergio<br><br><div class="gmail_quote"><div><div>On Thu, Aug 16, 2012 at 3:08 PM, Dave Helton <span dir="ltr"><<a href="mailto:dave@kd0yu.com" target="_blank">dave@kd0yu.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>
<div link="blue" vlink="purple" lang="EN-US"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Patching the symptoms will not fix the cause.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">You might call the user if you're a small provider and provide a way for them to change their password.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Disable the account login/email and wait for the user to call if there are too many.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Chances are their email accounts are not the only thing compromised... I'd want to know.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">While this may seem like a drastic measure, do what you have to do before your IP's make it to the blacklists.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">If you have a spammer using an email account, chances are their spam messages are all the same.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Learn SpamAssassin rules, start writing a few of them.<u></u><u></u></span></p><p class="MsoNormal">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I could go on... but, the bottom line is you are responsible for these servers. Don't be afraid to pull some<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">strings to protect what's yours.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">--Dave Helton, KD0YU<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt"><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a> [mailto:<a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a>] <b>On Behalf Of </b>Sergio<br>
<b>Sent:</b> Thursday, August 16, 2012 3:20 PM<br><b>To:</b> MailScanner discussion<br><b>Subject:</b> Re: How to block emails that FROM doesn't belongs to server domain list<u></u><u></u></span></p></div></div><div>
<div>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal" style="margin-bottom:12.0pt">Thank you all for your inputs.<br><br>What happens is this:<br>My server is not Open Relayed and it has SPF and DOMAINKEYS in it and that is working great. The problem is when a hacker has obtained the password from an account, so he can send emails authenticating with the account that has been compromised. When a hacker has access to an account (I am almost sure that anyone on the list has seen this), he sends emails but the FROM is changed to something that is not a domain on the server; that is what I am looking to stop.<br>
<br>Maybe a rule that could check that the FROM is not the same as the authenticated domain.<br><br>Could this be done?<br><br>Best Regards,<br><br>Sergio<br><br><u></u><u></u></p></div></div><p><span style="color:darkblue">___________________________________________________________________ <br>
</span><span style="font-size:7.5pt;font-family:"Verdana","sans-serif";color:darkblue">This message has been scanned for viruses and dangerous content by <a href="http://www.mailscanner.info/" target="_blank"><b>MailScanner</b></a> <br>
running on mail server <a href="http://www.kd0yu.com/" target="_blank"><b>KD0YU.COM</b></a>, and is believed to be clean.</span><span style="color:darkblue"> <u></u><u></u></span></p></div></div><p style="color:darkblue">
</p></div>
<br></div></div><div>--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<br>
<br></div></blockquote></div><br>
<br></blockquote></div><br>
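A minimal Postfix configuration for the restriction linked at the top of this message, added here as an illustration and not taken from any poster's server. The domain example.com, the login names and the table path /etc/postfix/sender_login are assumptions. It binds each envelope sender (MAIL FROM) address to the SASL login allowed to use it, so an authenticated client that supplies a sender it does not own is rejected at MAIL FROM.

```ini
# /etc/postfix/main.cf  (fragment; table path is an assumed location)

# Lookup table: envelope sender address -> SASL login name(s) that own it.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# Evaluated at MAIL FROM, in order. The mismatch check has to come before
# permit_sasl_authenticated, because a permit ends evaluation of this list
# and the check would never run for logged-in clients.
# reject_sender_login_mismatch also rejects unauthenticated clients that use
# an address listed in the table; to check logged-in clients only, use
# reject_authenticated_sender_login_mismatch instead.
smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    permit_sasl_authenticated

# /etc/postfix/sender_login  (constructed sample entries)
# After editing, rebuild the index with: postmap /etc/postfix/sender_login
# key = envelope sender address, value = owning SASL login name(s)
alice@example.com     alice@example.com
sales@example.com     alice@example.com, bob@example.com
# An "@domain" key has the lowest precedence and covers every other
# address in that domain.
@example.com          postmaster@example.com
# A sender that matches no key (for instance an address in a domain not
# hosted here) has no owner, so a logged-in client using it is rejected.
```

This compares the SMTP envelope sender only. The From: header inside the message is not checked by this restriction, so a forged header still has to be caught by a content rule.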