On Wed, 2019-05-08 at 16:45 +0000, Stefan Bauer via mailop wrote:
> we have in place:
>
> only allow pre-defined sender-addresses after auth
> monitor mail-queues for high connection count
> monitor RBLs if we're listed
> only allow single mail / 5s to be sent outgoing
> anti-virus checking of attachments
Hi Stefan,

off the top of my head I would add:

* Monitor abuse@ and make sure that this address a) exists for your client domains and b) you receive a copy of messages sent to them.
* Restrict access to the submission port to either the client IP range.
* Lock accounts after X failed logins and get an alert about that.
* Have a third (failover/fallback) sending capability with a different data centre. Periodically route enough email through that to ensure that it will not be throttled in case you need it. But, don't use it as a primary.
* Understand what your normal usage profile looks like - graph the mail queues. This will help you build policies / tech. around detecting unusual behaviour. E.g. tougher throttling outside of business hours etc.
* Add a custom header (X-abuse) to make it clear where the email came from and how to report abuse of your service.
* Make it clear on your website how a non-customer can contact you to report abuse.
* Run a cut-down spam filter on the outbound mails (look for stuff like freemail reply-to addresses, fuzzy checksum hits, spam URLs). Some of that will be false positives so just put it into a holding queue and create a service desk ticket for it to be reviewed.
* Have a clear upgrade path in case they wish to send marketing emails. If you don't, they will just try to send them through your platform.
* Publish an Acceptable Use Policy (AUP) and make them agree to it as a pre-condition to using your service. Spamhaus have a good template to start from on their website.
* Monitor bounces and tie that in with your monitoring solution.
* Monitor the health of your clients' connecting IPs (and possibly website). Any indication of a compromised site is grounds for locking the account until a human can review.

There is likely more, above is, as I said, off the top of my head.

Good luck.

Ken.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
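The "lock accounts after X failed logins" and "one mail / 5s outgoing" controls discussed in this thread, as an added example that is not part of the list posts: a small Python checker run over constructed, Postfix-style submission log lines. The log format, field names, the lockout threshold of 5 and the 5-second gap are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a Postfix-like submission style (not real logs).
# alice: five consecutive auth failures -> should be locked.
# bob: two sends one second apart -> rate alert; third send 7 s later is fine.
SAMPLE_LOG = """\
2019-05-08T16:40:01 submission auth user=alice@example.com result=fail ip=203.0.113.7
2019-05-08T16:40:03 submission auth user=alice@example.com result=fail ip=203.0.113.7
2019-05-08T16:40:05 submission auth user=alice@example.com result=fail ip=203.0.113.7
2019-05-08T16:40:06 submission auth user=alice@example.com result=fail ip=203.0.113.7
2019-05-08T16:40:07 submission auth user=alice@example.com result=fail ip=203.0.113.7
2019-05-08T16:41:00 submission auth user=bob@example.com result=ok ip=198.51.100.2
2019-05-08T16:41:01 submission send user=bob@example.com to=x1@example.net
2019-05-08T16:41:02 submission send user=bob@example.com to=x2@example.net
2019-05-08T16:41:09 submission send user=bob@example.com to=x3@example.net
"""

# Assumed line layout: "<iso timestamp> submission <auth|send> user=<acct> [result=<ok|fail>] ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) submission (?P<event>auth|send) user=(?P<user>\S+)(?: result=(?P<result>\S+))?")


def analyse(log_text, max_failed=5, min_gap=timedelta(seconds=5)):
    """Return (accounts_to_lock, rate_alerts).

    accounts_to_lock: sorted accounts that reached max_failed consecutive auth failures.
    rate_alerts: (account, timestamp) for each send closer than min_gap to that
    account's previous send, i.e. a breach of the one-mail-per-5-seconds limit.
    """
    failed = defaultdict(int)   # consecutive auth failures per account
    last_send = {}              # timestamp of the last accepted send per account
    lock, rate_alerts = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrelated log line
        ts, user = datetime.fromisoformat(m["ts"]), m["user"]
        if m["event"] == "auth":
            if m["result"] == "fail":
                failed[user] += 1
                if failed[user] >= max_failed:
                    lock.add(user)        # alert + lock would be raised here
            else:
                failed[user] = 0          # a successful login resets the counter
        else:
            prev = last_send.get(user)
            if prev is not None and ts - prev < min_gap:
                rate_alerts.append((user, ts.isoformat()))
            last_send[user] = ts
    return sorted(lock), rate_alerts
```

In production the same logic would run on a log tail rather than a string, and the lock would feed the alerting and service-desk flow Ken describes.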