* Paolo Supino <[EMAIL PROTECTED]> [2007-04-12 22:12]:
> Hi
>
> I have the following problem: I host a group of Windows servers that
> run a webapp using IIS6 ASP technology. The webapp was written and is
> maintained by a small private company that develops custom webapps for
> companies. One of the services the webapp does is send out emails
> (nothing amazing until now). The problem is that the webapp isn't
> written securely. The developers keep saying the webapp is secure and
> isn't the problem. Bringing someone from the outside to prove them wrong
> has failed thus far. Showing logs and showing network access also proved
> futile. The webapp is (ab)used by spammers to relay spam emails, which
> caused the webapp's IP address to be added to various spam black lists
> :-( I'm sure the ASP is the problem because only HTTP and HTTPS are
> accessible on these servers. The website itself is hidden behind a
> firewall and the SMTP port isn't reachable. I'm in the process of replacing
> the current firewall (Mikrotik's RouterOS, a Linux based OS) with
> OpenBSD and I thought of using spamd to block outgoing spam emails. I've
> started reading about spamd and usage scenarios, but thus far only found
> spamd being used on incoming emails. Did anyone use spamd to block
> outgoing spam emails? Is what I want to do possible (in combination with PF)?
> Other solutions will also be appreciated, obviously based on OpenBSD :-)

While you can use spamd to do this, you do not need to.
What you want to do is make the webapp unattractive to spammers. Ideally, the webapp should talk to a real mail server to forward its outgoing SMTP messages, and you can limit messages sent on the MTA right there.

Failing that, if it sends crap directly out via port 25, simply make it so it can't send out to port 25 very quickly, using max-src-conn-rate at an appropriate rate.

But the ideal solution is really to ensure the webapp does all its SMTP from a specific mail server, which is configured appropriately for rate limiting and ensuring an appropriate source address with no relaying, and then you simply do not allow the web app machine to make port 25 connections to elsewhere.

-Bob
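The two PF measures Bob describes (rate-limit the webapp host's port 25 connections with max-src-conn-rate, and allow it to reach only one designated mail server) can be expressed in a single pf.conf fragment. The following is an added illustration, not Bob's or Paolo's configuration; the interface name, the addresses (documentation range) and the 20-per-minute rate are assumptions chosen for the example and would be adjusted to the real site.

```pf
# Added example (not from the thread): pf.conf fragment for the OpenBSD
# firewall in front of the IIS/ASP webapp host.
# Interface, addresses and rate below are assumptions for illustration.
int_if  = "em1"          # interface facing the hosted servers (assumed)
webapp  = "192.0.2.10"   # the IIS/ASP host (assumed, documentation range)
mailsrv = "192.0.2.25"   # the only MTA the webapp may deliver through (assumed)

# Sources that exceed the rate are collected here; the table survives
# rule reloads because of 'persist'.
table <smtp_abusers> persist

# Anything already flagged as an abuser is refused on port 25, and logged.
block return log quick on $int_if proto tcp from <smtp_abusers> to any port smtp

# The webapp host may open SMTP connections only to the designated MTA.
# More than 20 new connections within 60 seconds puts the source into
# <smtp_abusers>, tears down its existing states ('flush global') and,
# via the rule above, blocks further attempts.
pass in quick on $int_if proto tcp from $webapp to $mailsrv port smtp \
    flags S/SA keep state \
    (max-src-conn-rate 20/60, overload <smtp_abusers> flush global)

# Every other outbound SMTP attempt from the webapp host is rejected and
# logged. Hits on this rule are the evidence that the app is relaying.
block return log quick on $int_if proto tcp from $webapp to any port smtp
```

Load it with `pfctl -f /etc/pf.conf` (or check the syntax first with `pfctl -nf /etc/pf.conf`). Blocked attempts show up in pflog and can be read with `tcpdump -n -e -ttt -r /var/log/pflog port 25`, which is the kind of firewall-side evidence that is independent of the developers' claims about the application. Entries in the table can be aged out periodically with `pfctl -t smtp_abusers -T expire 3600` from cron, so a single burst does not lock the host out of its own mail server for good; the MTA at `$mailsrv` still needs its own relay restrictions and rate limits, as Bob notes, since PF only limits connections, not messages per connection.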