On Tue, 2010-03-16 at 15:40 +0100, Vegard Svanberg wrote:
> Hi,
>
> we are trying to mitigate the impact of having infected users, brute
> force hacked webmail accounts etc. sending (large amounts of) outbound
> spam.
>
> The best idea we've come up with so far is to perform outbound spam
> filtering following these rules (it's a bit more complicated than this,
> but this is the big picture):
>
> - Spam scoring (SpamAssassin). If spam:
>   - Put the mail on hold
>   - Add an iptables rule rejecting the IP
>   - Notify postmaster/abuse
>
Also,

* Implement ratelimits both inside postfix and in webmail
* Have strong password policies
* Sign up for Feedback loops and monitor the feedback address closely
* In webmail write scripts to alert you if someone adds a large multiline signature

We tried blocking outbound spam using a commercial scanner but the FPs are far too many to be used in production. So we just alert a human on these spams and manually intervene if the account needs to be blocked. Of course some spams do get through by the time :-(
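As an added illustration of the "alert a human" approach in this reply (not code from the thread or from Postfix), the script below scans Postfix smtpd log lines for authenticated accounts that submit an unusual burst of messages, the kind of signal a hijacked webmail account produces. The threshold, window and log lines are all constructed assumptions; Postfix does record `sasl_username=` on smtpd lines as shown.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed policy: more than MAX_MSGS submissions by one SASL account within
# WINDOW seconds is flagged for a human to review, not blocked automatically.
MAX_MSGS = 3
WINDOW = 600  # seconds

# Postfix smtpd records the authenticated submitter as sasl_username=...
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<client>\S+?),.*?sasl_username=(?P<user>\S+)"
)

def parse_ts(ts, year=2010):
    # Syslog timestamps carry no year; assume one so window arithmetic works.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()

def find_bursty_accounts(lines, max_msgs=MAX_MSGS, window=WINDOW):
    """Return {sasl_username: peak_count} for accounts that sent more than
    max_msgs messages inside any window-second interval."""
    recent = defaultdict(deque)  # user -> submission times still in the window
    flagged = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unauthenticated clients and non-smtpd lines carry no sasl_username
        user, t = m["user"], parse_ts(m["ts"])
        q = recent[user]
        q.append(t)
        while q and t - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) > max_msgs:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
Mar 16 15:40:01 mx1 postfix/smtpd[1234]: 1A2B3C: client=host1.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.net
Mar 16 15:40:05 mx1 postfix/smtpd[1234]: 1A2B3D: client=host2.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.net
Mar 16 15:40:09 mx1 postfix/smtpd[1235]: 1A2B3E: client=host2.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.net
Mar 16 15:40:12 mx1 postfix/smtpd[1235]: 1A2B3F: client=host2.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.net
Mar 16 15:40:15 mx1 postfix/smtpd[1236]: 1A2B40: client=host2.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.net
Mar 16 15:41:00 mx1 postfix/smtpd[1238]: 1A2B42: client=unknown[203.0.113.5]
Mar 16 16:10:00 mx1 postfix/smtpd[1237]: 1A2B41: client=host1.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.net
"""

if __name__ == "__main__":
    for user, n in find_bursty_accounts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {user}: {n} submissions within {WINDOW}s, hold for review")
```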