> At many Universities there is a continual problem with accounts being phished
> and used to send spam. We have a number of measures that catch stolen
> accounts but they take a little bit of time to block outgoing email.
>
> Ideally I'd like to hold email to either a new address or a new
> address, sender, sender IP triplet like greylisting uses. Even holding for a
> minute would give us enough time to lock the account and remove all incentives
> to phish our accounts (I hope).
>
> Is anyone aware of a greylisting type policy server that can use a
> specific header, containing the sender IP, or one that just uses the
> destination address?
We solved our cracked passwords with sender rate limiting. I looked back 30 days of maillogs, and harvested all the legit senders who send large volumes, and "whitelisted" them from below. I used postfwd rate limiting to HOLD on our outbound gateway any other senders that send more than x msgs in y minutes. Monit emails me when the HOLD queue (which should always be empty) gets 10 items. We delete the HOLDed crap, and add new legit volume senders to the whitelist and release their msgs from the HOLD queue. So with a password crack, we end up with 150K msgs in our outbound HOLD queue, rather than sending out 150K of garbage.

Len
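A replay of the policy Len describes over constructed log lines, added here as an example (not postfwd's code and not from the thread): harvest high-volume SASL users as whitelist candidates, then apply an x-messages-in-y-seconds sliding window per sasl_username and report which queue IDs would have been HOLDed. The Postfix smtpd log format, the year, and the sample users are assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Assumed Postfix smtpd line shape; only the timestamp, queue id and SASL user matter.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-Z]+): client=.*sasl_username=(?P<user>\S+)")

def parse(line):
    """Return (timestamp, queue_id, sasl_username) or None for non-smtpd lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")  # year assumed
    return ts, m["qid"], m["user"]

def harvest_whitelist(lines, min_total):
    """The '30 days of maillogs' step: users above min_total are candidates to vet by hand."""
    counts = Counter(rec[2] for rec in map(parse, lines) if rec)
    return {user for user, n in counts.items() if n >= min_total}

def hold_decisions(lines, limit, window_s, whitelist):
    """Per-user sliding window: more than `limit` messages within window_s -> HOLD."""
    recent = defaultdict(deque)
    verdicts = {}
    for rec in map(parse, lines):
        if rec is None:
            continue                      # qmgr/cleanup lines carry no SASL user
        ts, qid, user = rec
        if user in whitelist:             # legit bulk senders are never rate limited
            verdicts[qid] = "DUNNO"
            continue
        q = recent[user]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                   # evict sends that fell out of the window
        q.append(ts)
        verdicts[qid] = "HOLD" if len(q) > limit else "DUNNO"
    return verdicts

def _line(sec, qid, user):   # constructed sample line
    return (f"Mar  3 10:00:{sec:02d} mx postfix/smtpd[1201]: {qid}: "
            f"client=lab[10.0.0.5], sasl_method=PLAIN, sasl_username={user}")

# Constructed sample: a list server and a cracked account both send 5 msgs in 5 s.
SAMPLE_LOG = ([_line(s, f"LIST{s}", "listserv") for s in range(5)]
              + [_line(s, f"BOB{s}", "bob") for s in range(5)]
              + [_line(7, "ALICE0", "alice"),
                 "Mar  3 10:00:09 mx postfix/qmgr[1300]: QM1: from=<bob@example.edu>, size=812"])

if __name__ == "__main__":
    print(hold_decisions(SAMPLE_LOG, limit=3, window_s=60, whitelist={"listserv"}))
```

With limit=3 and a 60-second window, bob's fourth and fifth messages land in HOLD while the whitelisted list server passes untouched, which is the queue Monit would alert on.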