On 04/04/2011 06:49 PM, Bailey, Damian S. wrote:
> Good afternoon!
> Our school district has been using a Postfix/Amavis/SpamAssassin
> config for over a year now with good results. Just recently, however,
> I've noticed that my mail filtering box has been hit by a spammer that
> uses a handful of email addresses to send mail to all legitimate
> senders in our domain. This caused my filter to queue up mail into
> the 1700+ range, effectively delaying mail delivery.
> We already reject mail going to undeliverable recipients by querying
> LDAP via a perl script.

Urk ? You do realize that postfix has built-in LDAP support, yes ?

> Granted, all the mail in question was dumped as spam, but it still
> caused mail to be delayed. Is there a way in Postfix that I can flag
> or alert if a certain sender is attempting to send more than X emails
> in a certain time?

You can block them from doing that; read this part of the TUNING README:
http://www.postfix.org/TUNING_README.html#conn_limit

> At this point I am not allowed to turn on "check for legitimate
> senders" to block mail from falsified email addresses, for fear of
> lost legitimate email from poorly-configured mail servers and DNS records.
> For instance, say we have 500 employees with email accounts. If I
> have a single sender that sends to more than 200 of them, I would want
> to review it as a possible spamming attack.
> Has anyone run into this?

How much of a problem $random_spam is depends heavily on the
preventative measures in place, and where you use them.
Proper DNS blacklisting and HELO checks go a long way to keeping your
connections away from expensive spamassassin processes, and tying up
legitimate SMTP connections.
If you're using postfix 2.8, look into postscreen(8) for a very
effective way to cut down on the chatter from spammers.
--
J.
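
Added example, not part of the original message or of Postfix: a log check for the "single sender that sends to more than 200 of them" case, which counts distinct recipients per envelope sender inside a sliding time window. It assumes chronological Postfix syslog lines with short hexadecimal queue IDs; `flag_senders`, the sample log and every address in it are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix syslog line: "Mon DD HH:MM:SS host postfix/daemon[pid]: QUEUEID: text"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)$")
FROM = re.compile(r"from=<([^>]*)>")
TO = re.compile(r"to=<([^>]*)>")

def flag_senders(lines, max_rcpts, window, year=2011):
    """Map each envelope sender that reached more than max_rcpts distinct
    recipients inside one sliding window to its peak recipient count."""
    sender_of = {}               # queue ID -> envelope sender (qmgr line)
    recent = defaultdict(deque)  # sender -> (time, recipient) still in window
    peak = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # syslog omits the year, so the caller supplies one (assumption)
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        qid, text = m.group(2), m.group(3)
        if (f := FROM.match(text)):
            sender_of[qid] = f.group(1).lower()
        elif (t := TO.match(text)) and qid in sender_of:
            sender = sender_of[qid]
            q = recent[sender]
            q.append((when, t.group(1).lower()))
            while when - q[0][0] > window:   # drop deliveries older than window
                q.popleft()
            peak[sender] = max(peak[sender], len({rcpt for _, rcpt in q}))
    return {s: n for s, n in peak.items() if n > max_rcpts}

# Constructed sample log (hosts, addresses and queue IDs are made up).
SAMPLE_LOG = """\
Apr  4 18:00:01 mx postfix/qmgr[911]: A1B2C3D4E5: from=<bulk@sender.example>, size=2048, nrcpt=3 (queue active)
Apr  4 18:00:02 mx postfix/smtp[920]: A1B2C3D4E5: to=<alice@district.example>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 OK)
Apr  4 18:00:02 mx postfix/smtp[921]: A1B2C3D4E5: to=<bob@district.example>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 OK)
Apr  4 18:00:40 mx postfix/smtp[920]: A1B2C3D4E5: to=<carol@district.example>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 OK)
Apr  4 18:05:00 mx postfix/qmgr[911]: 0D1E2F3A4B: from=<list@news.example>, size=900, nrcpt=1 (queue active)
Apr  4 18:05:01 mx postfix/smtp[920]: 0D1E2F3A4B: to=<alice@district.example>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 OK)
Apr  4 19:30:00 mx postfix/qmgr[911]: 5C6D7E8F90: from=<list@news.example>, size=900, nrcpt=1 (queue active)
Apr  4 19:30:01 mx postfix/smtp[920]: 5C6D7E8F90: to=<bob@district.example>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 OK)
Apr  4 21:00:00 mx postfix/qmgr[911]: 1A2B3C4D5E: from=<list@news.example>, size=900, nrcpt=1 (queue active)
Apr  4 21:00:01 mx postfix/smtp[920]: 1A2B3C4D5E: to=<carol@district.example>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 OK)
""".splitlines()

if __name__ == "__main__":
    for sender, n in flag_senders(SAMPLE_LOG, 2, timedelta(minutes=10)).items():
        print(f"review {sender}: {n} distinct recipients within 10 minutes")
```

For the case in the message, the call would use a threshold of 200 and whatever window counts as "a certain time" on the site.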