On 7/24/2012 2:08 AM, CSS wrote:

> Perhaps I'm misunderstanding this, but I was under the impression that the
> anvil limits were all enforced on a per-connection or per-IP limit. I'm
> really after something that can track a particular sasl-authenticated user
> and punish them (and not other users). I'll re-read what I can find on anvil
> again, the recommendations against its use in this situation may have been
> dated.

It's per client IP. But Postfix logs client IP with or in proximity to the SASL username, so it shouldn't be hard to x-reference the user who starts tripping anvil. But you'll want a log monitor that emails you when anvil trips, so you can disable compromised accounts, not allowing them to continue leaking, hitting traps, getting you blacklisted, etc.

>>> Are there any other specific policy daemons I've missed that deal
>>> explicitly with rate-limiting?
>>
>> Probably. But I think you summarily discounted the inbuilt Postfix
>> equivalent too quickly, without even looking at it. You can have it
>> running in less than 60 seconds.
>
> Which I may just do in hopes it can provide a base level of protection.

-o smtpd_client_connection_rate_limit=10

may be a good starting point. Road warriors can thus blast 10 saved msgs at full throttle, but msg 11 will have to wait until 60s after the first msg. After the 2nd/3rd email notification from your anvil watcher, you can be certain you have a compromised account (or a misbehaving user). If you/staff are able to react in 5 minutes, only 50 spams have escaped. Obviously full automation of account disabling along with staff notification would be preferable. Scripting all this shouldn't be too difficult.

> I've worked with end users since 1995.

You sir are a saint.

> They aren't changing. In fact, the facebook-ization of the internet is
> bringing us right back to the good old AOL days of walled gardens. Users are
> getting less, not more savvy.

Percentage wise I'd say savvy-ness is the same. Problem is we have ~100M more internet users (US anyway) than in '95. So yes, total number of dumb users has increased many fold, no argument there.

> Funny, as I was speaking to my partner about this issue and he was wondering
> why all the spam wars are being fought on the recipient end - so many cpu
> cycles and hardware to filter the 20% or so of good mail from the bad. He
> could not grasp why the source of the spam could not be legislated away.

Heheh. That conversation can't have been as brief as you allude. ;)

> I had suspected a guessable password, and I was wrong. This customer
> routinely calls in with various issues and the tech that works with them has
> the password so he can login to webmail as the customer and verify whatever
> oddity they see. It was not the best, but it was random, mixed-case, mixed
> numbers and letters. Was it a *unique* password? Probably not...

So if it wasn't guessed, how was it obtained? This user sounds like a phish target, all the hand holding.

>> The user related stuff wins this war. The tech portion merely decreases
>> the amount of damage per clueless user battle.
>
> The war will be lost.

That's the spirit! I won't predict the end game, but we can all agree the war against spam will last a long time. Also depends on the definition of 'win'. If we can get down to 1 spam in the inbox per week per worldwide "average" user, I'd call the war 'won'. One per day would be 'winning'.

> TimeWarner, Comcast, Verizon and everyone else is not going to either lose
> customers by cutting off the ever-infected clueless or spend time (money)
> educating them...

They lose thousands of customers/day to one another just over pricing specials and promos. They wouldn't care one bit if they shed a few thousand problem users. They're likely losing profit on them anyway due to support calls and technician visits to reset modems and bs like that. Likely less phone costs now that most farm level 1 to India.

--
Stan
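
The cross-referencing described in the message above, sketched as an added example that is not part of the original post: it maps anvil rate-limit warnings back to the SASL username last seen from the same client IP. The log line shapes are assumed to follow Postfix smtpd's usual syslog output, the sample lines are constructed, and `correlate` and its `alert_after` threshold are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix syslog style (not from a real system).
SAMPLE_LOG = """\
Jul 24 02:00:01 mx postfix/smtpd[2101]: 4A1B2C3D: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jul 24 02:00:02 mx postfix/smtpd[2102]: 5B2C3D4E: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jul 24 02:00:09 mx postfix/smtpd[2110]: warning: Connection rate limit exceeded: 11 from unknown[192.0.2.10] for service submission
Jul 24 02:00:10 mx postfix/smtpd[2111]: warning: Connection rate limit exceeded: 12 from unknown[192.0.2.10] for service submission
Jul 24 02:00:30 mx postfix/smtpd[2120]: warning: Connection rate limit exceeded: 11 from unknown[203.0.113.5] for service smtp
"""

# Assumed line shapes: the SASL login line and the rate-limit warning from smtpd.
SASL_RE = re.compile(
    r"client=\S*\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)")
TRIP_RE = re.compile(
    r"warning: Connection rate limit exceeded: \d+ from \S*\[(?P<ip>[^\]]+)\]")


def correlate(lines, alert_after=2):
    """Return (flagged, unattributed).

    flagged: {sasl_username: trips} for users whose client IP tripped the
    limit at least `alert_after` times; unattributed: sorted IPs that
    tripped the limit with no SASL login seen from them.
    """
    users_by_ip = defaultdict(set)   # client IP -> SASL usernames seen from it
    trips_by_user = defaultdict(int)
    unattributed = set()
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            users_by_ip[m["ip"]].add(m["user"])
            continue
        m = TRIP_RE.search(line)
        if not m:
            continue
        users = users_by_ip.get(m["ip"])
        if not users:
            unattributed.add(m["ip"])   # likely an unauthenticated client
            continue
        for user in users:              # shared IPs implicate every user seen
            trips_by_user[user] += 1
    flagged = {u: n for u, n in trips_by_user.items() if n >= alert_after}
    return flagged, sorted(unattributed)


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG.splitlines()))
```

Several users behind one NAT address are all counted, so a flagged name is a lead for staff to check before disabling the account.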