On Tue, Oct 16, 2012 at 09:15:54AM -0400, Wietse Venema wrote:
> Kaleb Hosie:
> > We host a mail server which runs Postfix and there have been a
> > few times where one of our clients' computers becomes infected
> > with malware and the password is compromised.
> >
> > How this has come to my attention is because every once in a
> > while, I will log in to the mail server and see an unusually
> > large mail queue which is all being sent to one domain.
> >
> > Is it possible to monitor the queue automatically and have it
> > send me an alert if the postfix queue reaches over a certain
> > threshold?
>
> To fight symptoms, run a cron job every 10 minutes or so:

snip

> To throttle clients that send too much mail, see postfwd,
> policyd and the like.

+1, you need to be proactive against this kind of thing. In addition to client rate limiting, you should use content filtering of your submission stream. The vast majority of such ratware will have URIBL-listed content in the spew, so SpamAssassin URIBL lookups are likely to be very effective. This is the growing threat against email, given the overall success of DNSBLs against the previous generation of ratware.

-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
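
A queue-threshold check of the kind asked about in the thread, as an added example; it is not the snipped script or any poster's code. The threshold of 200, the script path, the `run` argument and the sample listing are assumptions, and the parsing expects the traditional `postqueue -p` listing layout.

```shell
#!/bin/sh
# Added example (not from the thread): alert when the Postfix queue is large.
# Assumed cron entry; script path and the "run" argument are hypothetical:
#   */10 * * * * /usr/local/sbin/queue-alert.sh run
THRESHOLD=${THRESHOLD:-200}   # assumed alert threshold, in queued messages

# Count queued messages in `postqueue -p` output read from stdin.
# An entry starts with a queue ID (optionally flagged * or !) and a size.
queue_count() {
    awk '/^[0-9A-Za-z]+[*!]?[ \t]+[0-9]+[ \t]/ { n++ } END { print n + 0 }'
}

# Print the most common recipient domain. Recipient lines are indented and
# hold a single address; deferral reasons in parentheses are skipped.
top_domain() {
    awk '/^[ \t]+[^ \t(]+@[^ \t]+$/ { sub(/^.*@/, ""); d[tolower($0)]++ }
         END { for (k in d) if (d[k] > max) { max = d[k]; best = k }
               if (max) print best " (" max " recipients)" }'
}

# Print one ALERT line when the queue is at or above THRESHOLD; cron mails
# any output to MAILTO, so silence means the queue is below the threshold.
check_queue() {
    listing=$(cat)
    total=$(printf '%s\n' "$listing" | queue_count)
    [ "$total" -ge "$THRESHOLD" ] || return 0
    top=$(printf '%s\n' "$listing" | top_domain)
    echo "ALERT: $total messages queued (threshold $THRESHOLD); top recipient domain: ${top:-unknown}"
}

# Constructed sample listing (not from a real server), for offline testing.
sample_listing() {
cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A1B0C4D*    1523 Tue Oct 16 09:01:12  user@client.example
                                         a@target.example

7C9D0E1F2A     1498 Tue Oct 16 09:01:13  user@client.example
(connect to mx.target.example[192.0.2.10]:25: Connection timed out)
                                         b@target.example
                                         c@target.example

9B8A7C6D5E     2210 Tue Oct 16 09:02:40  staff@client.example
                                         friend@other.example

-- 5 Kbytes in 3 Requests.
EOF
}

if [ "${1:-}" = "run" ]; then postqueue -p | check_queue; fi
```

Reporting the top recipient domain alongside the count surfaces the "all being sent to one domain" pattern from the original question in the alert itself.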