On Wed, Dec 12, 2012 at 08:18:34PM +0530, Ram wrote:
> Our client's postfix servers are frequently getting attacks
> using compromised accounts.
> In most cases it seems the spammer simply uses a phished
> username/password, sends a whole lot of 419ers until we manually
> change the password, but the damage is already done.
>
> Implementing ratelimits is not really helping because ultimately
> the mail will go through after the anvil time.

Rate limits help a great deal if you use the right tool for the job;
anvil(8) is not the right tool. As others suggested, postfwd is capable
of this. Another choice is policyd.

> Since the legitimate users are extremely low email users, I
> can safely block "anyone" permanently who sends more than 1
> mail in 10s with zero FPs.
>
> How can I do this?

I would check the SASL credentials, and when used in excess of your
chosen time limit, reject or hold anything from that SASL user until
manually reviewed. The choice of reject or hold depends on local
considerations: do you want phone calls from a frustrated real user who
inadvertently triggered the limit somehow? Do you want forensic evidence
of the malware?
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
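As an added illustration of the per-SASL-user check rob0 describes (example code written for this page, not from the thread, postfwd or policyd): a minimal Postfix SMTPD access policy server that counts sends per sasl_username over a sliding window and answers HOLD once the limit is exceeded. The "more than 1 mail in 10s" threshold is Ram's; the HOLD verdict text, the class and function names, and the listening address are assumptions.

```python
import socketserver
import time
from collections import deque

MAX_MESSAGES, WINDOW_SECONDS = 1, 10.0   # the thread's "more than 1 mail in 10s"
# Local choice, as the reply notes: HOLD keeps the evidence in the hold queue,
# REJECT would bounce the mail to the (compromised) sender instead.
OVER_LIMIT_ACTION = "HOLD rate limit exceeded; account under review"

class SaslRateLimiter:
    """Sliding window per SASL user; offenders stay blocked until unblock()."""
    def __init__(self, max_messages=MAX_MESSAGES, window=WINDOW_SECONDS):
        self.max_messages, self.window = max_messages, window
        self.history = {}          # sasl_username -> deque of send timestamps
        self.blocked = set()       # users awaiting manual review

    def check(self, user, now):
        if user in self.blocked:
            return False
        q = self.history.setdefault(user, deque())
        while q and now - q[0] > self.window:   # forget sends outside the window
            q.popleft()
        q.append(now)
        if len(q) > self.max_messages:
            self.blocked.add(user)              # permanent until an admin unblocks
            return False
        return True

    def unblock(self, user):
        self.blocked.discard(user)
        self.history.pop(user, None)

def decide(limiter, request, now=None):
    """Map one Postfix policy request (name=value lines) to a verdict."""
    attrs = dict(l.split("=", 1) for l in request.splitlines() if "=" in l)
    user = attrs.get("sasl_username", "")
    if not user:                   # unauthenticated mail: leave it to other checks
        return "DUNNO"
    now = time.monotonic() if now is None else now
    return "DUNNO" if limiter.check(user, now) else OVER_LIMIT_ACTION

class PolicyHandler(socketserver.StreamRequestHandler):
    limiter = SaslRateLimiter()    # shared by every connection in this process
    def handle(self):
        request = b""
        for line in self.rfile:    # Postfix ends each request with a blank line
            if line.strip():
                request += line
                continue
            verdict = decide(self.limiter, request.decode("utf-8", "replace"))
            self.wfile.write(f"action={verdict}\n\n".encode())
            request = b""
```

To run it, serve `PolicyHandler` with `socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler).serve_forever()` and point Postfix at it with `check_policy_service inet:127.0.0.1:10040` in the smtpd restriction list of your choice; the in-memory state is per process, so a persistent store would be needed for multiple policy instances.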