On Wed, Oct 23, 2013 at 07:25:29PM +0200, Pol Hallen wrote:
Wietse:
> > Try: postfwd or policyd rate limiting.
> 
> Sure! Thanks! A last question:
> 
> real situation: sasl+tls user accounts.
> 
> supposed situation: someone hacks an account and takes the user+pass. 
> That person runs a script like this:
> 
> i=0
> while [ $i != 50 ]; do
> echo test | /usr/bin/mail -s "test message$i" "vic...@domain1.org"

mail(1) by default uses sendmail(1), and this would require shell 
access. There are mailx implementations which can use SMTP and can 
even AUTH, but your typical spammer is going to be using botnets 
which AUTH. (Most of these botnets are comprised of Windows hosts. 
Compromised Unix/Linux hosts are used where possible, but they 
probably have a different role.)

> echo $i
> i=$(( $i + 1 ))
> done;
> 
> with anvil I can only slow down the spam:

Not from sendmail submission.

> anvil_rate_time_unit = 10s
> anvil_status_update_time = 120s
> smtpd_client_message_rate_limit=10
> 
> but if I modify the script so that it sends a spam email every 5 minutes
> I can bypass the anvil rules :-(

Yes.

> thanks for any advice

Focus on real world attacks, and yes, it is possible that future 
botnet attacks will self-limit their rates. (The ones I have seen 
spew as much as possible as quickly as possible, their masters 
knowing that the target mailhost will soon be blacklisted. The goal 
is to pump out as much spam as possible before that happens.)

If/when these botnets start trying to fly under the radar with 
reasonable send rates, they are still detectable through content 
filtering. URIBL lookups should catch these.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
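Added example (not from either poster): anvil only counts within a short window, so a compromised SASL account sending one message every few minutes never trips `smtpd_client_message_rate_limit`. Counting submissions per `sasl_username` over a longer sliding window in the smtpd log catches it. The log lines, hostnames, addresses and the year are constructed; the thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the smtpd "client=" line Postfix logs for an authenticated session,
# e.g. "...: client=host[addr], sasl_method=PLAIN, sasl_username=user@example".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=.*?sasl_username=(?P<user>\S+)"
)

def parse_auth_events(lines, year=2013):
    """Yield (timestamp, sasl_username) for each authenticated submission.
    Syslog timestamps carry no year, so one is assumed (constructed here)."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            yield ts, m.group("user")

def peak_rate_per_user(lines, window_seconds):
    """Highest number of submissions each user made inside any sliding window."""
    peaks = defaultdict(int)
    recent = defaultdict(deque)
    for ts, user in sorted(parse_auth_events(lines)):
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_seconds:  # drop old events
            q.popleft()
        peaks[user] = max(peaks[user], len(q))
    return dict(peaks)

def flag_users(lines, window_seconds, limit):
    """Users whose peak rate over the window exceeds the limit."""
    return sorted(u for u, n in peak_rate_per_user(lines, window_seconds).items()
                  if n > limit)

# Constructed sample log: a compromised account sends one message every
# 5 minutes for an hour (12 messages); a normal user sends twice.
SAMPLE_LOG = [
    f"Oct 23 19:{m:02d}:05 mx1 postfix/smtpd[4321]: 1A2B3C{m:02d}: "
    "client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=victim@domain1.org"
    for m in range(0, 60, 5)
] + [
    "Oct 23 19:10:44 mx1 postfix/smtpd[4322]: 9F8E7D00: client=unknown[198.51.100.2], "
    "sasl_method=PLAIN, sasl_username=alice@domain1.org",
    "Oct 23 19:42:01 mx1 postfix/smtpd[4323]: 9F8E7D01: client=unknown[198.51.100.2], "
    "sasl_method=PLAIN, sasl_username=alice@domain1.org",
]
```

With an anvil-like 10 s window nobody exceeds 10 messages, while a one-hour window shows the compromised account at 12 and flags it.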
