>
> When a password gets compromised, spam starts to pour out of the
> server from endless numbers of IP's, to endless numbers of addresses.
>
> Rate limiting is interesting but doesn't really stop the spam.
>
> Counting client=[IP] addresses until a threshold is reached
> is highly effective, but then what? Change their password?
>
>
We are using policyd to manage quotas on e-mail send outs. You can also
use a log monitor like swatch to alert you if an account exceeds quota. At
this
point the account can be disabled till the user changes their password.
Also,
policyd supports things like rejecting or holding e-mails if the quota is
exceeded so
spam does not go out anymore. You can also script automatic disabling of
accounts
based on quota violations. We find that blacklisting usually only happens
when a very
large number of spam escapes, so rate limiting per account (e-mail address)
is quite
effective.
