- Have you identified the e-mail server hosting those compromised accounts? If yes, forbid that server from relaying through your Postfix servers. If you don't want to or cannot do that...
- Then have you identified exactly which e-mail accounts are compromised? If yes, temporarily close or disable those accounts on the sending server. If you don't want to or cannot do that...
- And if the sending accounts are identified, then instruct your Postfix servers to reject everything sent through them by those compromised sender e-mail addresses...

Preserve your reputation as a sending system, even if you have to temporarily forbid the sending server that is causing the spam from using your own servers.

A behaviour of bot spam is that it sends mass e-mails to forged, random recipient addresses. That means you probably get an unusual number of bounces or deferred e-mails on your Postfix servers. You could search your Postfix logs for the sender e-mail addresses causing the largest share of bounces and/or deferrals, to identify the source of the attack and block it at the Postfix level.

If, as you wrote, it is a slow, latent attack, then try to find a tool that will be able to detect it and define Postfix policies on the fly as countermeasures. You might find Postfix policy servers or daemons able to provide that kind of feature, like the X-Itools ELSE project with its RTAAM engine, for example.



On 04/02/2015 14:34, Dave Jones wrote:
I have a sneaky spammer who is using compromised accounts on a mail server that relays outbound through my Postfix servers. The spammer is Bcc'ing 200 or 300 recipients at a time and sending very slowly to avoid my high-volume detection. I need to be able to add a header that SpamAssassin can use to score based on a combination of other rules. I also want to maintain the privacy of the Bcc'd recipients. I am pretty sure this could be done in a milter, but I was not able to find a milter out there that does this. I guess I could learn how to make a milter that just counts the recipients and adds a header. I was thinking of something like an X header that could be set to a value ("Low", "Medium", or "High") based on a range of recipients. I could probably find a way to get SpamAssassin to use the actual number of recipients with a plugin, if that can be added easily by Postfix or a milter.

P.S. In this instance, this spammer is sending out messages that don't score high in SA. I can usually block outbound spam, but he is sending test/probe emails until they get through, then blasting to a lot of Bcc recipients, which gets us listed on RBLs. Also, the original mail server is an Exchange server that does not add the X-Originating-IP or Received headers of the sender, so I could key off of that in SA.
Thanks,
Dave
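The log analysis suggested in the reply above (find the envelope senders behind most of the bounces and deferrals, then reject them with a sender access map) can be done with a short script over the Postfix mail log. The following is an added example written for this thread; it is not code from either poster, from Postfix, or from the X-Itools project. It joins the qmgr "from=<...>" line of each queue ID with the per-recipient "status=..." lines logged by the delivery agents, tallies bounced/deferred/sent deliveries and the nrcpt value per sender, ranks the senders, and emits check_sender_access entries for the worst offenders. The log lines, queue IDs, hosts, addresses and the failure threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of a Postfix mail.log (not from the original thread).
# Queue IDs, hostnames and addresses are invented; the line formats follow
# what qmgr and the smtp delivery agent log by default.
SAMPLE_LOG = """\
Feb  4 14:01:01 mx1 postfix/smtpd[1200]: connect from relay.corp.example[198.51.100.7]
Feb  4 14:01:02 mx1 postfix/qmgr[1234]: 3A1B2C3D4E: from=<bob@example.com>, size=2048, nrcpt=250 (queue active)
Feb  4 14:01:03 mx1 postfix/smtp[1240]: 3A1B2C3D4E: to=<zz9@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=5.1.1, status=bounced (host mail.example.net[192.0.2.10] said: 550 5.1.1 User unknown)
Feb  4 14:01:03 mx1 postfix/smtp[1240]: 3A1B2C3D4E: to=<qx7@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1.3, delays=0.1/0/0.5/0.7, dsn=5.1.1, status=bounced (host mail.example.net[192.0.2.10] said: 550 5.1.1 User unknown)
Feb  4 14:01:04 mx1 postfix/smtp[1241]: 3A1B2C3D4E: to=<someone@example.org>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mail.example.org[203.0.113.5]:25: Connection timed out)
Feb  4 14:01:05 mx1 postfix/smtp[1242]: 3A1B2C3D4E: to=<real.user@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb  4 14:02:10 mx1 postfix/qmgr[1234]: 5F6E7D8C9B: from=<alice@example.com>, size=3100, nrcpt=1 (queue active)
Feb  4 14:02:11 mx1 postfix/smtp[1243]: 5F6E7D8C9B: to=<colleague@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb  4 14:03:00 mx1 postfix/qmgr[1234]: 9C8D7E6F5A: from=<carol@example.com>, size=900, nrcpt=3 (queue active)
Feb  4 14:03:01 mx1 postfix/smtp[1244]: 9C8D7E6F5A: to=<old.address@example.org>, relay=mail.example.org[203.0.113.5]:25, delay=2.0, delays=0.2/0/1/0.8, dsn=5.1.1, status=bounced (host mail.example.org[203.0.113.5] said: 550 5.1.1 No such user)
Feb  4 14:31:04 mx1 postfix/qmgr[1234]: 3A1B2C3D4E: from=<bob@example.com>, size=2048, nrcpt=250 (queue active)
Feb  4 14:31:05 mx1 postfix/smtp[1245]: 3A1B2C3D4E: to=<someone@example.org>, relay=none, delay=1830, delays=1800/0/30/0, dsn=4.4.1, status=deferred (connect to mail.example.org[203.0.113.5]:25: Connection timed out)
"""

# qmgr logs the envelope sender and recipient count once per queue run.
FROM_RE = re.compile(
    r"/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+)"
)
# Every delivery agent (smtp, lmtp, local, virtual, error, ...) logs one
# line per recipient with a status= field.
STATUS_RE = re.compile(
    r"/\w+\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<[^>]*>, .*?status=(?P<status>\w+)"
)


def parse_postfix_log(lines):
    """Return {sender: {"bounced", "deferred", "sent", "messages", "nrcpt"}}.

    nrcpt is summed once per queue ID, so a message that is retried (and thus
    logged by qmgr again) is not counted twice. Deferred deliveries are counted
    per attempt, which is what the log actually records.
    """
    qid_sender = {}
    stats = defaultdict(lambda: {"bounced": 0, "deferred": 0, "sent": 0,
                                 "messages": 0, "nrcpt": 0})
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            qid, sender = m.group("qid"), m.group("sender") or "<>"
            if qid not in qid_sender:          # first time we see this message
                qid_sender[qid] = sender
                stats[sender]["messages"] += 1
                stats[sender]["nrcpt"] += int(m.group("nrcpt"))
            continue
        m = STATUS_RE.search(line)
        if m and m.group("qid") in qid_sender:
            sender = qid_sender[m.group("qid")]
            status = m.group("status")
            if status in ("bounced", "deferred", "sent"):
                stats[sender][status] += 1
    return {sender: dict(counts) for sender, counts in stats.items()}


def failures(counts):
    return counts["bounced"] + counts["deferred"]


def rank_senders(stats):
    """Senders sorted by bounced+deferred deliveries, worst first."""
    return sorted(((s, failures(c)) for s, c in stats.items()),
                  key=lambda item: (-item[1], item[0]))


def sender_access_entries(stats, min_failures):
    """check_sender_access map lines for senders at or above the threshold.

    The threshold and the reject text are assumptions for this example; pick
    values that fit your own traffic before deploying.
    """
    return [f"{sender} REJECT Outbound abuse suspected, contact postmaster"
            for sender, n in rank_senders(stats) if n >= min_failures]


if __name__ == "__main__":
    stats = parse_postfix_log(SAMPLE_LOG.splitlines())
    for sender, n in rank_senders(stats):
        print(f"{n:4d} failures  {sender}  {stats[sender]}")
    print("\n".join(sender_access_entries(stats, min_failures=2)))
```

Run it over a real log with `parse_postfix_log(open("/var/log/mail.log"))`; write the emitted entries to a file such as /etc/postfix/sender_access, build it with `postmap hash:/etc/postfix/sender_access`, and reference it as `check_sender_access hash:/etc/postfix/sender_access` under smtpd_sender_restrictions. Because the spam run in this thread uses forged recipients, the bounce and nrcpt columns together are a better signal than either alone: a sender with a handful of deferrals is ordinary, a sender with a few hundred recipients per message and a bounce rate far above the rest is the compromised account.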

