On Mon, 5 Dec 2016 20:52:21 -0500, Alex <mysqlstud...@gmail.com> wrote:

> Hi,
>
> I have a postfix-3.0.5 system with a few hundred users. They have
> access to submission, webmail, and dovecot to send and receive mail.
>
> On occasion, users' local desktops are compromised, and with them their
> account on this system. This leads to their local desktop using the
> submission service to send hundreds or thousands of spam emails
> through this compromised account.
>
> They're only stopped after the user receives a ton of bounce messages,
> or we happen to see it somehow while watching logs.
>
> What mechanisms are available to, say, control the number of messages
> sent per day or otherwise be made aware of a pattern of messages being
> sent by an account that could be indicative of account compromise?
>
> Thanks,
> Alex

Hi Alex,

I use a policy daemon that registers every mail that is sent by our servers. The metadata is stored in a SQL database. Every two minutes a cronjob is run which checks the metadata for how many mails each sasl_sender has sent. If a sasl_sender surpasses a certain threshold, the cronjob automatically blocks this user in our LDAP so that he can't submit any more mails.
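The two halves of the reply above (a policy service that only records metadata, and a periodic job that counts per SASL user) can be sketched as follows. This is an added example and not code from either poster; it implements the Postfix SMTPD policy protocol (the `request`, `sasl_username`, `sender`, `recipient`, `client_address` and `instance` attribute names are the ones Postfix sends), stores each request in SQLite, and exposes the threshold query a cron job would run. The table layout, the port, the threshold and window, and the constructed sample traffic are assumptions; the final LDAP block from the reply is left to the reader's directory tooling.

```python
"""Added example: record authenticated submissions via a Postfix policy
service and flag SASL users whose recipient count exceeds a threshold.
Postfix side (assumed): smtpd_recipient_restrictions = ...,
  check_policy_service inet:127.0.0.1:10040
"""
import io
import socketserver
import sqlite3
import time


def read_request(rfile):
    """Read one policy request ('name=value' lines, terminated by a blank line)
    from a binary file-like object. Returns None when the peer has closed."""
    attrs = {}
    while True:
        line = rfile.readline()
        if not line:                      # EOF
            return attrs or None
        line = line.decode("utf-8", "replace").rstrip("\r\n")
        if not line:                      # blank line ends this request
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value


def open_db(path=":memory:"):
    """Assumed schema: one row per policy lookup, i.e. per recipient."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS submissions (
        ts INTEGER NOT NULL, sasl_username TEXT NOT NULL, sender TEXT,
        recipient TEXT, client_address TEXT, instance TEXT)""")
    conn.execute("CREATE INDEX IF NOT EXISTS idx_user_ts "
                 "ON submissions(sasl_username, ts)")
    return conn


def record_submission(conn, attrs, now=None):
    """Policy-daemon side: store metadata for authenticated mail only and
    always answer 'dunno' so the decision stays with the cron job."""
    if attrs.get("request") == "smtpd_access_policy" and attrs.get("sasl_username"):
        conn.execute(
            "INSERT INTO submissions VALUES (?, ?, ?, ?, ?, ?)",
            (int(now if now is not None else time.time()), attrs["sasl_username"],
             attrs.get("sender"), attrs.get("recipient"),
             attrs.get("client_address"), attrs.get("instance")))
        conn.commit()
    return "action=dunno\n\n"


def users_over_threshold(conn, threshold, window_seconds, now=None):
    """Cron-job side: (user, count) pairs with more than `threshold`
    recipients in the last `window_seconds`, busiest first."""
    now = int(now if now is not None else time.time())
    rows = conn.execute(
        "SELECT sasl_username, COUNT(*) AS n FROM submissions "
        "WHERE ts > ? GROUP BY sasl_username HAVING n > ? ORDER BY n DESC",
        (now - window_seconds, threshold)).fetchall()
    return [(user, n) for user, n in rows]


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Postfix may send several requests over one connection; loop to EOF.
        while (attrs := read_request(self.rfile)) is not None:
            self.wfile.write(record_submission(self.server.db, attrs).encode())


def _req(**kv):
    """Build a request dict the way the wire format would deliver it."""
    body = "".join(f"{k}={v}\n" for k, v in kv.items()) + "\n"
    return read_request(io.BytesIO(body.encode()))


def load_constructed_sample(conn, base_ts):
    """Constructed traffic (not real logs): alice fans out 120 recipients in
    two minutes, bob sends 3, carol sent 500 a day earlier, and one lookup
    is unauthenticated and therefore not recorded."""
    for i in range(120):
        record_submission(conn, _req(request="smtpd_access_policy",
            protocol_state="RCPT", sasl_username="alice",
            sender="alice@example.com", recipient=f"r{i}@example.net",
            client_address="203.0.113.5", instance=f"msg{i // 20}"),
            now=base_ts + i)
    for i in range(3):
        record_submission(conn, _req(request="smtpd_access_policy",
            sasl_username="bob", recipient=f"friend{i}@example.org"),
            now=base_ts + i)
    for i in range(500):
        record_submission(conn, _req(request="smtpd_access_policy",
            sasl_username="carol", recipient=f"r{i}@example.net"),
            now=base_ts - 86400)
    record_submission(conn, _req(request="smtpd_access_policy",
        sender="anon@example.com", recipient="x@example.net"), now=base_ts)


def demo(threshold=100, window_seconds=7200):
    """What the two-minute cron job would see on the constructed sample."""
    conn = open_db()
    base = 1_700_000_000
    load_constructed_sample(conn, base)
    return users_over_threshold(conn, threshold, window_seconds, now=base + 120)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "serve":
        with socketserver.TCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
            srv.db = open_db("submissions.db")
            srv.serve_forever()
    else:
        print(demo())
```

Because Postfix consults a `check_policy_service` in `smtpd_recipient_restrictions` once per RCPT TO, each row is a recipient, which is the quantity a fanned-out spam run inflates; the `instance` column lets the cron query count distinct messages instead if that fits the threshold better. The server runs single-threaded on purpose, since a SQLite connection is not shared across threads by default.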