On 06/12/16 01:52, Alex wrote:
> Hi,
>
> I have a postfix-3.0.5 system with a few hundred users. They have
> access to submission, webmail, and dovecot to send and receive mail.
>
> On occasion, a user's local desktop is compromised, and with it their
> account on this system. This leads to their local desktop using the
> submission service to send hundreds or thousands of spam emails
> through this compromised account.
>
> They're only stopped after the user receives a ton of bounce messages,
> or we happen to see it somehow while watching logs.
>
> What mechanisms are available to say, control the number of messages
> sent per day or otherwise be made aware of a pattern of messages being
> sent by an account that could be indicative of account compromise?
>
> Thanks,
> Alex
>

If you read the thread "block emails which pretend to originate from my domain", there is a suggestion that stops outbound emails where MAIL FROM is not your own domain.
This might also help.

Allen C
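
For the "be made aware of a pattern" part of the question, one approach is to count authenticated submissions per account from the Postfix log. The following is an added example, not part of the original thread; the function names, thresholds and sample log lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# smtpd logs one "QUEUEID: client=...[ip], ..., sasl_username=..." line per
# accepted message (not per recipient), so counting these lines counts messages.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?:\w+/)?smtpd\[\d+\]: '
    r'(?P<qid>\w+): client=\S+?\[(?P<ip>[^\]]+)\],.*\bsasl_username=(?P<user>\S+)')

def parse(line):
    """Return (user, hour_bucket, client_ip) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m['user'], m['ts'][:-6], m['ip']   # drop ":MM:SS" -> hourly bucket

def flag_accounts(lines, max_per_hour=100, max_ips=3):
    """Flag accounts exceeding an hourly message count or a client-IP spread.
    Both thresholds are assumed values; tune them to normal traffic."""
    per_hour, ips = Counter(), defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        user, hour, ip = rec
        per_hour[(user, hour)] += 1
        ips[user].add(ip)
    alerts = defaultdict(list)
    for (user, hour), n in per_hour.items():
        if n > max_per_hour:
            alerts[user].append(f"{n} messages in hour '{hour}'")
    for user, seen in ips.items():
        if len(seen) > max_ips:
            alerts[user].append(f"{len(seen)} distinct client IPs")
    return dict(alerts)

def sample_log():
    """Constructed log: 'alice' sends 3 messages, 'bob' sends 150 from 5 IPs."""
    fmt = ("Dec  6 01:{m:02d}:{s:02d} mail postfix/submission/smtpd[2211]: "
           "{q:010X}: client=unknown[{ip}], sasl_method=PLAIN, sasl_username={u}")
    lines = [fmt.format(m=i, s=0, q=i, ip="198.51.100.10", u="alice")
             for i in range(3)]
    lines += [fmt.format(m=i % 60, s=i % 60, q=1000 + i,
                         ip=f"203.0.113.{i % 5 + 1}", u="bob") for i in range(150)]
    lines.append("Dec  6 01:59:59 mail postfix/qmgr[900]: 00000003E8: removed")
    return lines

if __name__ == "__main__":
    for user, reasons in flag_accounts(sample_log()).items():
        print(user, "->", "; ".join(reasons))
```

Run from cron over the current mail log, this only alerts; it does not stop the sending, and a single message addressed to many recipients still counts as one.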