Hi Becki,

At our site we have a log monitoring script (ad-hoc) which warns us about "mass" authenticated smtp sessions, and also automatically triggers a user disable on certain criteria, in this case:

- That sent emails exceed a threshold on a given time interval,
- *That there are numerous originating IP addresses*, and,
- That those IP addresses do not reverse-resolve to a hostname.

The 2nd rule is quite effective at catching botnets. *The last rule is there because certain huge providers (e.g. gmail) send in parallel from multiple IPs, and can register as a false positive by the 2nd rule.*

Automatically taking action based on geo-ip data + a connection number threshold can also be an effective tool if you're mostly in a local (national) environment. Anything coming from outside your country can get extra attention if your userbase mostly communicates in-country. Of course, if your operations are global in scope, this heuristic can trigger many false positives and thus be worthless.

It's not a perfect solution (some hundred spam e-mails *do* get sent until the auto-ban kicks in) and its short integrating interval (1 hour by default) means that "trickle"-rate spam can get through.

All in all it is a somewhat effective mitigating strategy, and as they say, perfect is the enemy of serviceable.

I'd love to hear how other site admins manage this problem :)

Kind regards,
Daniel

On 19/02/2019 11:56, Admin Beckspaced wrote:
> Dear Postfix Users,
>
> just recently the computer of a client got infected with malware and
> the email password was compromised.
> The bad guys immediately started sending out spam emails via our mail
> servers.
>
> We got notified by our monitoring system a bit later ... and fixed things
>
> But lots and lots of spam emails have been sent via our mail server.
>
> How do you protect your mail system against a compromised password and
> mass spam mail sending?
>
> Thanks & greetings
> Becki
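The three rules Daniel describes (volume over a time interval, many originating IPs, and those IPs lacking reverse DNS), as an added example that is not Daniel's script nor anything shipped with Postfix. It runs over constructed Postfix smtpd log lines of the form `client=HOST[IP], sasl_method=..., sasl_username=...`; it relies on the fact that Postfix itself writes `client=unknown[IP]` when the connecting address has no (matching) PTR record, so the reverse-DNS test can be read straight from the log with no lookups at run time. Authenticated smtpd sessions stand in for "sent emails" (a production script would more likely count qmgr `from=`/`nrcpt=` lines), the thresholds are assumptions, and the "majority of IPs without a PTR" form of the third rule is my reading of it. The `eve` account illustrates the trickle-rate failure mode Daniel mentions: the same 60 sessions spread over three hours never exceed the threshold inside any one-hour window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd line for an authenticated session. HOST is "unknown" when the
# client IP has no (matching) PTR record, which is exactly rule 3's signal.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)


def parse_line(line):
    """Return a record dict for an authenticated smtpd line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; only relative ordering matters here
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def analyse(lines, window=timedelta(hours=1), max_sessions=50, min_ips=5):
    """Apply the three rules per SASL user over a sliding time window.

    Returns {user: {"action": "disable"|"warn"|"ok", ...stats of the busiest window}}.
    'disable' needs all three rules in one window; 'warn' is volume alone.
    Thresholds are illustrative assumptions, not values from the thread.
    """
    by_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_user[rec["user"]].append(rec)

    verdicts = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        peak, disable, start = None, False, 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:   # slide window start
                start += 1
            span = recs[start:end + 1]
            ips = {r["ip"] for r in span}
            no_ptr = {r["ip"] for r in span if r["host"] == "unknown"}
            stats = {"sessions": len(span), "distinct_ips": len(ips),
                     "ips_without_ptr": len(no_ptr)}
            if peak is None or stats["sessions"] > peak["sessions"]:
                peak = stats
            if (stats["sessions"] > max_sessions          # rule 1: volume
                    and len(ips) >= min_ips               # rule 2: many source IPs
                    and 2 * len(no_ptr) > len(ips)):      # rule 3: mostly no rDNS
                disable = True
        action = "disable" if disable else ("warn" if peak["sessions"] > max_sessions else "ok")
        verdicts[user] = dict(action=action, **peak)
    return verdicts


def make_line(ts, qid, host, ip, user):
    """Build one constructed smtpd log line in Postfix's format."""
    return (f"{ts:%b %d %H:%M:%S} mx1 postfix/smtpd[4242]: {qid}: "
            f"client={host}[{ip}], sasl_method=PLAIN, sasl_username={user}")


def sample_log():
    """Constructed log: one compromised account, one busy legitimate user,
    one quiet user and one trickle-rate spammer (all addresses are documentation ranges)."""
    base = datetime(2019, 2, 19, 11, 0, 0)
    lines, n = [], 0

    def add(minute, host, ip, user):
        nonlocal n
        n += 1
        lines.append(make_line(base + timedelta(minutes=minute), f"{n:06X}", host, ip, user))

    for i in range(60):   # botnet: 60 sessions in 30 min from 12 IPs without PTR
        add(i * 0.5, "unknown", f"198.51.100.{i % 12 + 1}", "victim@example.com")
    for i in range(60):   # big provider pool: same volume, many IPs, all resolve
        add(i * 0.5, f"mail-{i % 6}.provider.example.net", f"192.0.2.{i % 6 + 1}", "alice@example.com")
    for i in range(10):   # quiet user, single unresolved IP
        add(i * 5, "unknown", "203.0.113.7", "bob@example.com")
    for i in range(60):   # trickle: 60 sessions spread over 3 hours, slips under a 1h window
        add(i * 3, "unknown", f"198.51.100.{i % 12 + 1}", "eve@example.com")
    return lines


if __name__ == "__main__":
    for user, v in analyse(sample_log()).items():
        print(f"{user:22} {v['action']:8} sessions={v['sessions']:3} "
              f"ips={v['distinct_ips']:2} no_ptr={v['ips_without_ptr']:2}")
```

The `alice` case is the point of rule 3: she trips the volume and multi-IP rules exactly like the botnet, but every source has a PTR, so the script only warns instead of disabling. Widening `window` catches `eve` at the cost of slower reaction to the real outbreak, which is the trade-off Daniel's one-hour default makes.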