I'm curious what other people are doing to deal with this… We have policyd running on our smtp relay hosts that customers use. We get an alert when any username sends more than X messages in an hour and deal with it on a case by case basis. For some time, this has worked well. We've had a few cases where the end user's pc is part of a botnet and sending directly, but most of the time it's foreign IPs that have either brute-forced or stolen the user's credentials (presumably by phishing).
In the past month or so though, I've been seeing more and more instances where I get no alerts, and then a few feedback loop reports. If I look at the policyd stats, I'll see that some user sitting just below the alert threshold has been sending crap out for hours. I'm not seeing any obvious solution here… Any suggestions?

Thanks,
Charles

_______________________________________________
Users mailing list
[email protected]
http://lists.policyd.org/mailman/listinfo/users_lists.policyd.org
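One way to catch the under-threshold senders described above, as an added example that is not part of the original post and not policyd's own code: an hourly-count pass over a constructed log that flags users who stay near the hourly threshold for several consecutive hours. The log format, the threshold value and the tuning constants are assumptions.

```python
"""Flag senders that sit just under a per-hour alert threshold for hours.

Constructed log format: one "timestamp user message_count" record per line.
policyd's own log and stats formats are not assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOURLY_THRESHOLD = 100   # assumed value of the existing per-hour alert ("X")
NEAR_FRACTION = 0.6      # "just below" means at least 60% of the threshold...
MIN_HOURS = 3            # ...for at least this many consecutive hours

# Constructed sample: bob sends 80/hour for five hours and never trips the
# hourly alert; carol bursts (the existing alert covers that); alice is normal.
SAMPLE_LOG = """
2024-05-01T00:12:00 bob 80
2024-05-01T01:05:00 bob 80
2024-05-01T02:40:00 bob 80
2024-05-01T03:15:00 bob 80
2024-05-01T04:50:00 bob 80
2024-05-01T02:00:00 carol 150
2024-05-01T01:30:00 alice 4
2024-05-01T05:00:00 alice 3
"""

def hourly_counts(log_text):
    """Return {user: {hour_start: messages}} from the sample log format."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, n = line.split()
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        counts[user][hour] += int(n)
    return counts

def find_sustained_senders(log_text, threshold=HOURLY_THRESHOLD,
                           fraction=NEAR_FRACTION, min_hours=MIN_HOURS):
    """Return {user: (first_hour, last_hour, total)} for users who stayed
    below the threshold but at or above fraction*threshold for min_hours
    consecutive hours. Hours at/above the threshold are left to the hourly alert."""
    floor, results = fraction * threshold, {}
    for user, per_hour in hourly_counts(log_text).items():
        streak = []          # consecutive near-threshold hours as (hour, count)
        for hour in sorted(per_hour):
            n, near = per_hour[hour], floor <= per_hour[hour] < threshold
            if near and streak and hour == streak[-1][0] + timedelta(hours=1):
                streak.append((hour, n))
            else:
                streak = [(hour, n)] if near else []
            if len(streak) >= min_hours:
                results[user] = (streak[0][0], streak[-1][0],
                                 sum(c for _, c in streak))
    return results
```

Running `find_sustained_senders(SAMPLE_LOG)` flags only bob (five hours, 400 messages); carol is left to the existing hourly alert and alice is untouched.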
