On 3/3/20 3:40 AM, Marc Roos wrote:
No problem I would say, it is good to exchange thoughts and ideas.

Agreed.

Strange, your webmail should be on https, then it is difficult to catch passwords. I do not have this at all, that people's passwords get stolen. Hardly ever. So maybe somewhere something is wrong in your setup. Maybe spammers get access via a remote exploit? I do not think this is a common problem.

I suspect that key loggers, malicious browser add-ons, or more nefarious things (MitM proxies) are partially to blame.

Please remember that you are causing work for these companies. Someone is complaining. And someone is adding your IP to the blacklist. They get harassed about why the shit is getting through their spam filters.

True.

I would also ask amazon to pay me a few thousand for wasting my time constantly.

~chuckle~

Sendmail has a nice filter that rate limits a user. I was always thinking of implementing this, when I run into a situation as yours.

I thought that Sendmail had a per authenticated user rate limit. If it doesn't, I expect that a milter could be created to do that with little effort.

I wonder if it would be possible to combine this rate limiting with quarantining. That way the messages could be received from the client and held on the server. Clients would likely be none the wiser. You could then look at the count of quarantined messages and take action based on that. You could also have an automated job that would email the authenticated user when their messages were being quarantined; i.e. they sent > X number of messages in the last Y hours. (25–50 & 24 seems like a start. Check your logs for better numbers.)

Things you should consider:
- investigate what clients mostly have these problems. Give them a separate outgoing server. This way when it happens again not everyone's email is blocked.

Hum. This seems somewhat problematic. How do you propose using different SMTP servers based on authenticating client /without/ reconfiguring clients or playing DNS games? It seems like the front line MSA would need to conditionally route messages to the next SMTP server based on behavior & sending rate.

ps. When I get spam I put the whole /24 range on the blacklist. So maybe get IPs in different ranges.

- filter your logs of the last year that have outgoing spam. You will see the same ip ranges. Put all of them on your outgoing mail server's dns blacklist so they cannot connect.

- google for outgoing milters. You get blacklisted on the bigger RBLs after sending a lot of spam.

At the risk of using buzz words, I wonder if anyone has applied A.I. / M.L. to authenticated user / sending address / recipient address tuples.

Do you have any idea if the abusers are using different from addresses (envelope and / or header) not associated with the authentication credentials? It might be low hanging fruit to associate authentication credentials with the from addresses.

Do you filter on outbound messages? Make sure that you aren't violating SPF / DMARC / spam / viruses.

A user is not sending 100 emails a day.

Most users don't. I'm sure that I have done that in the past, though rarely.

Good luck, fighting these spammers!!!

+1

--
Grant. . . .
unix || die
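The per-user sending-rate check and the credential-to-sender association discussed in the thread above, as an added example that is not from either poster or any MTA project: a Python pass over constructed submission log lines in a hypothetical one-line-per-message format (adapt the regex to your MSA's real log format, e.g. Postfix's sasl_username= lines). It flags any user who exceeds X messages in any sliding Y-hour window (defaults 25 and 24 h, the starting numbers suggested above) and any submission whose envelope sender does not match the authenticated login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format constructed for this example: one line per accepted
# submission with timestamp, SASL login, envelope sender and client IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) submit: user=(?P<user>\S+) from=<(?P<mail_from>[^>]*)> ip=(?P<ip>\S+)$"
)

def parse_line(line):
    """Return a dict for a submission line, or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def review_submissions(lines, max_msgs=25, window=timedelta(hours=24)):
    """Return ({user: peak count in any window, only if > max_msgs},
    [(user, envelope sender, ip) where the sender differs from the login])."""
    by_user = defaultdict(list)
    mismatches = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_user[rec["user"]].append(rec["ts"])
        if rec["mail_from"].lower() != rec["user"].lower():
            mismatches.append((rec["user"], rec["mail_from"], rec["ip"]))
    rate_offenders = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0  # two-pointer sliding window over sorted timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > max_msgs:
                rate_offenders[user] = max(rate_offenders.get(user, 0), count)
    return rate_offenders, mismatches

# Constructed sample: bob submits 31 messages within 90 minutes, one with a forged
# envelope sender; alice sends two messages a day apart; one line is unrelated noise.
SAMPLE_LOG = [
    f"2020-03-03T09:{i:02d}:00 submit: user=bob@example.org from=<bob@example.org> ip=198.51.100.7"
    for i in range(30)
] + [
    "2020-03-03T10:30:00 submit: user=bob@example.org from=<promo@bulk.invalid> ip=198.51.100.7",
    "2020-03-03T11:00:00 submit: user=alice@example.org from=<alice@example.org> ip=203.0.113.5",
    "2020-03-04T11:00:00 submit: user=alice@example.org from=<alice@example.org> ip=203.0.113.5",
    "2020-03-03T11:00:00 msa sshd[12]: unrelated line",
]

if __name__ == "__main__":
    offenders, bad_from = review_submissions(SAMPLE_LOG)
    print("rate offenders:", offenders)
    print("sender/credential mismatches:", bad_from)
```

Feeding the output to a quarantine or notification job, as the thread suggests, is the natural next step; the counts alone tell you whether 25 and 24 are the right numbers for your user base.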
