On Mon, 14 Aug 2006, Thomas Lindell wrote:
Every now and again one of my bonehead customers gets a trojan that starts shooting out spam messages like crazy. I usually catch it within a few hours but I am wondering if there's a way for me to scan messages my customers send and drop them or bounce them back if they're detected as spam.
What about enabling some sort of connection rate throttling (keyed by IP address) in your MTA? I believe sendmail has such a feature. Then, scan the log messages and alert the on-call person (you?) if some client machine starts connecting to send outgoing messages more than seems reasonable. If it's only every now and then, it might not be that bad to have to respond to it manually. You could check the logs to see if the traffic is really malicious (rather than someone using e-mail as an instant-messenger substitute), and if so, cut them off. Of course, this only works for certain classes of customers. If you're an ISP and your customers each have one desktop computer, it works great. If your customers have 100 users and their own mail server, it doesn't work as great...

- Logan
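The log-scanning step suggested in the reply above, as an added example that is not part of the original thread: it counts accepted messages per client IP in a sliding window and reports the clients that exceed a limit. The function names, the limit of 5 messages per minute, and the sample lines (constructed in sendmail's `from=` log format) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches sendmail "from=" entries; captures the syslog timestamp and the
# client IP that sendmail prints in brackets after relay=.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssendmail\[\d+\]:\s\w+:\sfrom=.*"
    r"relay=.*\[(?P<ip>[0-9a-fA-F.:]+)\]"
)

def find_heavy_senders(lines, max_msgs=5, window=timedelta(minutes=1), year=2006):
    """Return {ip: peak messages per window} for clients exceeding max_msgs.

    Lines must be in chronological order. Syslog timestamps carry no year,
    so one is supplied (assumption).
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # "to=" entries, other daemons, noise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window: # drop entries older than the window
            q.popleft()
        if len(q) > max_msgs:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

def sample_log():
    """Constructed log lines (not real traffic) in sendmail's 'from=' format."""
    fmt = ("Aug 14 10:{:02d}:{:02d} mail sendmail[{}]: k7EA{:010d}: "
           "from=<u@example.net>, size=2048, class=0, nrcpts=1, "
           "proto=ESMTP, daemon=MTA, relay=pc [{}]")
    # One client sends 8 messages in 35 seconds; another sends 3 over 10 minutes.
    noisy = [fmt.format(0, i * 5, 2100 + i, i, "192.0.2.10") for i in range(8)]
    quiet = [fmt.format(i * 5, 0, 2200 + i, 100 + i, "192.0.2.20") for i in range(3)]
    return noisy + quiet

if __name__ == "__main__":
    for ip, peak in find_heavy_senders(sample_log()).items():
        print(f"ALERT {ip}: {peak} messages within one minute")
```

The limit has to be tuned per customer class: a site relaying for 100 users through its own mail server will exceed a threshold that suits a single desktop.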