Ryan,

> I am trying to implement an anti-phishing strategy and was hoping some of
> you could point me in the right direction. I want to keep track of how many
> recipients a user sends mail to on a 24-hour basis. When a given threshold
> is met, that user's email would then go into quarantine until an admin
> releases it. Thing is, I'm not sure where to begin...
>
> Breaking this down into bite-size chunks I see the following ahead of me:
>
> 1. Track the number of recipients that are sent mail on a 24-hour per-user
>    basis.
> 2. If the number of outgoing email transmissions for a user crosses
>    the preset threshold, add a header to the email.
> 3. If the header is seen, quarantine the message.
> 4. Notify an admin
> 5. Allow an admin to delete or release the quarantined emails.
>
> I'm starting into number 1 for now but am at a loss at the moment. My
> thought would be to update a MySQL table with the recipient count found in
> each message. How to do this escapes me.
>
> I am aware that SpamAssassin can't perform all of these tasks.

Indeed, the recipients of a message are passed from MTA to MTA in the
SMTP 'envelope' and not in the mail header section. The To and Cc
mail header fields may or may not bear any relationship with the
actual list of recipients of a message. This is especially so for spam mail
(and for mailing lists), so you need to collect these numbers from
where they are still available.

> My understanding is that amavisd will handle the ones SA can't. If anyone
> could help with any part of this, I would greatly appreciate it.

/etc/amavisd-custom.conf :

package Amavis::Custom;
use strict;
BEGIN { import Amavis::Util qw(do_log) }
sub new {
  my($class,$conn,$msginfo) = @_;
  my(@recip_objects) = @{$msginfo->per_recip_data};
  do_log(0, "Mail from %s, number of recipients is %d",
    $msginfo->sender, scalar(@recip_objects));
  # do whatever you want with this number here
  bless {}, $class;
}
1;  # ensure a defined return


Put the following somewhere in amavisd.conf:

  include_config_files('/etc/amavisd-custom.conf');


Mark
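
An added example, not part of Mark's message or of amavisd: a sliding 24-hour recipient count per envelope sender, computed from the log line that the hook above writes. It assumes each log line starts with an ISO-8601 timestamp; the sample lines, addresses and the threshold of 100 are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the message written by the do_log() call in the hook above.
# The prefix is non-greedy so the first "Mail from" on the line is used:
# the sender string is attacker-controlled and must not be able to shift the match.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) .*?Mail from (?P<sender>.*), number of recipients is (?P<n>\d+)\s*$"
)
WINDOW = timedelta(hours=24)

# Constructed sample input (assumed timestamp prefix, made-up hosts and users).
SAMPLE_LOG = [
    "2024-03-01T09:00:00 mx amavis[4121]: (04121-01) Mail from alice@example.org, number of recipients is 3",
    "2024-03-01T10:00:00 mx amavis[4121]: (04121-02) Mail from bob@example.org, number of recipients is 40",
    "2024-03-01T18:30:00 mx amavis[4122]: (04122-01) Mail from bob@example.org, number of recipients is 45",
    "2024-03-02T08:00:00 mx amavis[4122]: (04122-02) Mail from alice@example.org, number of recipients is 2",
    "2024-03-02T10:30:00 mx amavis[4123]: (04123-01) Mail from bob@example.org, number of recipients is 30",
    "2024-03-02T11:00:00 mx amavis[4123]: (04123-02) Mail from bob@example.org, number of recipients is 50",
]


def over_threshold(lines, threshold):
    """Return {sender: (time the threshold was first exceeded, recipients in window)}."""
    history = defaultdict(deque)  # sender -> deque of (timestamp, recipient count)
    totals = defaultdict(int)     # sender -> recipients inside the current window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # unrelated log line
        ts = datetime.fromisoformat(m["ts"])
        sender = m["sender"].strip("<>").lower()
        if not sender:
            continue              # null sender (bounces): not attributable to a user
        n = int(m["n"])
        q = history[sender]
        q.append((ts, n))
        totals[sender] += n
        # Drop entries that have aged out of the 24-hour window.
        while q and ts - q[0][0] >= WINDOW:
            totals[sender] -= q.popleft()[1]
        if totals[sender] > threshold and sender not in flagged:
            flagged[sender] = (ts, totals[sender])
    return flagged
```

With the sample input, bob's 10:00 entry has aged out by 10:30 the next day, so he is only flagged at 11:00 when the in-window total reaches 125.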
