On Tue, 2010-02-16 at 08:44 -1000, Alexandre Chapellon wrote:
> Hello the list,
>
> I have a quite buggy customer network, full of zombie PCs that spend
> all day sending spam and wasting the whole "reputation" of my
> networks.

1) Are you already using separate inbound and outbound mail servers?

2) If not, does your mail server have any way of distinguishing the
inbound and outbound streams (i.e., are your users sending on the
standard SMTP port or on another one)?

3) Do you require all outbound mail to go through your servers, and have
you blocked users from sending outbound mail directly?

4) When you catch outgoing spam, what do you want to do about it?

Obvious choices for (4), in order of hitting the infected user with a
successively bigger clue stick, are:

- silently discard the spam, but you'll also throw away false positives.
- silently discard the spam and tell him you've done so on a daily basis.
- tell your user he's infected and send all the spam back to him.
- tell your user he's infected, bin the spam and cut him off until his PC
  is clean.

If you haven't decided what to do with the outbound spam yet, it would be
a good idea to work that out before doing anything.

If (1) or (2) is true, you can run a separate copy of SA for outbound
mail, use a different rule set from the one you use on inbound mail,
and/or disable RBL checks on it. Since you know where the mail is coming
from, there's little point in wasting cycles with RBL checks unless you
want to use them to spot forged sender addresses.

The answers to these questions should help you figure out what you want
to do about users with infected machines and help you decide what to do
with the spam they're sending. It will also give us some idea of what to
suggest.

Martin
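As an added illustration of the split Martin describes under (1)/(2) (this is not configuration from the original thread or from the SpamAssassin project), here is one way to give inbound and outbound mail two different SpamAssassin instances. It assumes Postfix as the MTA, that customers submit on port 587 with SMTP AUTH while port 25 carries mail from the Internet, that the inbound spamd listens on its default port 783 and an assumed second spamd on port 784, and an assumed site-config directory /etc/spamassassin-outbound for the outbound ruleset. The three fragments live in three separate files, named in the comments.

```conf
# --- /etc/postfix/master.cf (fragment) --------------------------------
# Port 25: mail from the Internet, handed to the inbound spamd.
smtp       inet  n  -  n  -  -  smtpd
  -o content_filter=spamassassin-in:dummy

# Port 587: authenticated customer submission only, handed to the
# outbound spamd.  Unauthenticated clients are rejected, so everything
# on this stream is known to come from one of our own customers.
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=spamassassin-out:dummy

# Two pipe transports; the only difference is which spamd spamc talks to.
# spamc -e re-injects the tagged message through sendmail, so this step
# marks mail, it does not drop it (the choice under (4) is made later).
spamassassin-in  unix  -  n  n  -  -  pipe
  flags=Rq user=spamd argv=/usr/bin/spamc -p 783 -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
spamassassin-out unix  -  n  n  -  -  pipe
  flags=Rq user=spamd argv=/usr/bin/spamc -p 784 -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

# --- second spamd, e.g. in the init script (assumed port and path) ------
# spamd --daemonize --port=784 --siteconfigpath=/etc/spamassassin-outbound \
#       --pidfile=/var/run/spamd-outbound.pid

# --- /etc/spamassassin-outbound/local.cf (assumed directory) -----------
# The sending host is always one of our own customers, so RBL lookups on
# it tell us nothing; skip them and save the DNS round trips.
skip_rbl_checks 1
required_score 5.0
# Distinct header so downstream rules cannot confuse the two streams.
add_header all Checker outbound-spamd
```

The inbound instance keeps the stock /etc/mail/spamassassin (or /etc/spamassassin) ruleset with RBLs enabled, so the two streams are scored independently. Question (3) is not addressed here: forcing customers through port 587 still needs port 25 blocked outbound at the network edge, which is a firewall rule rather than anything in Postfix or SpamAssassin. Whatever is chosen under (4), it acts on the X-Spam-* headers this instance adds, after re-injection.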