On Tuesday 16 February 2010 at 20:29 +0000, Martin Gregorie wrote:
> On Tue, 2010-02-16 at 08:44 -1000, Alexandre Chapellon wrote:
> > Hello the list,
> >
> > I have a quite buggy customer network, full of zombie PCs that spend
> > all day sending spam and wasting the whole "reputation" of my
> > networks.
>
> 1) Are you already using separate inbound and outbound mail servers?

Yes, of course.

> 2) If not, does your mail server have any way of distinguishing the
> inbound and outbound streams (i.e., are your users sending on the
> standard SMTP port or on another one)?
>
> 3) Do you require all outbound mail to go through your servers and have
> you blocked users from sending outbound mail directly?

I can't block users from sending directly... I am an ISP, my users are free to use another relay than mine, e.g. Google or Yahoo or some mail relay of their own hosted I don't know where.

> 4) When you catch outgoing spam what do you want to do about it?

DROP!

> Obvious choices for (4), in order of hitting the infected user with a
> successively bigger clue stick, are:
>
> - silently discard the spam,

But you'll also throw away false positives. Using before-queue filtering (on Postfix) I reject the mail at SMTP time, so the client gets an error (550 I guess) and so is aware (as far as a user can be aware of anything) that his mail has been refused.

> - silently discard the spam and tell him you've done so on a daily basis

I don't want to do something like this.

> - tell your user he's infected and send all the spam back to him
>
> - tell your user he's infected, bin the spam and cut him off until
> his PC is clean.

I will, based on feedback loop mail processing. But that's another stuff.

> If you haven't decided what to do with the outbound spam yet, it would
> be a good idea to work that out before doing anything.
>
> If (1) or (2) are true, you can run a separate copy of SA for outbound
> mail, use a different rule set from the one you use on inbound mail,
> and/or disable RBL checks on it. Since you know where the mail is coming
> from, there's little point in wasting cycles with RBL checks unless you
> want to use them to spot forged sender addresses.
>
> The answers to these questions should help you figure out what you want
> to do about users with infected machines and help you decide what to do
> with the spam they're sending. It will also give us some idea of what to
> suggest.

Indeed those questions (which I already asked myself) are the first to setting up something efficient and too boring for users. It's good to see people who try to have a "global" view of the problem.

> Martin
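As an added illustration of the separate-outbound-SpamAssassin setup Martin describes (this is not configuration from either poster, nor from the SpamAssassin or Postfix projects), the file below is a second `local.cf` that an outbound-only `spamd` instance would load with `spamd -C /etc/spamassassin-outbound`. It assumes the submission service (port 587) in Postfix `master.cf` is pointed at a before-queue filter via `-o smtpd_proxy_filter=...`, and that the filter in turn talks to this spamd rather than the inbound one; the directory path, Bayes path and network ranges are placeholders.

```conf
# /etc/spamassassin-outbound/local.cf   (added example; the path is an assumption)
# Loaded only by the outbound spamd:   spamd -C /etc/spamassassin-outbound ...
# The inbound spamd keeps its own, unchanged configuration and rule set.

# The connecting hosts are your own customers, so DNSBL lookups on their
# addresses tell you nothing you do not already know; skip them.
skip_rbl_checks 1

# Declare the customer ranges (placeholder documentation prefixes) so the
# Received-header rules treat them as your network, not as untrusted relays.
trusted_networks  192.0.2.0/24 198.51.100.0/24
internal_networks 192.0.2.0/24 198.51.100.0/24

# Keep a separate Bayes database: what customers send must not train the
# classifier that scores what they receive.
use_bayes 1
bayes_path /var/lib/spamassassin/outbound/bayes

# Nothing is delivered with a report wrapped around it; the proxy filter
# rejects at SMTP time (a 5xx the sending client sees) instead.
report_safe 0
required_score 5.0
```

Two practical notes. First, rejecting before the queue is what makes the user-visible 550 possible: once a message is accepted and later discarded, the sending client never learns about it, which is the false-positive problem raised above. Second, `skip_rbl_checks 1` deliberately throws away the DNSBL signal, so Martin's caveat applies: if you wanted RBLs to catch forged sender domains on outbound mail, that check has to come from somewhere else, for example an SPF or DKIM policy on the submission path.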