On Mon, 28 Oct 2013 21:42:29 -0400 (EDT) "John R. Levine" <jo...@iecc.com> wrote:
> But outbound filtering is far more useful when it, you know, actually > works. Outbound filtering is far trickier than inbound filtering. Unless you really want to annoy your customers, you have to hold suspect mail (anything scoring let's say 5.0 to 8.0 or so on SpamAssassin's scale) for review rather than rejecting outright. Once you start having more than a few thousand outbound users, you end up spending a lot of time reviewing suspect mail. We take another approach and apply per-sender rate-limits. If a given sender or IP sends to more than X recipients in a given window of time, we hold all mail from that sender/IP and alert. This has enabled us to catch and shut down several phished accounts over the last few months. Rate-limiting also helps if a phished account is used to blast out large quantities of spam that nevertheless are not detected as spam by content filtering. Regards, David.
