My mail filters also do a lot of outbound relaying from hundreds of customer mail servers. Compromised accounts happen and I have some methods for detecting most of them and block the sender at the MTA within a few minutes to prevent my server IPs from becoming listed on RBLs.
Customer mail servers are currently trusted by IPs on our own network ranges and have a slight bias toward trust by being in the trusted_networks. This allows for the proper RBL checks of the sender IP as long as the customer mail server adds the proper X-Originating-IP or Received: header of the client. The goal is to be able to block most outbound spam with the usual rules, network tests, and Bayesian scores. However, these compromised accounts often contain zero-hour email that scores low. A common factor for most of these emails is sending with a high number of recipients, often to FREEMAIL recipients.

Would it make sense for me to set up/manage my own custom rules for checking the To: header, or could the FreeMail plugin be extended to add new rules like FREEMAIL_TO? I understand that the To: header is not the same as the RCPT TO and the MTA will split emails based on destination. In this situation, the sending MTA is smarthosted to my relays and these are compromised accounts on legit MTAs where headers can be considered reliable. I do see patterns with sorted recipients and multiple FREEMAIL recipients that I would like to score on. Then I have a database with this information that I run SQL queries against to determine the frequency of certain rule hits to find compromised accounts and block them quickly.

Thanks,
Dave
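As an added example, not code from the post or from SpamAssassin's FreeMail plugin, here is a small Python sketch of the To:-header checks Dave describes (counting freemail recipients and spotting an alphabetically sorted recipient list) together with the per-sender frequency check he runs against his hit database. The rule names FREEMAIL_TO_MANY and TO_SORTED, the freemail domain list and the sample relay records are all constructed for this example.

```python
import email.utils
from collections import Counter

# Constructed freemail domain list (assumption). SpamAssassin's FreeMail plugin
# reads a much larger list from its freemail_domains setting.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

def recipients(header_value):
    """Lower-cased addresses from a To:/Cc: header value (RFC 5322 address list)."""
    return [a.lower() for _, a in email.utils.getaddresses([header_value]) if "@" in a]

def to_header_hits(to_header, many=5):
    """Hypothetical rule names that would fire on the To: header of one message."""
    recips = recipients(to_header)
    freemail = [a for a in recips if a.rsplit("@", 1)[1] in FREEMAIL_DOMAINS]
    hits = set()
    if freemail:
        hits.add("FREEMAIL_TO")          # at least one freemail recipient
    if len(freemail) >= many:
        hits.add("FREEMAIL_TO_MANY")     # bulk send to freemail recipients
    # Three or more recipients in alphabetical order looks like a dumped address book
    if len(recips) >= 3 and recips == sorted(recips):
        hits.add("TO_SORTED")
    return hits

def suspicious_senders(messages, threshold=3):
    """Senders with at least `threshold` messages hitting both bulk rules; this is
    the kind of frequency query the post runs over its rule-hit database."""
    counts = Counter()
    for sender, to_header in messages:
        if {"FREEMAIL_TO_MANY", "TO_SORTED"} <= to_header_hits(to_header):
            counts[sender] += 1
    return {s for s, n in counts.items() if n >= threshold}

# Constructed sample of (envelope sender, To: header) pairs as a relay would log them.
SAMPLE = [
    ("alice@customer.example", "Bob <bob@customer.example>, carol@partner.example"),
    ("pwned@customer.example", "a.smith@gmail.com, b.jones@yahoo.com, c.lee@hotmail.com, "
                               "d.ng@outlook.com, e.ruiz@aol.com"),
    ("pwned@customer.example", "f.ali@gmail.com, g.kim@aol.com, h.wu@yahoo.com, "
                               "i.roy@hotmail.com, j.tan@outlook.com"),
    ("pwned@customer.example", "k.ola@gmail.com, l.may@yahoo.com, m.ito@aol.com, "
                               "n.bao@hotmail.com, o.din@outlook.com"),
]

if __name__ == "__main__":
    for sender, hdr in SAMPLE:
        print(sender, sorted(to_header_hits(hdr)))
    print("block candidates:", suspicious_senders(SAMPLE))
```

The per-message rule hits would map onto SpamAssassin scores; the sender-level count is what you would feed to an MTA block list after a few hits in a short window.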