On 16.02.2017 at 11:07, David Jones wrote:
> My mail filters also do a lot of outbound relaying from hundreds
> of customer mail servers.  Compromised accounts happen and I
> have some methods for detecting most of them and block the
> sender at the MTA within a few minutes to prevent my server
> IPs from becoming listed on RBLs.
> 
> Customer mail servers are currently trusted by IPs on our own
> network ranges and have a slight bias toward trust by being in
> the trusted_networks.  This allows for the proper RBL checks
> of the sender IP as long as the customer mail server adds the
> proper X-Originating-IP or Received: header of the client.
> 
> The goal is to be able to block most outbound spam with the
> usual rules, network tests, and Bayesian scores.  However,
> these compromised accounts often contain zero-hour email
> that scores low.
> 
> A common factor for most of these emails is sending with a
> high number of recipients often to FREEMAIL recipients.
> 
> Would it make sense for me to set up/manage my own custom
> rules for checking the To: header or could the FreeMail plugin
> be extended to add new rules like FREEMAIL_TO?
> 
> I understand that the To: header is not the same as the
> RCPT TO and the MTA will split emails based on destination.
> In this situation, the sending MTA is smarthosted to my
> relays and these are compromised accounts on legit MTAs
> where headers can be considered reliable.  I do see patterns
> with sorted recipients and multiple FREEMAIL recipients
> that I would like to score on.  Then I have a database with
> this information that I run SQL queries against to determine
> frequency of certain rule hits to find compromised accounts
> and block them quickly.
> 
> Thanks,
> Dave
> 

clamav-milter with Sanesecurity works fine and fast on outbound,
but better to get an intelligent milter across the outbound SMTP servers
which is able to identify hacked accounts, e.g. it counts From and To
addresses; if it deviates from normal traffic, action should be taken, etc.
Such a thing exists, but not as freeware, and for sure it must be fitted to your needs.


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
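
The header signals discussed in this thread (a high recipient count, mostly freemail recipients, an alphabetically sorted recipient list) can be computed per message and stored for the kind of frequency queries David describes. This is an added example, not code from the thread or from SpamAssassin; the domain list, thresholds and function names are assumptions, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed sample of freemail domains; a deployment would use a maintained list.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

def recipient_features(raw_message, many_rcpts=10, freemail_ratio=0.8):
    """Return To:/Cc: header features for one outbound message (thresholds are assumptions)."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    # Keep only parsed values that look like addresses, lower-cased for comparison.
    addrs = [a.lower() for _, a in getaddresses(headers) if "@" in a]
    freemail = [a for a in addrs if a.rsplit("@", 1)[1] in FREEMAIL_DOMAINS]
    return {
        "rcpt_count": len(addrs),
        "freemail_count": len(freemail),
        "many_rcpts": len(addrs) >= many_rcpts,
        "mostly_freemail": bool(addrs) and len(freemail) / len(addrs) >= freemail_ratio,
        # Several recipients in strict alphabetical order: the sorted-list pattern.
        "sorted_rcpts": len(addrs) >= 5 and addrs == sorted(addrs),
    }

def suspicious_hits(features, min_hits=2):
    """Return the names of the signals that fired, or [] if fewer than min_hits did."""
    hits = [k for k in ("many_rcpts", "mostly_freemail", "sorted_rcpts") if features[k]]
    return hits if len(hits) >= min_hits else []

# Constructed sample: 12 freemail recipients in sorted order from one customer account.
_names = ["adam", "bella", "carl", "dina", "ed", "fay",
          "gus", "hana", "ivan", "june", "kyle", "lena"]
_rcpts = sorted(f"{n}@{'gmail.com' if i % 2 else 'yahoo.com'}" for i, n in enumerate(_names))
BULK_SAMPLE = (
    "From: user@customer.example\n"
    "To: " + ", ".join(_rcpts) + "\n"
    "Subject: constructed bulk sample\n\nbody\n"
)

# Constructed sample: ordinary business mail with one freemail recipient.
NORMAL_SAMPLE = (
    "From: user@customer.example\n"
    "To: zoe@partner.example, bob@gmail.com\n"
    "Cc: amy@partner.example\n"
    "Subject: constructed normal sample\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in (("bulk", BULK_SAMPLE), ("normal", NORMAL_SAMPLE)):
        feats = recipient_features(raw)
        print(label, feats, suspicious_hits(feats))
```

As David notes, this only sees the To: and Cc: headers, not the envelope RCPT TO, so it is meaningful only where the submitting MTA's headers can be trusted.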
