> From: Marc Perkel
> I've been working on outbound filtering and trying to come up with a new
> set of tricks. Outbound filtering is very different than inbound.
>
> Here's the situation. An ISP has thousands of email users and some have
> used weak passwords or otherwise been suckered into giving up the
> password. The spammer gets access and starts sending spam at the rate of
> thousands per minute.
>
> I can detect the increase in the speed of sending rather quickly but it
> might take say - 5 minutes - to determine if it's a spammer or someone
> with a big email list sending legitimate email - and get that
> information to my servers. During the 5 minutes the spammer would be
> able to send thousands of spams before being shut down.
Another solution is based on the fact that many or most of the email addresses
the spammer sends to don't exist. The idea was posted to this list.
My implementation:
LIM = 100
PERIOD = 1h
WARNTO = abuse@???
# ${run} executes as the Exim user, so "-f root" only works because
# untrusted_set_sender is set below
EXIMBINARY = /usr/local/sbin/exim -f root
SHELL = /bin/sh

untrusted_set_sender = *
local_from_check = false
...

begin acl

acl_check_rcpt:
  ...
  # Relay hosts already on the block list: accept, but freeze the message
  accept hosts      = !@[] : +relay_from_hosts
         set acl_m_user = $sender_host_address
         # or a userid from RADIUS
         condition  = ${if exists{$spool_directory/blocked_relay_users}}
         condition  = ${lookup{$acl_m_user}lsearch\
                        {$spool_directory/blocked_relay_users}{1}{0}}
         control    = freeze/no_tell
         add_header = X-Relayed-From: $acl_m_user

  # Relay hosts: count recipients that fail verification per host; once LIM
  # of them are seen within PERIOD, record the host, warn WARNTO and freeze
  accept hosts      = !@[] : +relay_from_hosts
         !verify    = recipient/defer_ok/callout=10s,defer_ok,use_sender
         ratelimit  = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
         continue   = ${run{SHELL -c "echo $acl_m_user \
                        >>$spool_directory/blocked_relay_users; \
                        \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
                        because has sent mail to LIM invalid recipients during PERIOD.; \
                        \N}\N | EXIMBINARY WARNTO"}}
         control    = freeze/no_tell
         add_header = X-Relayed-From: $acl_m_user

  accept hosts      = +relay_from_hosts
         control    = submission/domain=

  # Authenticated users already on the block list: accept, but freeze
  accept authenticated = *
         set acl_m_user = $authenticated_id
         # in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
         condition  = ${if exists{$spool_directory/blocked_authenticated_users}}
         condition  = ${lookup{$acl_m_user}lsearch\
                        {$spool_directory/blocked_authenticated_users}{1}{0}}
         control    = freeze/no_tell
         add_header = X-Authenticated-As: $acl_m_user

  # Authenticated users: same counting as for relay hosts, keyed by userid
  accept authenticated = *
         !verify    = recipient/defer_ok/callout=10s,defer_ok,use_sender
         ratelimit  = LIM / PERIOD / per_rcpt / user-$acl_m_user
         continue   = ${run{SHELL -c "echo $acl_m_user \
                        >>$spool_directory/blocked_authenticated_users; \
                        \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
                        has sent mail to LIM invalid recipients during PERIOD.; \
                        \N}\N | EXIMBINARY WARNTO"}}
         control    = freeze/no_tell
         add_header = X-Authenticated-As: $acl_m_user

  accept authenticated = *
         control    = submission/domain=
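An added example, not part of the original post or of Exim: a small Python model of what the two accept statements do over time. It assumes Exim's ratelimit behaves like an exponentially weighted moving average in leaky mode with a one-second minimum interval, and it keeps the block list in memory instead of the spool file.

```python
import math

LIM = 100           # invalid recipients allowed per PERIOD (the config's LIM)
PERIOD = 3600.0     # seconds; the config's PERIOD = 1h

class InvalidRecipientLimiter:
    """Per-user rate of recipients that fail verification, keyed the way
    the ACL keys ratelimit (user-$acl_m_user); blocked users stand in for
    the lines in $spool_directory/blocked_authenticated_users."""

    def __init__(self, limit=LIM, period=PERIOD):
        self.limit, self.period = limit, period
        self.rates = {}       # user -> (time of last update, measured rate)
        self.blocked = set()

    def _measure(self, user, now):
        # Exponentially weighted moving average in events per PERIOD
        # (assumption: approximates Exim's ratelimit; first event counts 1.0,
        # intervals are floored at 1s to avoid dividing by zero).
        if user not in self.rates:
            self.rates[user] = (now, 1.0)
            return 1.0
        last, rate = self.rates[user]
        i_over_p = max(now - last, 1.0) / self.period
        a = math.exp(-i_over_p)
        rate = (1 - a) / i_over_p + a * rate
        if rate <= self.limit:               # leaky mode: over-limit events
            self.rates[user] = (now, rate)   # are not added to the stored rate
        return rate

    def rcpt(self, user, recipient_exists, now):
        """One RCPT command: 'frozen' when the message is accepted but frozen
        (either accept statement matched), otherwise 'accept'."""
        if user in self.blocked:
            return "frozen"          # lsearch on the block list hits
        if recipient_exists:
            return "accept"          # !verify = recipient is false: not counted
        if self._measure(user, now) > self.limit:
            self.blocked.add(user)   # the ${run{...}} appends the user
            return "frozen"
        return "accept"

def first_frozen(limiter, user, count, step):
    """Send `count` invalid recipients `step` seconds apart; return the
    1-based number of the RCPT that got the user blocked, or None."""
    for n in range(1, count + 1):
        if limiter.rcpt(user, False, n * step) == "frozen":
            return n
    return None
```

With the model's arithmetic a burst of one bad recipient per second is frozen at the 102nd RCPT, while one bad recipient per minute settles around 60 per hour and is never blocked.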