> We had an incident when an account was compromised and a lot of mail was
> sent from that account over the weekend before we could do anything.
> Do you think if we had a rate limit for every sender in place, it would
> have limited the damage? BTW, we don't even get 100 mails/day from
> one particular user, so a rate limit for all the users to 100/day would
> have seemed to be a good damage control in case of compromised accounts
> in future.

Although we haven't had a second compromise+spam incident here, our
approach to mitigating the damage is primarily this rate-limiting.
Our compromised account sent at a quite high volume and speed, so even a
relatively generous rate limit that simply slows down message acceptance
to, say, one recipient every ten seconds will likely cut down the impact
quite significantly.

The other observation we made was that our compromised account was used
to send spam with origin addresses not from our domain (e.g., the spammer
forged Yahoo origin addresses on it, which worked at the time). As a
result of this we changed our outgoing email gateway to use a different
outgoing IP address for not-us envelope origin addresses, on the principle
that this way we might mitigate the effect of getting the IP address
blocklisted as a spam source.

- cks
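
Added example, not part of the original message and not the gateway configuration it describes: a small Python model of the two measures discussed in this thread, per-sender recipient pacing with a daily cap, and choosing the outgoing IP by envelope sender domain. The 60-hour weekend, the one-attempt-per-second sending rate, the names `OutboundPolicy` and `simulate`, `example.org`, and the 192.0.2.x addresses are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class SenderState:
    next_ok: float = 0.0   # earliest time another recipient is accepted
    day: int = -1          # day number the counter belongs to
    count: int = 0         # recipients accepted on that day

class OutboundPolicy:
    def __init__(self, local_domains, min_interval=10.0, daily_cap=100,
                 local_ip="192.0.2.10", other_ip="192.0.2.20"):
        self.local_domains = {d.lower() for d in local_domains}
        self.min_interval, self.daily_cap = min_interval, daily_cap
        self.local_ip, self.other_ip = local_ip, other_ip  # constructed IPs
        self.senders = {}

    def check_rcpt(self, auth_user, now):
        """Decide on one RCPT from an authenticated sender at time `now` (seconds)."""
        st = self.senders.setdefault(auth_user, SenderState())
        day = int(now // 86400)
        if day != st.day:                       # new day: reset the counter
            st.day, st.count = day, 0
        if self.daily_cap is not None and st.count >= self.daily_cap:
            return "defer: daily cap"
        if now < st.next_ok:
            return "defer: too fast"
        st.next_ok = now + self.min_interval
        st.count += 1
        return "accept"

    def egress_ip(self, envelope_from):
        """Pick the outgoing IP by envelope sender domain."""
        # A null sender ("") has no domain and lands in the not-us pool here.
        domain = envelope_from.rpartition("@")[2].lower()
        return self.local_ip if domain in self.local_domains else self.other_ip

def simulate(policy, user="victim", seconds=60 * 3600):
    """Count recipients accepted when `user` attempts one RCPT every second."""
    return sum(policy.check_rcpt(user, t) == "accept" for t in range(seconds))

if __name__ == "__main__":
    for label, kw in [("no limit", dict(min_interval=0, daily_cap=None)),
                      ("1 rcpt / 10 s", dict(daily_cap=None)),
                      ("10 s pacing + 100/day", {})]:
        print(label, simulate(OutboundPolicy({"example.org"}, **kw)))
    p = OutboundPolicy({"example.org"})
    print(p.egress_ip("user@example.org"), p.egress_ip("someone@yahoo.com"))
```

Under these assumptions the model accepts 216000 recipients with no limit, 21600 with ten-second pacing alone, and 300 with pacing plus the 100/day cap.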