On Oct 17, 2012, at 4:51 PM, /dev/rob0 wrote:

> On Wed, Oct 17, 2012 at 03:41:08PM -0500, Thomas E Lackey wrote:
>> I am looking into a system where one of the [virtual] mail accounts 
>> was compromised.
>> 
>> Apparently the account, once compromised, was used to send spam 
>> from overseas hosts.  Since the company has no overseas users, they 
>> asked if it were possible to block outbound/relaying activity from 
>> all non-US IP addresses, even from authenticated accounts, while 
>> still allowing inbound SMTP from non-US IPs.  And, of course, they 
>> would like to retain sending from US IPs from authenticated 
>> accounts.
>> 
>> I am pretty familiar with Postfix, but this combination has me
>> scratching my head.  Is it doable?
> 
> Not easily, and there is little reason to think it would be very 
> effective. If you could compile (or query) a list of the IP address 
> ranges and use it as check_client_access, you have succeeded with 
> that part of your goal, but you probably have not accomplished the
> real goal. What about when the ratware is sending from your user's 
> US-based computer?
> 
> This issue last came up on this list today, and before that, 
> yesterday (thanks Jeroen!) The real answer is rate limiting and
> content filtering of authenticated senders.

I can add too that if you're using "policyd2" for the outbound rate
limiting, it stores the per-user tracking information in a database,
which makes it really easy to monitor.  If you tighten up the rules
to something like a few hundred messages an hour and have your
existing monitoring system do a simple SQL query against the policyd
db so you get alerted when someone trips the limit (or starts 
approaching the limit) you can respond to hijacked accounts pretty 
quickly and avoid most of the collateral damage.

Charles

> -- 
>  http://rob0.nodns4.us/ -- system administration and consulting
>  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
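As an added illustration of the monitoring idea above (this is example code written for this page, not something from the thread or from policyd itself), the script below runs the kind of "who is near the hourly limit" query a monitoring system could issue against the rate-limiter's tracking database. The table name `quotas_tracking` and its columns `track_key`, `counter`, `last_update` are an assumed, simplified shape of a per-sender counter table; the real policyd schema differs and the query would need to be adapted to it. The rows are constructed sample data held in an in-memory SQLite database so the example runs offline.

```python
"""Alert on authenticated senders that trip or approach an outbound quota.

Assumed schema (not policyd's real one): one row per tracked sender with the
message count for the current window and the epoch time of the last update.
"""
import sqlite3

HOURLY_LIMIT = 200      # "a few hundred messages an hour", as in the thread
WARN_FRACTION = 0.8     # alert once a sender reaches 80% of the limit
WINDOW_SECONDS = 3600   # ignore counters not updated within the last hour

# Constructed sample rows: (sender, messages in window, seconds before 'now').
SAMPLE_ROWS = [
    ("alice@example.com", 240, 60),     # already over the limit (hijacked?)
    ("bob@example.com", 170, 300),      # approaching the limit
    ("carol@example.com", 20, 10),      # normal user
    ("dave@example.com", 500, 7200),    # stale counter from an old window
]


def load_sample_db(now):
    """Build an in-memory database in the assumed tracking-table shape."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE quotas_tracking ("
        "track_key TEXT, counter INTEGER, last_update INTEGER)"
    )
    conn.executemany(
        "INSERT INTO quotas_tracking VALUES (?, ?, ?)",
        [(key, count, now - age) for key, count, age in SAMPLE_ROWS],
    )
    return conn


def check_quotas(conn, now, limit=HOURLY_LIMIT, warn=WARN_FRACTION,
                 window=WINDOW_SECONDS):
    """Return [(sender, count, state)] for senders at or above the warn level.

    Only counters touched inside the current window are considered, so a
    large count left over from an earlier hour does not raise a false alarm.
    """
    threshold = int(limit * warn)
    cutoff = now - window
    sql = (
        "SELECT track_key, counter FROM quotas_tracking "
        "WHERE last_update >= ? AND counter >= ? "
        "ORDER BY counter DESC"
    )
    alerts = []
    for key, count in conn.execute(sql, (cutoff, threshold)):
        state = "TRIPPED" if count >= limit else "WARN"
        alerts.append((key, count, state))
    return alerts


def exit_status(alerts):
    """Map alerts to a Nagios-style exit code: 2 critical, 1 warning, 0 ok."""
    if any(state == "TRIPPED" for _, _, state in alerts):
        return 2
    if alerts:
        return 1
    return 0


if __name__ == "__main__":
    import sys
    import time

    now = int(time.time())
    found = check_quotas(load_sample_db(now), now)
    for key, count, state in found:
        print(f"{state}: {key} sent {count} messages in the last hour")
    sys.exit(exit_status(found))
```

Pointing the check at the live database instead of the in-memory sample is a matter of swapping the connection and the table/column names; the threshold-and-window logic is what turns the rate limiter's counters into an early warning before a compromised account burns through the whole quota.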
