On 15/11/2016 21:09, Volker Cordes wrote:
I just stopped our server from sending out spam mails. A password from one of our customers was hacked or somehow leaked so that the mails were sent by an authenticated user. Now I was wondering if it is possible to block users that authenticate themselves from a lot of different IP addresses in a short timespan or to implement blocking using geoip-services (99% of our customers are based in Germany).
I use the following, http://wiki.policyd.org/start with the quota module activated. Then there is this cron script (found from the internet) that sends an email to the administrator once the user starts sending more than 50% of the limit set.
#!/bin/bash
# parameters:
#   0.5 ... if counter is above 50% of the limit
#   timestampdiff() <= 1 ... seen in the last hour
# if there are no results the output is empty, otherwise cron sends the
# result per mail
echo "select TrackKey, FROM_UNIXTIME(LastUpdate) as LastSeen, Counter, CounterLimit,
  Counter / CounterLimit * 100 as Percentage
  from quotas_tracking
  left join quotas_limits on quotasLimitsID = quotas_limits.ID
  where Counter / CounterLimit > 0.5
  and TIMESTAMPDIFF(HOUR, FROM_UNIXTIME(LastUpdate), CURRENT_TIMESTAMP()) <= 1
  order by counter desc;" | mysql --user=databaseuser --password=password database
P.V.Anthony