postfix-users October 2010 archive

Re: reverse greylist

From: Len Conrad <lconrad_at_nospam>
Date: Wed Oct 13 2010 - 22:06:26 GMT
To: <postfix-users@postfix.org>

>At many Universities there is a continual problem with accounts being phished and used to send spam. We have a number of measures that catch stolen accounts but they take a little bit of time to block outgoing email.
>
>Ideally I'd like to hold email to either a new address or a new address, sender, sender IP triplet like greylisting uses. Even holding for a minute would give us enough time to lock the account and remove all incentives to phish our accounts (I hope).
>
>Is anyone aware of a greylisting type policy server that can use a specific header, containing the sender IP, or one that just uses the destination address?
>

We solved our cracked passwords with sender rate limiting.

I looked back 30 days of maillogs, and harvested all the legit senders who send large volumes, and "whitelisted" them from below.

I used postfwd rate limiting to HOLD on our outbound gateway any other senders that send more than x msgs in y minutes. Monit emails me when the HOLD (which should always be empty) gets 10 items.

We delete the HOLDed crap, and add new legit volume senders to the whitelist and release their msgs from HOLD queue.

So with a password crack, we end up with 150K msgs in our outbound HOLD queue, rather than sending out 150K of garbage.

Len
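
The rate-limit-then-HOLD decision described in the message above, sketched as an added example that is not part of the original post and is not postfwd's own code. It is written as a Postfix policy-delegation decision function in Python; the threshold values, the whitelist entry and the addresses in the sample request are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Assumed values: the post only says "x msgs in y minutes".
MAX_MSGS = 5          # x
WINDOW_SECS = 600     # y minutes, expressed in seconds
# Constructed whitelist of known high-volume senders (hypothetical address).
WHITELIST = {"newsletter@example.edu"}

_seen = defaultdict(deque)   # sender -> timestamps of recent messages


def parse_request(text):
    """Parse one Postfix policy-delegation request (name=value lines)."""
    attrs = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            attrs[name.strip()] = value.strip()
    return attrs


def decide(attrs, now=None):
    """Return the policy action for one message: HOLD or DUNNO."""
    now = time.time() if now is None else now
    # Prefer the authenticated login; the envelope sender can be forged.
    who = (attrs.get("sasl_username") or attrs.get("sender", "")).lower()
    if not who or who in WHITELIST:
        return "DUNNO"
    stamps = _seen[who]
    stamps.append(now)
    # Drop timestamps that have fallen out of the sliding window.
    while stamps and stamps[0] <= now - WINDOW_SECS:
        stamps.popleft()
    if len(stamps) > MAX_MSGS:
        return "HOLD sender rate limit exceeded"
    return "DUNNO"


# Constructed sample request, in the name=value format Postfix sends.
SAMPLE = """request=smtpd_access_policy
protocol_state=RCPT
sender=student1@example.edu
sasl_username=student1
recipient=someone@example.org
"""

if __name__ == "__main__":
    for i in range(8):   # 8 messages, one second apart
        print(i + 1, decide(parse_request(SAMPLE), now=1000.0 + i))
```

Keying on `sasl_username` ties the counter to the stolen credential itself, so a compromised account is held even if it rotates envelope sender addresses.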