postfix-users October 2010 archive
postfix-users: anvil stats/restrictions based on SASL username?

anvil stats/restrictions based on SASL username?

From: Cassidy Larson <alandaluz_at_nospam>
Date: Wed Oct 27 2010 - 00:21:19 GMT
To: postfix-users@postfix.org

We had an incident today where we had a user with a compromised
machine. Their email/pass made it back to some botnet which proceeded
to SASL auth to our mail servers and send numerous spam messages from
many different hosts. The spamming hosts didn't trigger our
smtpd_client_recipient_rate_limit setting, because of the many
different hosts (all with the same SASL user authenticated) that they
used.

This got me wondering if there's any easy way to have anvil report
stats based on the authenticated SASL username, in addition to the
remote IP address?

This would help me prevent/monitor potential addresses that are being
used by a botnet system to relay mails through my mail server.

Or even better if there was a way to make a similar feature like the
"smtpd_client_recipient_rate_limit" setting that'd
match/restrict/prevent based on the authenticated SASL username?

Thoughts? Suggestions?

Thanks,

-c
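
The per-username view asked about above can be derived from the mail log itself. The following is an added example, not part of the original post and not Postfix code: it groups the `client=..., sasl_username=...` lines that smtpd logs for authenticated mail by username and reports accounts seen from many distinct addresses. The sample log lines, the user names and the `max_ips` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Postfix smtpd logs a line for each message it queues for an authenticated client:
#   postfix/smtpd[PID]: QUEUEID: client=HOST[IP], sasl_method=..., sasl_username=USER
AUTH_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=[^\[\s]*\[(?P<ip>[^\]]+)\]"
    r".*?sasl_username=(?P<user>[^,\s]+)"
)

def sasl_usage(lines):
    """Map each SASL username to its distinct client IPs and message count."""
    stats = defaultdict(lambda: {"ips": set(), "messages": 0})
    for line in lines:
        m = AUTH_RE.search(line)
        if m is None:
            continue  # not an authenticated-submission line
        entry = stats[m.group("user")]
        entry["ips"].add(m.group("ip"))
        entry["messages"] += 1
    return dict(stats)

def suspicious_users(lines, max_ips=3):
    """Usernames seen from more than max_ips distinct addresses (assumed threshold)."""
    usage = sasl_usage(lines)
    return sorted(u for u, s in usage.items() if len(s["ips"]) > max_ips)

# Constructed sample: hostnames, users and addresses are invented for the example.
SAMPLE_LOG = """\
Oct 26 18:01:02 mx1 postfix/smtpd[2211]: connect from unknown[192.0.2.10]
Oct 26 18:01:03 mx1 postfix/smtpd[2211]: 4F1A2C0: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Oct 26 18:01:04 mx1 postfix/smtpd[2214]: 4F1B3D1: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice
Oct 26 18:01:05 mx1 postfix/smtpd[2216]: 4F1C4E2: client=unknown[203.0.113.44], sasl_method=PLAIN, sasl_username=alice
Oct 26 18:01:06 mx1 postfix/smtpd[2219]: 4F1D5F3: client=unknown[198.51.100.90], sasl_method=LOGIN, sasl_username=alice
Oct 26 18:02:10 mx1 postfix/smtpd[2230]: 4F2A6A4: client=desk.example.com[192.0.2.55], sasl_method=PLAIN, sasl_username=bob
Oct 26 18:09:41 mx1 postfix/smtpd[2230]: 4F2B7B5: client=desk.example.com[192.0.2.55], sasl_method=PLAIN, sasl_username=bob
"""

if __name__ == "__main__":
    usage = sasl_usage(SAMPLE_LOG.splitlines())
    for user in suspicious_users(SAMPLE_LOG.splitlines()):
        print(user, usage[user]["messages"], sorted(usage[user]["ips"]))
```

Run over a sliding window of recent log lines, the same grouping flags an account that is authenticating from many hosts even when no single host exceeds a per-client limit.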