[BlueOnyx:19717] Re: prevent user from sending e-mail in /etc/mail/access

Michael Stauber mstauber at blueonyx.it
Wed Jun 15 11:52:10 -05 2016


Hi Meaulnes,

> But that user is still sending out tons of mails if I enable it again
> (unchecking «Suspend» in the GUI), thousands in a couple of hours

Yeah, in that case it would be best to suspend him until the time that
the user has cleaned up his infected PC.

You've done some good work there identifying the problem. But we also do
have some software that can help with identifying, warning about and
limiting the effect of the problem:

The AV-SPAM has an extra called Milter-GeoIP. This performs several
functions:

1.) Check if senders of emails relaying through your server are from a
list of allowed countries. If not, it's possible to block them from
using your server to send emails. Accounts can also be automatically
suspended if they are being used from blacklisted countries, as this
would indicate a compromise of the account. Or a very prolific traveller.

2.) Vsite and User email quotas: Each Vsite (and User) can be configured
to have an allowance of how many emails they may send through your
server in a 24-hour period. If that quota is almost reached (75%), a
warning is sent to you and the user. If the quota is exceeded, then no
more emails can be sent by that user (or the Vsite) for the rest of the
day. Likewise Active Monitor will let you know about this.

3.) Milter-GeoIP keeps a very exact tally of how many emails a Vsite
(and Users) have sent and received. So identifying a culprit is then as
easy as going to "Active Monitor" and checking "Email Traffic Monitor".

With these measures in place (and active!) you'll have an easy time
learning early on if some fishy email activity is going on and can then
take further actions if need be.

How is this configured? If the AV-SPAM v6.1.0 or v6.2.0 is installed: Go
to "Network Settings" / "AV-SPAM" and see the "Services" tab.
Milter-GeoIP should be enabled.

In the "GeoIP" tab review the "Daily Limits for Email-Sending". You may
want to adjust them to lower numbers. For very active Vsites (or
individual Users) you can set them higher in the Vsite or User email
settings of the respective Vsites and User management.

Tick the checkbox "Enforce Email Limits". That will activate the feature
that limits how many emails Vsites and Users can send per day.

If you want to take it a step further and block your server from being
used to relay emails from blacklisted countries, review the Black- and
Whitelisted countries and adjust the checkboxes to your liking. Then
tick "Block Blacklist entirely" (if you want to block) or leave it off
if you just want to get warned by Active Monitor.

To allow a Vsite individual email traffic settings see "Site Management"
/ "Services" / "Email".

To allow a User individual email traffic settings see "Site Management"
/ "User Management" / "User List" and click on the User in question.

In both cases "Enforce Email Limits" must be ticked and the allowance
can then be adjusted to your liking.

If a user tries to send more emails than allowed, the SMTP service will
send him an error message that all SMTP clients can understand. The
message is very clear and says something like "You already sent more
emails today than you are being allowed to." The usual email clients
will show this exact message to the end user, so there should be no
confusion for him why he's unable to send more.

-- 
With best regards

Michael Stauber
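The daily-quota behaviour described in the post (a warning at 75% of the allowance, a block for the rest of the day once it is exceeded, per-Vsite and per-User overrides, and the "Enforce Email Limits" tick), modelled as an added Python example. This is not BlueOnyx or Milter-GeoIP code; the default allowances, the scope naming and the SMTP reply wording are assumptions.

```python
from collections import defaultdict
from datetime import date

# Assumed default allowances (not BlueOnyx's real values); adjust per server.
DEFAULT_LIMITS = {"vsite": 1000, "user": 200}
WARN_FRACTION = 0.75  # warn admin and user once 75% of the allowance is used


class DailyQuota:
    """Per-day sending tally for Users and Vsites, with warning and block."""

    def __init__(self, enforce=True, limits=None, overrides=None):
        self.enforce = enforce                       # the "Enforce Email Limits" tick
        self.limits = dict(DEFAULT_LIMITS, **(limits or {}))
        self.overrides = overrides or {}             # e.g. {"vsite:example.com": 5000}
        self.sent = defaultdict(int)                 # (day, scope) -> emails sent
        self.warned = set()                          # (day, scope) already warned once

    def _limit(self, scope):
        kind = scope.split(":", 1)[0]                # "user" or "vsite"
        return self.overrides.get(scope, self.limits[kind])

    def check(self, user, vsite, day=None):
        """Decide whether one outgoing message may be relayed.

        Returns (accepted, smtp_reply, warnings). The tally resets per
        calendar day (the simplest reading of "for the rest of the day");
        a rejected message does not consume any allowance, and with
        enforcement off messages are still counted and warned about.
        """
        day = day or date.today().isoformat()
        scopes = (f"user:{user}", f"vsite:{vsite}")
        if self.enforce:
            for scope in scopes:
                if self.sent[(day, scope)] >= self._limit(scope):
                    return (False,
                            f"550 5.7.1 {scope} already sent more emails today "
                            f"than allowed ({self._limit(scope)})", [])
        warnings = []
        for scope in scopes:
            self.sent[(day, scope)] += 1
            limit, used = self._limit(scope), self.sent[(day, scope)]
            if (day, scope) not in self.warned and used >= WARN_FRACTION * limit:
                self.warned.add((day, scope))      # one warning per scope per day
                warnings.append(f"{scope} at {used}/{limit} of daily allowance")
        return True, "250 2.0.0 Ok", warnings

    def sent_today(self, scope, day):
        return self.sent[(day, scope)]
```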


