[BlueOnyx:20193] Re: bulk SMTP sending

Michael Stauber mstauber at blueonyx.it
Mon Oct 24 13:50:12 -05 2016


Hi Meaulnes,

> I got the following message from the server admin:
> 
> Subject: SPAM-Alert! (SMTP)
> Mon Oct 24 14:34:23 2016: User from IP 92.104.124.118 sent more than 200
> emails in four hours.
> 
> cool! didn't know excessive SMTP activity was monitored and reported!

It looks like you haven't updated Dfix2 in quite some time. ;-)

The version I once installed for you (many moons ago!) used a modified
rule that was supposed to detect bulk mailing. It was a simple thing
that triggered if the same IP sent more than X emails in Y time via SMTP.

This feature never made it into the official Dfix2 out of the shop, as
the rule was way too strict and its "one size fits all" approach would
have caused us some grief.

The better approach is to use the AV-SPAM feature "Milter GeoIP". That
(if enabled) keeps accurate track of how many emails an individual user
(or a whole Vsite) sends and allows you to see this in the GUI.

You can also configure it on a per Vsite (and per User) level to
restrict how many emails can be sent by them. If someone tries to send
more emails than that in a single day, then the sending attempt will be
blocked and the user gets a descriptive SMTP error message that tells
him that he has exceeded his daily sending quota.

Furthermore, Milter-GeoIP raises Active Monitor alarms if Vsites or Users
are approaching or exceeding their limits and then lets you know who
exactly is the culprit. It also can raise alarms (and either block or
block + suspend!) if user accounts are used for sending emails from
unusual countries.

Example: User "jdoe" always connects from Switzerland, but suddenly his
account is being used from China, Taiwan and Ukraine. Milter-GeoIP can
be configured via the GUI to holler (or do something proactively) if
this happens.

> what I don't is how this could happen... I have set a max of *25*
> recipients per message in the GUI. How could the user /lpiatti/ override
> this?

The logfile snippet doesn't show how many emails he sent in single
attempts. But he sure has sent roughly 200 emails in an hour or two, or
Dfix2 wouldn't have raised the alarm.

-- 
With best regards

Michael Stauber
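The three checks described in this message (the old Dfix2 rule of "more than X emails from one IP in Y hours", the Milter-GeoIP per-user daily quota, and the unusual-country alarm) can be illustrated with a small detector run over constructed SMTP log lines. This is an added example, not code from Dfix2, Milter-GeoIP or BlueOnyx; the log line format, the static IP-to-country table standing in for a GeoIP database, the user names and the thresholds are all assumptions made for the example.

```python
"""Added example: three outbound-mail abuse checks over constructed log lines.
Not Dfix2 / Milter-GeoIP code; log format, thresholds and the IP->country
table are assumptions made for this illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<YYYY-MM-DD HH:MM:SS> user=<login> ip=<addr> rcpt=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) ip=(?P<ip>\S+) rcpt=(?P<rcpt>\d+)$")

# Assumption: a static table stands in for a GeoIP lookup (documentation IPs).
IP_COUNTRY = {"192.0.2.10": "CH", "192.0.2.11": "CH",
              "203.0.113.7": "CN", "198.51.100.5": "UA"}


def parse_line(line):
    """Parse one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"], "ip": m["ip"], "rcpt": int(m["rcpt"])}


def build_sample_log():
    """Constructed log: 'bulk1' sends 201 messages from one IP in under 3h;
    'jdoe' sends from the usual country, then from two unusual ones."""
    lines = []
    start = datetime(2016, 10, 24, 10, 0, 0)
    for i in range(201):
        ts = start + timedelta(seconds=i * 53)  # 201 messages in ~2.96 hours
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} user=bulk1 ip=192.0.2.11 rcpt=25")
    lines += [
        "2016-10-24 09:00:00 user=jdoe ip=192.0.2.10 rcpt=1",
        "2016-10-24 09:30:00 user=jdoe ip=192.0.2.10 rcpt=2",
        "2016-10-24 12:15:00 user=jdoe ip=203.0.113.7 rcpt=1",
        "2016-10-24 12:20:00 user=jdoe ip=198.51.100.5 rcpt=1",
    ]
    return lines


def ip_rate_alerts(events, max_msgs=200, window=timedelta(hours=4)):
    """Dfix2-style rule: report each IP that sends more than max_msgs
    messages within any sliding window of the given length."""
    recent = defaultdict(deque)
    alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop timestamps outside window
            q.popleft()
        if len(q) > max_msgs:
            alerted.add(ev["ip"])
    return sorted(alerted)


def daily_quota_alerts(events, quota, default=500):
    """Milter-GeoIP-style per-user daily limit: returns the events that would
    be rejected because the user already reached their quota that day."""
    sent = defaultdict(int)
    blocked = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ts"].date())
        sent[key] += 1
        if sent[key] > quota.get(ev["user"], default):
            blocked.append(ev)
    return blocked


def unusual_country_alerts(events, baseline):
    """Flag messages sent from a country outside the user's usual set."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        country = IP_COUNTRY.get(ev["ip"], "??")
        if country not in baseline.get(ev["user"], set()):
            alerts.append((ev["user"], ev["ip"], country))
    return alerts


if __name__ == "__main__":
    events = [e for e in map(parse_line, build_sample_log()) if e]
    print("rate alerts (IPs):", ip_rate_alerts(events))
    print("quota rejections:", len(daily_quota_alerts(events, {"bulk1": 100})))
    print("country alerts:", unusual_country_alerts(events, {"jdoe": {"CH"}, "bulk1": {"CH"}}))
```

The rate rule is evaluated per source IP, which is why a "one size fits all" threshold is noisy (a shared office NAT looks like one heavy sender); the quota and country checks key on the authenticated user instead, which is the distinction the message draws between the old Dfix2 rule and Milter-GeoIP.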
