[horde] Email Send Limits To Discourage Spamming
Kevin Konowalec
webadmin at ualberta.ca
Thu Mar 19 16:32:19 UTC 2009
Hi Andy,
This is exactly the problem we were facing. What I did is I set the
per-message recipient limit to 50 and the per-day send total limit to
200 using Horde's built-in permissions. The rationale was that anyone
sending more than that should not be using the web mail client - they
should be using our mailman bulk mailer. We've found this works
pretty well (with only a handful of people getting caught by it that
are legitimate... but when it happens we tell them how to use the
mailman server and send them on their way).
What I also had to do, though, was to write a hook that sends an email
to the horde admin address when a user hits the 200 message limit. I
send the contents of a few fields in the prefs as well that the
spammers like to hide their payload in so we can tell right away if
it's a legit user or a spammer. We've found this to be pretty
effective... though granted they can get as many as 200 spam messages
sent out, that's the maximum they will be able to send, since not only
does Horde prevent them from sending any more for a certain length of
time but by the time their time in the penalty box expires our admins
have investigated and disabled the compromised account.
Kevin
On Mar 19, 2009, at 9:51 AM, Andy Dorman wrote:
> We are about to re-open our webmail service for public sign ups and
> I was wondering if anyone in the group has any thoughts about
> reasonable limits for sending emails?
>
> FWIW, we actually opened the service up three weeks ago with no
> sending limits. That was a BIG mistake. Within a week the spammers
> found us and in the space of a few hours sent over 144 thousand bank
> scam emails and got us blacklisted by just about everyone.
>
> So before we allow more public sign ups we will have max limits on
> recipients per email and per 24 hour period.
>
> Has anyone else found it necessary to set limits? And if so, what
> limits have you found effective in slowing the spammers without
> upsetting too many of your good users?
>
> Also, will anyone be interested in the code we used for blocking
> sending per email and per time? Since we use OpenLDAP and Memcached
> already, we elected to use prefs (that are locked/not adjustable by
> the user and can be loaded from LDAP) to set default and per-address
> limits and memcache to track the recipients sent to per 24 hr block.
>
> If anyone is interested, I would be happy to either send in the
> actual code (not much was needed thanks to how Horde/imp is already
> set up) or figure out how to do a patch against the current CVS code
> (we use Bazaar).
>
> Thanks for any thoughts from those of you that have experience with
> email sending limits.
>
> --
> Andy Dorman
> Ironic Design, Inc.
> AnteSpam.com, HomeFreeMail.com, ComeHome.net
>
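The policy discussed in this thread (a 50-recipient cap per message, a 200-per-day total, a counter kept per 24-hour block, and an admin alert the first time a user hits the daily cap) can be sketched as follows. This is an added example, not code from either poster or from Horde. It assumes the daily total counts recipients, uses an in-memory dict where the thread mentions memcache, and every name in it is hypothetical.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

MAX_RCPTS_PER_MESSAGE = 50    # per-message limit quoted in the thread
MAX_RCPTS_PER_DAY = 200       # per-day limit quoted in the thread
WINDOW = 24 * 3600            # one 24-hour block, in seconds


@dataclass
class SendLimiter:
    alert: Callable[[dict], None]                 # e.g. mail the admin address
    counts: dict = field(default_factory=dict)    # stand-in for memcache
    alerted: set = field(default_factory=set)     # blocks already reported

    def check(self, user, recipients, prefs=None, now=None):
        """Return 'ok', 'per_message' or 'per_day' for one send attempt."""
        now = time.time() if now is None else now
        if len(recipients) > MAX_RCPTS_PER_MESSAGE:
            return "per_message"
        # Fixed blocks are cheap to store (one counter per user per block),
        # but a sender can use a full quota on each side of a block boundary.
        key = (user, int(now // WINDOW))
        used = self.counts.get(key, 0)
        if used + len(recipients) > MAX_RCPTS_PER_DAY:
            if key not in self.alerted:
                # Alert once per user per block, attaching the pref fields the
                # admins want to eyeball (field names are the caller's choice).
                self.alerted.add(key)
                self.alert({"user": user, "used": used,
                            "block": key[1], "prefs": dict(prefs or {})})
            return "per_day"
        self.counts[key] = used + len(recipients)
        return "ok"
```

With a real cache, the counter key would also carry an expiry slightly longer than one block so stale counters age out on their own.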