[horde] Email Send Limits To Discourage Spamming

Joseph Yee jyee at ca.afilias.info
Thu Mar 19 17:00:41 UTC 2009


You can configure it at the MTA (Sendmail can do it) too.  As to whether
a limit is necessary: it's a must, even Gmail sets it.

Cheers,
Joseph

On 19-Mar-09, at 12:32 PM, Kevin Konowalec wrote:

> Hi Andy,
>
> This is exactly the problem we were facing.  What I did is I set the  
> per-message recipient limit to 50 and the per-day send total limit  
> to 200 using Horde's built-in permissions.  The rationale was that  
> anyone sending more than that should not be using the web mail  
> client - they should be using our mailman bulk mailer.  We've found  
> this works pretty well (with only a handful of people getting caught
> by it that are legitimate)... but when it happens we tell them how to
> use the mailman server and send them on their way.
>
> What I also had to do, though, was to write a hook that sends an  
> email to the horde admin address when a user hits the 200 message  
> limit.  I send the contents of a few fields in the prefs as
> well that the spammers like to hide their payload in, so we can tell
> right away if it's a legit user or a spammer.  We've found this to
> be pretty effective... though granted they can get as many as 200
> spam messages sent out, that's the maximum they will be able to send,
> since not only does Horde prevent them from sending any more for a
> certain length of time but by the time their time in the penalty box  
> expires our admins have investigated and disabled the compromised  
> account.
>
>
> Kevin
>
>
> On Mar 19, 2009, at 9:51 AM, Andy Dorman wrote:
>
>> We are about to re-open our webmail service for public sign ups and  
>> I was wondering if anyone in the group has any thoughts about  
>> reasonable limits for sending emails?
>>
>> FWIW, we actually opened the service up three weeks ago with no  
>> sending limits.  That was a BIG mistake.  Within a week the  
>> spammers found us and in the space of a few hours sent over 144  
>> thousand bank scam emails and got us blacklisted by just about  
>> everyone.
>>
>> So before we allow more public sign ups we will have max limits on  
>> recipients per email and per 24 hour period.
>>
>> Has anyone else found it necessary to set limits?  And if so, what  
>> limits have you found effective in slowing the spammers without  
>> upsetting too many of your good users?
>>
>> Also, will anyone be interested in the code we used for blocking  
>> sending per email and per time?  Since we use OpenLDAP and Memcached
>> already, we elected to use prefs (that are locked/not adjustable by
>> the user and can be loaded from LDAP) to set default and
>> per-address limits and memcache to track the recipients sent to per 24
>> hr block.
>>
>> If anyone is interested, I would be happy to either send in the  
>> actual code (not much was needed thanks to how Horde/imp is already  
>> set up) or figure out how to do a patch against the current CVS  
>> code (we use Bazaar).
>>
>> Thanks for any thoughts from those of you that have experience with  
>> email sending limits.
>>
>> -- 
>> Andy Dorman
>> Ironic Design, Inc.
>> AnteSpam.com, HomeFreeMail.com, ComeHome.net
>> --
>> Horde mailing list - Join the hunt: http://horde.org/bounties/#horde
>> Frequently Asked Questions: http://horde.org/faq/
>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>
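
A sketch of the limits discussed in this thread, added here as an example; it is not code from any poster or from Horde. It counts recipients per 24-hour block as Andy describes, uses Kevin's figures (50 per message, 200 per day) and alerts once when the daily limit is hit; the class, its methods and the in-memory dictionary standing in for memcached are assumptions.

```python
import time

# Limits are the figures quoted in the thread; everything else is hypothetical.
MAX_RCPT_PER_MESSAGE = 50
MAX_RCPT_PER_DAY = 200
WINDOW_SECONDS = 24 * 3600


class SendLimiter:
    """Per-message and per-24-hour recipient limits with a one-time admin alert."""

    def __init__(self, alert, clock=time.time):
        self.alert = alert    # callable(user, count), e.g. mail the admin address
        self.clock = clock    # injectable so the 24-hour window can be tested
        self.counters = {}    # user -> [window_start, count, alerted]; stand-in for memcached

    def _window(self, user):
        now = self.clock()
        state = self.counters.get(user)
        # Emulate a cache entry with a 24-hour TTL: an expired counter starts over.
        if state is None or now - state[0] >= WINDOW_SECONDS:
            state = [now, 0, False]
            self.counters[user] = state
        return state

    def check(self, user, recipients):
        """Return (allowed, reason); only accepted messages add to the daily count."""
        # Deduplicate so repeating one address does not change the count.
        unique = {r.strip().lower() for r in recipients if r.strip()}
        if not unique:
            return False, "no recipients"
        if len(unique) > MAX_RCPT_PER_MESSAGE:
            return False, "too many recipients in one message"
        state = self._window(user)
        if state[1] + len(unique) > MAX_RCPT_PER_DAY:
            if not state[2]:
                # Alert once per window so a retrying client cannot flood the admin.
                state[2] = True
                self.alert(user, state[1])
            return False, "daily limit reached"
        state[1] += len(unique)
        return True, "ok"
```

With a real memcached backend the counter update has to be an atomic increment, otherwise parallel sessions for one account can each pass the check before any of them records its recipients.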
