[horde] Email Send Limits To Discourage Spamming

Kevin Konowalec webadmin at ualberta.ca
Thu Mar 19 18:03:53 UTC 2009 

Yes you can do this at the MTA level.  The reason we do it at the  
horde level is that a different group is in charge of the central  
mailservers here so it's a bit more cumbersome.  Doing it through  
horde is fast and easy and that means we don't have to bug the mail  
admins every time we get a compromised spam account.

K



On Mar 19, 2009, at 11:00 AM, Joseph Yee wrote:

> You can configure it at MTA (Sendmail can do it) too.  About if  
> limit is necessary? It's a must, even Gmail set it.
>
> Cheers,
> Joseph
>
> On 19-Mar-09, at 12:32 PM, Kevin Konowalec wrote:
>
>> Hi Andy,
>>
>> This is exactly the problem we were facing.  What I did is I set  
>> the per-message recipient limit to 50 and the per-day send total  
>> limit to 200 using Horde's built-in permissions.  The rationale was  
>> that anyone sending more than that should not be using the web mail  
>> client - they should be using our mailman bulk mailer.  We've found  
>> this works pretty well (with only a handful of people getting  
>> caught by it that are legitimate... but when it happens we tell  
>> them how to use the mailman server and send them on their way.
>>
>> What I also had to do, though, was to write a hook that sends an  
>> email to the horde admin address when a user hits the 200 message  
>> limit.  I send the contents of the a few fields in the prefs as  
>> well  that the spammers like to hide their payload in so we can  
>> tell right away if it's a legit user or a spammer.  We've found  
>> this to be pretty effective... though granted they can get as many  
>> as 200 spam messages sent out that's the maximum they will be able  
>> to send since not only does horde prevent them from sending any  
>> more for a certain length of time but by the time their time in the  
>> penalty box expires our admins have investigated and disabled the  
>> compromised account.
>>
>>
>> Kevin
>>
>>
>> On Mar 19, 2009, at 9:51 AM, Andy Dorman wrote:
>>
>>> We are about to re-open our webmail service for public sign ups  
>>> and I was wondering if anyone in the group has any thoughts about  
>>> reasonable limits for sending emails?
>>>
>>> FWIW, we actually opened the service up three weeks ago with no  
>>> sending limits.  That was a BIG mistake.  Within a week the  
>>> spammers found us and in the space of a few hours sent over 144  
>>> thousand bank scam emails and got us blacklisted by just about  
>>> everyone.
>>>
>>> So before we allow more public sign ups we will have max limits on  
>>> recipients per email and per 24 hour period.
>>>
>>> Has anyone else found it necessary to set limits?  And if so, what  
>>> limits have you found effective in slowing the spammers without  
>>> upsetting too many of your good users?
>>>
>>> Also, will anyone be interested in the code we used for blocking  
>>> sending per email and per time?  Since we use OpenLDAP and  
>>> Memcachd already, we elected to use prefs (that are locked/not  
>>> adjustable by the user and can be loaded from LDAP) to set default  
>>> and per-address limits and memcache to track the recipients sent  
>>> to per 24 hr block.
>>>
>>> If anyone is interested, I would be happy to either send in the  
>>> actual code (not much was needed thanks to how Horde/imp is  
>>> already set up) or figure out how to do a patch against the  
>>> current CVS code (we use Bazaar).
>>>
>>> Thanks for any thoughts from those of you that have experience  
>>> with email sending limits.
>>>
>>> -- 
>>> Andy Dorman
>>> Ironic Design, Inc.
>>> AnteSpam.com, HomeFreeMail.com, ComeHome.net
>>> --
>>> Horde mailing list - Join the hunt: http://horde.org/bounties/#horde
>>> Frequently Asked Questions: http://horde.org/faq/
>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>
>>
>> --
>> Horde mailing list - Join the hunt: http://horde.org/bounties/#horde
>> Frequently Asked Questions: http://horde.org/faq/
>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>
> --
> Horde mailing list - Join the hunt: http://horde.org/bounties/#horde
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>

More information about the horde mailing list