[imp] May be our horde installation was used for spam

Paul A Sand pas at unh.edu
Mon May 23 10:08:22 UTC 2011


* Götz Reinicke - IT-Koordinator <goetz.reinicke at filmakademie.de> [2011-05-23 04:30]:
> hmmm... do you have any hint for me how to find the userid?

We use the method described here:

    http://www.mail-archive.com/imp@lists.horde.org/msg04736.html

> How may I limit the number of messages a user may send? :-)

I wish we had a better solution, but this is what we have now:

Our experience is that the bad guys have an unusually large number of
recipients per message. We added a check_data rule to sendmail.cf to
quarantine such messages.  (Quarantining is a relatively recent
sendmail feature.)

Unfortunately, this quarantines a lot of valid messages too (in
our case); some innocent people like to send mail to lots of recipients.
So we *also* have mechanisms to auto-dequarantine innocuous messages, saving
more suspicious ones for sysadmin inspection.

All this took some tuning and scripting. But we were desperate, because
way too many of our users aren't very good at detecting phishing.

-- 
-- Paul A. Sand                 | Three things are certain:
-- University of New Hampshire  | Death, taxes, and lost data.
-- pas at unh.edu                  | Guess which has occurred.
-- http://pubpages.unh.edu/~pas |     (David Dixon)
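
The recipients-per-message heuristic described in the message above can also be run over existing logs. This is an added example, not part of the original post or the poster's scripts: it reads the `nrcpts=` field from sendmail maillog `from=` lines. The log lines are constructed, and the threshold of 50, the repeat count and the verdict names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sendmail maillog lines (not real data). Only the "from=" line
# of each message carries nrcpts=, the number of envelope recipients.
SAMPLE_LOG = """\
May 23 04:11:02 mail sendmail[2101]: p4N8B2aa002101: from=<alice@example.edu>, size=1840, class=0, nrcpts=3, msgid=<1@example.edu>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
May 23 04:11:03 mail sendmail[2103]: p4N8B2aa002101: to=<bob@example.org>, delay=00:00:01, mailer=esmtp, stat=Sent
May 23 04:12:40 mail sendmail[2110]: p4N8Ceab002110: from=<carol@example.edu>, size=2210, class=0, nrcpts=95, msgid=<2@example.edu>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
May 23 04:12:55 mail sendmail[2114]: p4N8Ctac002114: from=<carol@example.edu>, size=2207, class=0, nrcpts=98, msgid=<3@example.edu>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
May 23 04:20:09 mail sendmail[2130]: p4N8K9ad002130: from=<dave@example.edu>, size=5120, class=0, nrcpts=60, msgid=<4@example.edu>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
"""

# Queue ID, envelope sender and recipient count from a "from=" log line.
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<sender>[^>,]*)>?,"
    r".*?\bnrcpts=(?P<nrcpts>\d+)"
)


def high_recipient_messages(log_text, threshold=50):
    """Return (queue_id, sender, nrcpts) for messages at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        m = FROM_LINE.search(line)
        if m and int(m.group("nrcpts")) >= threshold:
            hits.append((m.group("qid"), m.group("sender"), int(m.group("nrcpts"))))
    return hits


def triage(log_text, threshold=50, repeat=2):
    """Group flagged messages by sender. A sender with `repeat` or more
    flagged messages is marked for sysadmin inspection; a single large
    mailing is reported separately (assumed criterion, tune per site)."""
    by_sender = defaultdict(list)
    for qid, sender, nrcpts in high_recipient_messages(log_text, threshold):
        by_sender[sender].append((qid, nrcpts))
    return {
        sender: {
            "verdict": "inspect" if len(msgs) >= repeat else "single-large-mailing",
            "messages": msgs,
        }
        for sender, msgs in by_sender.items()
    }


if __name__ == "__main__":
    for sender, info in triage(SAMPLE_LOG).items():
        print(sender, info["verdict"], info["messages"])
```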
