From: John Pettitt (no email)
Date: Tue May 24 2005 - 14:39:17 EDT

As outbound port 25 blocking starts to become prevalent among ISPs, the
zombie armies of spam machines are starting to send via the ISP’s
outbound mail servers. This is going to make many of the rbl lists
obsolete as any per-server filter is too blunt an instrument to filter
this kind of attack.

The obvious place to deal with a hijacked client is at the ISP mail
server – basic rate limiting is one approach. Adaptive rate limiters
would be better but they still won’t solve the problem and run the risk
of upsetting legitimate users (the spike in email caused by the party
invite will always be a problem).

In another life I wrote credit card fraud detection software. One of the
lessons from that business was to look at all the available information.
In an outbound email server it would be really useful to look at the
failure rate. If a given user’s mail was failing much more than the norm
that would probably be a good indicator of a problem. Now we have DSN in
postfix I’d like to suggest another feature: An interface – similar to
the policy daemon interface – that is called when a message fails.
Obviously postfix would do nothing more than notify the policy daemon
that the message failed and pass on the DSN info. However, the
listening daemon could use that information to trigger alerts and/or
rate limits on mail from that outbound user. The interface would need to
pass the message headers and DSN info and the heavy lifting of
figuring out what to do with it would reside in the policy daemon.

N.B. you can do this – sort of – by log watching but it is less than
optimal.

Before I go write a patch to do this are there any comments? Good idea?
Bad idea? Why?

John
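
The log-watching approach mentioned in the N.B., sketched as an added example (not part of the original post and not Postfix code): it joins smtpd `client=` lines to delivery `status=` lines by queue ID and flags clients whose bounce rate is far above the median. Keying on client IP, counting only `bounced` as a failure (deferrals are ignored as not final), the three thresholds and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import Counter
from statistics import median

CLIENT_RE = re.compile(r" ([0-9A-F]{6,}): client=\S*\[([^\]]+)\]")
STATUS_RE = re.compile(r" ([0-9A-F]{6,}): to=<[^>]*>,.*\bstatus=(sent|bounced)\b")
MIN_RCPTS = 20  # assumption: too little mail below this to judge a client
FACTOR = 5.0    # assumption: "much more than the norm" means 5x the median rate
FLOOR = 0.05    # assumption: treat the norm as at least 5% so a 0% median still works

def failure_rates(lines):
    """Return {client_ip: (final_deliveries, bounces)} from Postfix log lines."""
    client_of, total, bounced = {}, Counter(), Counter()
    for line in lines:
        if m := CLIENT_RE.search(line):
            client_of[m.group(1)] = m.group(2)
        elif m := STATUS_RE.search(line):
            ip = client_of.get(m.group(1))
            if ip is None:  # local submission, or the smtpd line was rotated away
                continue
            total[ip] += 1
            bounced[ip] += m.group(2) == "bounced"
    return {ip: (total[ip], bounced[ip]) for ip in total}

def suspects(stats):
    """Clients with enough mail whose bounce rate is far above the median."""
    rates = {ip: b / n for ip, (n, b) in stats.items() if n >= MIN_RCPTS}
    if not rates:
        return []
    limit = FACTOR * max(median(rates.values()), FLOOR)
    return sorted(ip for ip, rate in rates.items() if rate > limit)

def sample_log():
    """Constructed log: two ordinary clients, one with mostly bad recipients."""
    plan = {"192.0.2.10": (38, 2), "192.0.2.11": (29, 1), "192.0.2.66": (12, 48)}
    n = 0
    for ip, (ok, bad) in plan.items():
        for status in ["sent"] * ok + ["bounced"] * bad:
            n += 1
            qid, dsn = f"{n:08X}", "2.0.0" if status == "sent" else "5.1.1"
            yield (f"May 24 14:00:00 mx postfix/smtpd[101]: {qid}: "
                   f"client=host.example.net[{ip}]")
            yield (f"May 24 14:00:01 mx postfix/smtp[201]: {qid}: "
                   f"to=<u{n}@example.org>, relay=mx.example.org[198.51.100.1]:25, "
                   f"delay=1, dsn={dsn}, status={status} (constructed)")

if __name__ == "__main__":
    stats = failure_rates(sample_log())
    print(stats, suspects(stats))
```
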