From: "Ted Mittelstaedt"
To: "Brennan Stehling"
Subject: RE: outgoing spam detection
Date: Sat, 14 Jul 2001 13:40:33 -0700

One thing that is very characteristic of a spam run through a mailserver
is lots and lots of failed deliveries to bogus addresses. Spammers aren't
real particular about what they send to as long as it looks like an e-mail
address.

Generally, if you watch your mail queue and see a sudden and giant jump of
spooled messages, that's a good indication of a mailing problem like a spam
run. You could even write a cron job that ran the mailq command once an
hour and notified you if you had more than, say, 100 queued messages.

You might also consider that the thrust of anything you do to detect misuse
from your own users should be detection, not prevention.
You don't want a spammer on your network even if they are using someone
else's mailserver on the Internet. If you lock down your own server then it
just encourages the abusers to find someone else's server on the Internet to
blow crud through. Better to make it as easy as possible for your own users
to spam through your own mailserver; in conjunction with close inspection of
what your mailserver is doing, it will be much more effective at identifying
the troublemakers so you can throw them off the server (or prosecute). The
last thing you want is to push them underground; it just makes it harder to
root them out. After all, we aren't talking about real intelligent people
here. :-)

Ted Mittelstaedt tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Brennan
>Stehling
>Sent: Saturday, July 14, 2001 8:27 AM
>To: freebsd-questions@FreeBSD.ORG
>Subject: outgoing spam detection
>
>
>Is there an existing way to detect outgoing spam from a server?
>
>I run a FreeBSD server with qpopper and sendmail and would like to detect
>if people are sending out large amounts of mail that could be considered
>spam. I think it would also be useful to block this behavior
>automatically by limiting a user to only 20 to 100 messages a day, or
>maybe 3 a minute. This way I can be sure my server is not being misused
>by my own users. It may also be useful to have a user by user quota so I
>can adjust the bar for each user.
>
>I just updated my RBL lists for Sendmail...
>
>http://www.ordb.org/faq/#sendmail
>
>...and I would like to take it this extra step. Perhaps if there is no
>system to do what I am asking, I could put something together to make this
>happen.
>
>Brennan Stehling - software developer and system administrator
>  my projects:
>  home.offwhite.net (free personal hosting)
>  www.greasydaemon.com (bsd search)
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
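
The hourly mailq check suggested in the reply above, written out as an added example that is not part of either message. It goes one step further than the suggestion by also tallying the senders found in the queue. The sendmail mailq layout it parses, the script path in the crontab comment, and the sample queue listing are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: hourly mail-queue watch for a sendmail host, run from cron.
THRESHOLD=${THRESHOLD:-100}   # the "say, 100" figure from the message

# Sum the "(N requests)" counts in mailq output on stdin; empty queue gives 0.
queue_count() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^\([0-9]+$/ && $(i + 1) ~ /^requests?\)$/)
                total += substr($i, 2)
    } END { print total + 0 }'
}

# Tally envelope senders. Assumes the sendmail layout where a queue entry
# starts in column 1 with the queue ID and has the sender as field 7.
top_senders() {
    awk '/^[A-Za-z0-9]/ && NF >= 7 { n[$7]++ }
         END { for (s in n) print n[s], s }' | sort -rn | head -5
}

# Read mailq output on stdin; print a report only when over the threshold.
check_queue() {
    out=$(cat)
    count=$(printf '%s\n' "$out" | queue_count)
    [ "$count" -gt "$THRESHOLD" ] || return 0
    echo "mail queue holds $count messages (threshold $THRESHOLD)"
    echo "most frequent senders in the queue:"
    printf '%s\n' "$out" | top_senders
}

# Constructed sample of mailq output (not from a real host), for dry runs.
sample_mailq() {
    cat <<'EOF'
                Mail Queue (3 requests)
--Q-ID-- --Size-- -----Q-Time----- ------------Sender/Recipient------------
NAA00101     2210 Sat Jul 14 13:01 <bulk@example.org>
                 (Deferred: Host unknown)
                                   <nobody1@example.net>
NAA00102     2210 Sat Jul 14 13:01 <bulk@example.org>
                                   <nobody2@example.net>
NAA00103      812 Sat Jul 14 13:05 <alice@example.org>
                                   <bob@example.com>
EOF
}

# cron mails any output to the crontab owner, so printing is the notification.
# Hypothetical crontab entry: 0 * * * * /usr/local/sbin/mailq-watch.sh --cron
if [ "${1:-}" = "--cron" ]; then mailq | check_queue; fi
```

A dry run against the constructed listing is `sample_mailq | THRESHOLD=2 check_queue` after sourcing the file.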