Re: Non Zimbra question and I hope that is ok if this type of thing is not abused.



I've had great success with a milter I put in place a couple of years ago to do rate-limiting for outbound mail. All messages sent from on-campus machines, including our Zimbra system, get processed by the milter via an MTA box running Sendmail. I've configured it to ignore messages with only one recipient, and to ignore local recipients in the count, which has all but eliminated false positives, even though we cap the limit at only 1000 recipients per day (the milter counts recipients, not messages, making it much more effective against spammers, who tend to send a few messages addressed to 100s or 1000s of recipients). When the rate limit is reached, the messages are still accepted, but are silently quarantined, so the spammer doesn't know we're blocking their mail. As soon as the quarantine queue is non-zero, we get an alert so we can investigate. That allows us to release false-positives quickly (which is rare - a few a year). Since putting in the rate-limiting, our incidence of being blacklisted is way down. It was becoming a regular occurrence but now we just very occasionally find ourselves on smaller blacklists.

Unfortunately the frequency of compromised accounts isn't going down - there's always someone who falls for it. I fear for the day when the phishers are interested in doing more than just sending spam...

----- Original Message -----
> Situation: We have staff/faculty on our campus that don't realize that
> you give out your email login data, including password to phishing
> emails. So we get compromised accounts.
> We are in the works of putting an external MTA (barracuda system) that
> our Zimbra email will be filtered through if it leaves campus. Of
> course this may hit some good emails with the bad ones. Though I
> routinely check to see if we have a rogue account they usually have
> 2-4 hours of uninterrupted time, especially during the night hours
> where they can spam their hearts out.
> 
> Question: What solutions do you use to help in those situations?

-- 
Steve Hillman                                IT Architect
hillman@sfu.ca                               IT Infrastructure
778-782-3960                                 Simon Fraser University
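
The recipient-counting policy described in the message above, as an added Python sketch that is not the poster's milter and uses no milter API. Assumptions not in the post: counts are keyed by envelope sender, "per day" is a rolling 24-hour window, quarantine starts once the count exceeds the cap, and `example.edu` is a constructed stand-in for the campus domain.

```python
from collections import defaultdict, deque

DAILY_LIMIT = 1000               # recipients per sender per day (figure from the post)
WINDOW = 24 * 3600               # assumption: "per day" means a rolling 24-hour window
LOCAL_DOMAINS = {"example.edu"}  # constructed placeholder for the local domain


class RecipientRateLimiter:
    """Counts non-local recipients per sender; over-limit mail is held, not rejected."""

    def __init__(self, limit=DAILY_LIMIT, window=WINDOW, local_domains=LOCAL_DOMAINS):
        self.limit, self.window = limit, window
        self.local = {d.lower() for d in local_domains}
        self.events = defaultdict(deque)  # sender -> deque of (timestamp, recipient count)
        self.totals = defaultdict(int)    # sender -> recipients counted inside the window
        self.quarantine = []              # (timestamp, sender, recipient count) held for review

    def _expire(self, sender, now):
        # Drop counts that have aged out of the window.
        q = self.events[sender]
        while q and q[0][0] <= now - self.window:
            self.totals[sender] -= q.popleft()[1]

    def check(self, sender, recipients, now):
        """Return 'deliver' or 'quarantine'. The sending client sees acceptance either way."""
        sender = sender.lower()
        self._expire(sender, now)
        if len(recipients) <= 1:
            return "deliver"              # single-recipient messages are ignored
        external = [r for r in recipients
                    if r.rsplit("@", 1)[-1].lower() not in self.local]
        if not external:
            return "deliver"              # local recipients never count
        self.events[sender].append((now, len(external)))
        self.totals[sender] += len(external)
        if self.totals[sender] > self.limit:
            # Held messages still count, so a sender who keeps going stays over the cap.
            self.quarantine.append((now, sender, len(external)))
            return "quarantine"
        return "deliver"

    def alert_needed(self):
        # The post's alert condition: the quarantine queue is non-zero.
        return len(self.quarantine) > 0
```

Because the decision is keyed on recipients rather than messages, a handful of messages with hundreds of recipients each reaches the cap quickly, while ordinary one-to-one mail is never counted.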