From: Cassidy Larson (alandaluzgmail.com)
Date: Tue Oct 26 2010 - 19:21:19 CDT

We had an incident today where we had a user with a compromised
machine. Their email/pass made it back to some botnet which proceeded
to SASL auth to our mail servers and send numerous spam messages from
many different hosts. The spamming hosts didn't trigger our
smtpd_client_recipient_rate_limit setting, because of the many
different hosts (all with the same SASL user authenticated) that they

This got me wondering if there's any easy way to have anvil report
stats based on the authenticated SASL username, in addition to the
remote IP address?

This would help me prevent/monitor potential addresses that are being
used by a botnet system to relay mails through my mail server.

Or even better if there was a way to make a similar feature like the
"smtpd_client_recipient_rate_limit" setting that'd
match/restrict/prevent based on the authenticated SASL username?
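
The gap described in this message (per-IP limits miss one SASL account used from many hosts) can be watched for in the mail log. The following is an added example, not part of the original post and not Postfix code: it assumes the `client=...[ip], sasl_method=..., sasl_username=...` line that Postfix smtpd logs for authenticated clients, and the sample lines, the function name and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format Postfix smtpd writes for an
# authenticated client (not taken from the original post).
SAMPLE_LOG = """\
Oct 26 19:00:01 mx1 postfix/smtpd[2101]: 3F1A12C0: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.org
Oct 26 19:00:30 mx1 postfix/smtpd[2102]: connect from unknown[198.51.100.7]
Oct 26 19:01:15 mx1 postfix/smtpd[2102]: 4A2B13D1: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.org
Oct 26 19:02:40 mx1 postfix/smtpd[2103]: 5B3C14E2: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.org
Oct 26 19:03:05 mx1 postfix/smtpd[2104]: 6C4D15F3: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=alice@example.org
Oct 26 19:03:20 mx1 postfix/smtpd[2105]: 7D5E1604: client=office.example.net[192.0.2.200], sasl_method=PLAIN, sasl_username=bob@example.org
Oct 26 19:04:30 mx1 postfix/smtpd[2106]: 8E6F1715: client=unknown[203.0.113.21], sasl_method=LOGIN, sasl_username=alice@example.org
Oct 26 19:05:10 mx1 postfix/smtpd[2105]: 9F701826: client=office.example.net[192.0.2.200], sasl_method=PLAIN, sasl_username=bob@example.org
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/smtpd\[\d+\]:\s\w+:\s"
    r"client=\S*\[(?P<ip>[^\]]+)\],.*\bsasl_username=(?P<user>\S+)"
)

def flag_shared_credentials(lines, max_hosts=3, window=timedelta(minutes=10), year=2010):
    """Return {sasl_username: [ips]} for accounts seen from more than
    max_hosts distinct client IPs inside any sliding time window."""
    events = defaultdict(list)  # user -> [(timestamp, ip)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authenticated-client line
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["user"]].append((ts, m["ip"]))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events older than the window
            ips = {ip for _, ip in evs[start:end + 1]}
            if len(ips) > max_hosts and len(ips) > len(flagged.get(user, ())):
                flagged[user] = ips
    return {user: sorted(ips) for user, ips in flagged.items()}

if __name__ == "__main__":
    for user, ips in flag_shared_credentials(SAMPLE_LOG).items():
        print(f"{user}: {len(ips)} distinct hosts -> {', '.join(ips)}")
```

Counting distinct hosts per username, rather than recipients per host, is what separates the botnet pattern above from a single busy client such as the constructed `bob@example.org` entries.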