SASL relay alerts

So, I've done some searches and reviewed the mailing list and don't find much...
[Though effectively searching this "topic" is difficult, so it's certainly possible I've missed something...]

For example, lfd/csf allow you to track that user "X" sent Y piece of mail, and it will alert you.
Now I suppose I could set up csf/lfd on the particular postfix install, but I'm not sure if it's really the easiest/best solution for what I intend.

Essentially, I'm trying to defend against a compromised SASL user being used for spam relaying. [Or perhaps even a stupid user spamming intentionally.]

[All that said, this has happened far less than it used to - I'm not sure if spammers are taking other tactics, or if we're just getting stations "p0wned" less often.]

I know I could 'hard limit' using something like policyd or postfwd and like tools. And that might be appropriate for some very high threshold.
But I'd like to get alerts - probably via email - when lower thresholds are passed.

There are suggestions on monitoring the queue - and those could be successful in the past - but in recent years, not so much. The spammers use the accounts at much lower volumes - instead of dropping 40K messages in the queue all at once, they dole them out a few hundred at a time. So, the queue may never see that many messages all at once.

A more effective alert would likely be one that tracks total messages, say every 24h [or some other arbitrary measure], and alerts when a single SASL user sends more than [for example] 500 messages, and blocks at, say, 5000 messages.

Any suggestions on where to look for these features? (Or is this really not available, and we're talking a "build your own" with something like swatch etc?)
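
The per-user count over 24 hours described in the post can be sketched as a log scan. This is an added example, not part of the original post and not code from Postfix or any tool named above. It assumes the standard Postfix smtpd syslog line carrying `sasl_username=`, counts messages rather than recipients, and leaves the alert mail and the block action to the caller; the function names and sample log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Postfix smtpd logs one such line per message accepted from an authenticated client.
SASL_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/\S*smtpd\[\d+\]:\s"
    r"(?P<qid>[0-9A-Za-z]+):\sclient=\S+,.*\bsasl_username=(?P<user>[^\s,]+)"
)

def parse_ts(stamp, now):
    """Syslog stamps carry no year: assume the current one, roll back if in the future."""
    ts = datetime.strptime(f"{now.year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts.replace(year=now.year - 1) if ts > now else ts

def count_sasl_senders(lines, now, window=timedelta(hours=24)):
    """Count accepted messages per SASL user inside the window ending at `now`."""
    counts = Counter()
    for line in lines:
        m = SASL_LINE.match(line)
        if m and now - parse_ts(m["ts"], now) <= window:
            counts[m["user"]] += 1
    return counts

def classify(counts, alert_at=500, block_at=5000):
    """Return {user: 'alert' | 'block'} using the example thresholds from the post."""
    return {user: ("block" if n >= block_at else "alert")
            for user, n in counts.items() if n > alert_at}

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "Mar  8 07:00:00 mx1 postfix/smtpd[1999]: 1A2B3C4D5E: client=unknown[203.0.113.7], "
    "sasl_method=LOGIN, sasl_username=alice@example.com",   # older than 24h
    "Mar 10 09:00:01 mx1 postfix/smtpd[2101]: 3A1B2C4D5E: client=unknown[203.0.113.7], "
    "sasl_method=LOGIN, sasl_username=alice@example.com",
    "Mar 10 09:00:09 mx1 postfix/submission/smtpd[2102]: 3A1B2C4D60: "
    "client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.com",
    "Mar 10 09:05:00 mx1 postfix/smtpd[2101]: 4B2C3D5E6F: "
    "client=mail.example.net[198.51.100.9]",                # unauthenticated, ignored
    "Mar 10 10:30:00 mx1 postfix/smtpd[2103]: 5C3D4E6F70: client=unknown[203.0.113.7], "
    "sasl_method=LOGIN, sasl_username=alice@example.com",
    "Mar 10 11:00:00 mx1 postfix/smtpd[2104]: 6D4E5F7081: client=unknown[192.0.2.44], "
    "sasl_method=PLAIN, sasl_username=bob@example.com",
]

if __name__ == "__main__":
    now = datetime(2024, 3, 10, 12, 0, 0)
    # Tiny thresholds so the six sample lines trigger something.
    print(classify(count_sasl_senders(SAMPLE_LOG, now), alert_at=1, block_at=3))
```

Run from cron over the current and rotated mail log, the returned mapping tells the caller whom to mail an alert about and whom to hand to a blocking mechanism.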