SASL relay alerts


So, I've done some searches and reviewed the mailing list and don't find much...
[Though effectively searching this "topic" is difficult, so it's certainly possible I've missed something...]

For example, lfd/cfs allow you to track that user "X" sent Y piece of mail, and it will alert you.
Now I suppose I could set up cfs/lfd on the particular postfix install, but I'm not sure if it's really the easiest/best solution for what I intend.

Essentially, I'm trying to defend against a compromised SASL user being used for spam relaying. [Or perhaps even a stupid user spamming intentionally.]

[All that said, this has happened far less than it used to - I'm not sure if spammers are taking other tactics, or if we're just getting stations "p0wned" less often.]

I know I could 'hard limit' using something like policyd or postfwd and like tools. And that might be appropriate for some very high threshold.
But I'd like to get alerts - probably via email - when lower thresholds are passed.

There are suggestions on monitoring the queue - and those could be successful in the past - but in recent years, not so much. The spammers use the accounts at much lower volumes - instead of dropping 40K messages in the queue all at once, they dole them out a few hundred at a time. So, the queue may never see that many messages all at once.

A more effective alert would likely be one that tracks total messages, say every 24h [or some other arbitrary measure], and alerts when a single SASL user sends more than [for example] 500 messages, and blocks at, say, 5000 messages.

Any suggestions on where to look for these features? (Or is this really not available, and we're talking a "build your own" with something like swatch etc?)
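
Added example, not part of the original post: a "build your own" sketch of the per-user rolling count described above, reading Postfix smtpd log lines and flagging SASL users that pass an alert or block threshold within 24 hours. Assumptions: the standard `sasl_username=` smtpd log line, one line per accepted message (recipients are not counted), and the hypothetical names `scan` and `constructed_log`; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# smtpd logs one line like this for each message accepted from an
# authenticated client (the pattern also matches postfix/submission/smtpd).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"[0-9A-Za-z]+: client=\S+.*\bsasl_username=(?P<user>[^\s,]+)")

def scan(lines, year, alert_at=500, block_at=5000, window=timedelta(hours=24)):
    """Map each SASL user to 'alert' or 'block' if a rolling window was exceeded."""
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    state = {}
    for line in lines:  # each user's lines must be in chronological order
        m = LINE_RE.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["user"]]
        q.append(ts)
        while ts - q[0] > window:  # drop messages older than the window
            q.popleft()
        if len(q) >= block_at:
            state[m["user"]] = "block"
        elif len(q) > alert_at:
            state.setdefault(m["user"], "alert")  # never downgrade a block
    return state

def constructed_log():
    """Constructed sample lines (not real traffic): (user, count, minutes apart)."""
    plan = [("alice@example.com", 2, 600), ("bob@example.com", 5, 30),
            ("carol@example.com", 4, 1440), ("mallory@example.com", 7, 10)]
    start, out = datetime(2024, 1, 10, 8, 0, 0), []
    for user, count, gap in plan:
        for i in range(count):
            ts = (start + timedelta(minutes=gap * i)).strftime("%b %d %H:%M:%S")
            out.append(f"{ts} mx postfix/smtpd[2101]: 4A1B2C{i:04X}: "
                       f"client=host.example[192.0.2.10], sasl_method=PLAIN, "
                       f"sasl_username={user}")
    # A line without sasl_username must be ignored by the scanner.
    out.append("Jan 10 08:00:00 mx postfix/smtpd[2101]: connect from host.example[192.0.2.10]")
    return out

if __name__ == "__main__":
    # Small thresholds so the constructed sample crosses them.
    for user, level in scan(constructed_log(), 2024, alert_at=3, block_at=6).items():
        print(level, user)
```

The slow-drip sender (`carol`, one message a day) never trips the window, while the low-volume burst senders do, which is the case queue-size monitoring misses.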