nanog mailing list archives

Re: Outbound mail filtering on large mail / web server farms - just an idea or two that I have


From: Tony Finch <dot () dotat at>
Date: Tue, 29 Nov 2005 17:35:09 +0000


On Sun, 20 Nov 2005, Suresh Ramasubramanian wrote:

> For extra points you could do smtp auth on the filtered smarthost as well, to
> help you jump on issues faster. Set it up so the user's local uid/gid gets
> used to auth to the remote exim box .. centralized ldap or mysql userdb does
> the trick for that.
>
> That way spammers can't spam out direct through cgis - but people's
> normal email and script generated traffic goes out just fine through
> your filtered gateways.

Our most common successful spam incidents involve exploited
vulnerabilities in web forms. It's difficult for spammers to get email out
of our network, because we block port 25, our MXs only accept incoming
email, and our outgoing relays have names that spammers can't be bothered
to find out. However, web forms come preconfigured, so if the spammer can
exploit it they don't have to know anything about our email setup. Secure
SMTP between the web server and the outgoing relay won't help.

Recent versions of Exim have a rate-limiting feature which I am using to
mitigate this vulnerability - though it's hard to deploy without
disrupting legitimate users.

Tony.
-- 
f.a.n.finch  <dot () dotat at>  http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.
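
The rate-limiting mitigation mentioned in the message above, sketched as an added example that is not part of the original post and is not Exim's code: a per-sender smoothed rate limit on the outgoing relay, run against a constructed abused web form and a constructed normal one. The limit of 10 messages per 60 seconds, the key `www-form` and all class and function names are assumptions; the policy names `leaky` and `strict` are borrowed from the options of Exim's `ratelimit` condition, and the arithmetic is this example's own simplification.

```python
import math


class SmoothedRateLimit:
    """Per-key exponentially smoothed sending rate, in messages per period."""

    def __init__(self, limit, period, strict=False):
        self.limit, self.period, self.strict = limit, period, strict
        self.state = {}  # key -> (time of last recorded message, smoothed rate)

    def over_limit(self, key, now):
        """Return True if the message seen at `now` should be deferred."""
        if key not in self.state:
            rate = 1.0
        else:
            last, old = self.state[key]
            x = max(now - last, 1e-9) / self.period
            decay = math.exp(-x)
            # Blend the instantaneous rate (1/x per period) into the old rate.
            rate = -math.expm1(-x) / x + decay * old
        over = rate > self.limit
        # strict: always record, so continued attempts keep the sender blocked.
        # leaky: record only accepted mail, so the sender is throttled to ~limit.
        if self.strict or not over:
            self.state[key] = (now, rate)
        return over


def accepted(strict, interval, count, limit=10, period=60):
    """Count messages accepted from one sender posting every `interval` seconds."""
    rl = SmoothedRateLimit(limit, period, strict)
    return sum(not rl.over_limit("www-form", i * interval) for i in range(count))


if __name__ == "__main__":
    # Constructed scenarios: an abused form at 1 msg/s, a normal form at 1 per 30 s.
    for name, interval, count in [("abused form", 1, 120), ("normal form", 30, 20)]:
        for strict in (False, True):
            mode = "strict" if strict else "leaky"
            got = accepted(strict, interval, count)
            print(f"{name:12} {mode:6} accepted {got}/{count}")
```

The slow sender is never deferred under either policy, while the abused form is cut off after its first ten messages under `strict` and held to roughly the configured rate under `leaky`.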

