Educause Security Discussion mailing list archives

Outbound spam control


From: Andy Hooper <hooper () POST QUEENSU CA>
Date: Tue, 13 Jun 2006 12:09:42 -0400

We have inbound spam reasonably well controlled with Barracuda "appliances", but have had a couple of incidents 
recently where compromised PCs used our central mail server to distribute outgoing spam. This resulted in the mail 
server being put on a black list used by some large residential service providers. We were able to get it unlisted 
within a day, but there was a good bit of effort taken in responding to complaints about rejected mail. We are also 
concerned about the potential for more severe incidents in the future -- with about 14,000 active machines on our 
network, including ResNet, another compromise is virtually a certainty.

The options we have come up with are:

- Use a Barracuda unit to scan outbound mail. This would need a process to deal with false positives, such as 
quarantining. We currently use tagging, not quarantining, on inbound, so this would be a new process to introduce and 
explain.

- Use submission rate limiting on the mail server.

- Prepare an emergency mail relay server through which outbound mail could be rerouted in the event the main server IP 
address is black listed. There is a long reaction time with this.

If you have done something to address this problem, we would appreciate hearing what you have done.

- Andy Hooper - Queen's University at Kingston -
