Re: Filtering outgoing email

[Steve Bohrer <skbohrer () SIMONS-ROCK EDU>]

Hi Joe,

I realize it's been a few months since your message to the security
list, but I'd flagged it when I first read it, and just now got back
to it. I'd love to see your bounce-counting script for detecting
spamming accounts. Strikes me as a clever and elegant approach, and
also seems easy to implement for a small school that doesn't have
much in the way of monitoring.

I'm actually the help desk at Simon's Rock, and am in the process of
moving into network support, but I'll pass your script to our sysadmin.

Thanks,

Steve Bohrer
ITS User Services,
Bard College at Simon's Rock
413-528-7645

On Jun 23, 2009, at 10:46 AM, Joe Vieira wrote:

> We do two things here.
>
> Both of which work VERY well, both are free and have been super
> reliable.
>
> the first of which is http://code.google.com/p/anti-phishing-email-
> reply/ the use of this. We loop outgoing mail thru another postfix
> instance to filter based off this project's list of phishing reply
> addresses. If you mail to a known phisher, your mail gets dropped.
> good protection.
>
> the second is a script that runs a looks for a high number of
> bounced messages, a sure sign that you're spamming. if you exceed
> the threshold your account gets locked and you can't send more
> mail. to stop the bleeding. We have only had one compromised
> account since we put the anti-phishing reply stuff in place, and it
> was caught and cleaned automatically less than an hour after it
> happened, we sent less than 1000 spam's which is pretty dang good.
>
> if anyone is interested in using either of these processes, I'm
> happy to share code / set up instructions.
>
> Joe Vieira
> Manager Systems Administration
> Clark University - ITS
>
> Gregg, Christopher S. wrote:
> > We're using MailMarshal to watch for spikes in e-mail traffic, and
> > we're moving forward with plans to filter outbound e-mail in
> > general using the tool as well.  The thinking is that it will add
> > two additional checks against phishing schemes.  One, it might
> > catch the initial response to the phishing e-mail (because no
> > amount of education seems to be able to stop all responses) and
> > two, it should help stop or slow the use of the compromised
> > account to send spam.  Our testing has shown that we will catch a
> > small amount of legitimate (human sent, non-spam) traffic each day
> > with such a solution, but it does not appear to be critical
> > business or academic related content.
> >
> > I think a couple of years ago our community would have been
> > hesitant to filter outgoing mail, but with all of the phishing and
> > being blacklisted by various providers over the last 12-24 months
> > I think people will be OK now.
> >
> > Chris
> >
> > Chris Gregg
> > Director of Information Technology
> > Information Resources and Technologies
> > University of St. Thomas
> > 2115 Summit Avenue
> > St. Paul, Minnesota 55105
> > csgregg () stthomas edu