
Recently we've had a spate of "spear-phishing" attacks that many of our users have fallen for, and as a result our automated scripts are running at full steam locking accounts that have been compromised and are sending out spam.

This morning I spent 2 hours dealing with one in particular that seemed to still be sending mail even after the account had been locked and authentication had then been (deliberately) broken altogether. It turned out the problem was a huge backlog of deferred messages that Postfix was diligently trying to re-send. As a result I will be updating our script to purge the queues of accounts that it locks, to hopefully cut down on the amount of spam that gets sent out before they're detected.

What I'd like to do now is to configure Postfix to automatically defer messages based on certain criteria, such as the number of intended recipients. If it's a legit message it will go out after a delay, but if the account is seen to be sending spam we've got a better chance of catching and deleting it before it gets sent.

Is there a way that I can configure Postfix to defer any message that arrives and exceeds a certain threshold of intended recipients (or other criteria)?

Kromey
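
The queue purge described in the post, as an added shell example (this is not the asker's script or anything else from the thread). It parses `postqueue -p` (the same listing `mailq` prints), picks out the queue IDs whose envelope sender is the locked account, and feeds them to `postsuper`. The function names and the sample queue listing are constructed for illustration; the listing follows the standard `postqueue -p` layout (a header line, then one blank-line-separated record per message, with `*` marking an active entry and `!` a held one).

```shell
#!/bin/sh
# queue_ids_for_sender ADDRESS  < output-of-postqueue-p
# Print the queue ID of every queued message whose envelope sender is ADDRESS.
queue_ids_for_sender() {
    # tail drops the "-Queue ID- ..." header; awk then reads one
    # blank-line-separated record per message (RS=""), in which newlines also
    # separate fields, so the first line of each record gives:
    #   $1 queue ID (plus "*" if active, "!" if held), $2 size,
    #   $3-$6 arrival time, $7 envelope sender; recipients follow as $8...
    tail -n +2 | awk -v sender="$1" '
        BEGIN { RS = "" }
        $1 ~ /^[0-9A-Za-z]+[*!]?$/ && tolower($7) == tolower(sender) {
            sub(/[*!]$/, "", $1)
            print $1
        }'
}

# Delete (or hold, which is reversible with postsuper -H) everything the locked
# account still has queued.  postsuper must run as root.
purge_sender() { postqueue -p | queue_ids_for_sender "$1" | postsuper -d -; }
hold_sender()  { postqueue -p | queue_ids_for_sender "$1" | postsuper -h -; }

# Constructed sample of postqueue -p output, used only to demonstrate the
# parser offline (no real queue data).
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     4321 Sun Oct 12 03:10:01  user@example.com
                                          victim1@example.net
                                          victim2@example.org

F6E5D4C3B2!     1234 Sun Oct 12 03:11:17  other@example.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                          someone@example.net

3Mz7xQ2Xy4zK8Rw 9876 Sun Oct 12 03:12:40  USER@example.com
                                          victim3@example.net

-- 15 Kbytes in 3 Requests.'

# Demo: prints A1B2C3D4E5 and 3Mz7xQ2Xy4zK8Rw (the sender match is
# case-insensitive, and the active flag is stripped so postsuper accepts the ID).
printf '%s\n' "$SAMPLE_QUEUE" | queue_ids_for_sender user@example.com
```

One caveat for the compromised-account case: this keys on the envelope sender, which a spammer using a stolen SASL login can set to anything unless Postfix is configured to tie it to the login (`smtpd_sender_login_maps` together with `reject_sender_login_mismatch`). Without that, select the queue IDs from the `sasl_username=` entries in the mail log instead of from the sender column. Holding rather than deleting also leaves a way back if the lock turns out to be a false positive.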

1 Answer

This is not possible with vanilla Postfix. It is designed to send mail, not to analyze outgoing mail before sending it.

If you need something like that, then you have to introduce an external policy filter. One of them is policyd (http://wiki.policyd.org/features), which provides exactly what you want: quotas, accounting and ACLs.

mailq
  • Well, not the answer I was hoping for; since the server's actually a turnkey appliance, adding software to it isn't really an option, and even reconfiguring Postfix was really pushing it. Oh well. – Kromey Oct 10 '14 at 18:39
  • @Kromey A strange but acceptable workaround is to log entries to a central syslog server. There you analyze the flow of mails. If it gets suspicious, disable the login for that user. Or apply firewall rules (as long as you are allowed to do that on the appliance). – mailq Oct 11 '14 at 20:00
  • That's pretty much what our existing script does, it analyzes syslog for (very specific) suspicious activity. In practice it quite often locks an account within 5-10 minutes of the first spam message, but it's shocking how much can go out in so short a time! I was hoping to be able to delay what does go out long enough to analyze the behavior and thus be able to delete them from the queue before they're sent. – Kromey Oct 12 '14 at 03:12