[Mimedefang] Access to sendmail macro client_addr
rlaager at wiktel.com
Mon May 5 15:03:37 EDT 2014
On Mon, 2014-05-05 at 11:03 -0600, Mark Costlow wrote:
> We've found that this approach works and is valuable, although it has
> been tricky to determine what a "safe" number of IPs is to allow. In
> particular, smartphones roaming around the city tend to look like they
> are connecting from many IPs. We eventually changed the comparison to
> consider the number of /24 subnets the IPs were from, which helped.
> (I.e. 22.214.171.124, 126.96.36.199, and 188.8.131.52, all
> count as being from a single subnet).

Thanks to both you and the OP for sharing this interesting idea. I'll
definitely keep this in mind. Here's a bit on a technique we've used:

To quarantine phished accounts, we've implemented something that tracks
the number of new recipients a given sender sends mail to. If that
exceeds a limit over the last (i.e. rolling window of) 72 hours, then
we lock out the account.

This works remarkably well. I don't think we've ended up on a block list
since, and there have been very few false positives. We've hit a few
people sending to 200 recipients from Outlook. We've been able to
address that by moving them to a mailing list system, which I think is
the right answer for that anyway.
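
The rolling-window check described in the reply above, sketched as an added example; it is not code from the post or from MIMEDefang. The limit of 100, the reading of "new" as a recipient this sender has never mailed before, and every address in the sample traffic are assumptions or constructed data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)  # rolling window named in the post
LIMIT = 100                   # assumed threshold; the post does not give its limit

class NewRecipientTracker:
    """Per sender, count recipients mailed for the first time within the window."""
    def __init__(self, window=WINDOW, limit=LIMIT):
        self.window, self.limit = window, limit
        self.known = defaultdict(set)     # sender -> every recipient ever seen
        self.firsts = defaultdict(deque)  # sender -> timestamps of first contacts
        self.locked = set()

    def record(self, sender, recipients, when):
        """Record one message (time-ordered input); True if sender is locked out."""
        sender = sender.lower()
        firsts = self.firsts[sender]
        for rcpt in {r.strip().lower() for r in recipients}:
            if rcpt not in self.known[sender]:
                self.known[sender].add(rcpt)
                firsts.append(when)
        while firsts and firsts[0] <= when - self.window:
            firsts.popleft()              # first contact aged out of the window
        if len(firsts) > self.limit:
            self.locked.add(sender)       # stays locked until an admin clears it
        return sender in self.locked

def replay(events, limit=LIMIT):
    """Replay (sender, recipients, when) tuples; return the set of locked senders."""
    tracker = NewRecipientTracker(limit=limit)
    for sender, recipients, when in sorted(events, key=lambda e: e[2]):
        tracker.record(sender, recipients, when)
    return tracker.locked

def constructed_events():
    """Constructed sample traffic, not real mail logs."""
    t0, hour = datetime(2014, 5, 1, 9, 0), timedelta(hours=1)
    team = ["a@example.org", "b@example.org", "c@example.org"]
    events = [("alice@example.com", team, t0 + i * hour) for i in range(120)]
    # carol: 60 new contacts, then 60 more 96 hours later (first batch has aged out)
    for batch, start in ((0, t0), (1, t0 + 96 * hour)):
        rcpts = [f"client{batch}-{n}@example.net" for n in range(60)]
        events.append(("carol@example.com", rcpts, start))
    # bob (phished account): 10 messages in 10 minutes, 20 fresh recipients each
    for m in range(10):
        rcpts = [f"rcpt{m}-{n}@example.org" for n in range(20)]
        events.append(("bob@example.com", rcpts, t0 + timedelta(minutes=m)))
    return events
```

Calling replay(constructed_events()) locks only the bob account: alice keeps mailing the same three people, and carol's two batches of 60 never fall inside the same 72 hours.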