[Mimedefang] Access to sendmail macro client_addr

Richard Laager rlaager at wiktel.com
Mon May 5 15:03:37 EDT 2014


On Mon, 2014-05-05 at 11:03 -0600, Mark Costlow wrote:
> We've found that this approach works and is valuable, although it has
> been tricky to determine what a "safe" number of IPs is to allow.  In
> particular, smartphones roaming around the city tend to look like they
> are connecting from many IPs.  We eventually changed the comparison to
> consider the number of /24 subnets the IPs were from, which helped.
> (I.e. 172.14.89.2, 172.14.89.12, and 172.14.89.119, all
> count as being from a single subnet).

Thanks to both you and the OP for sharing this interesting idea. I'll
definitely keep this in mind. Here's a bit on a technique we've used:

To quarantine phished accounts, we've implemented something that tracks
the number of new recipients a given sender sends mail to. If that
exceeds a limit over the last (i.e. rolling window of) 72 hours, then
we lock out the account.

This works remarkably well. I don't think we've ended up on a block list
since, and there have been very few false positives. We've hit a few
people sending to 200 recipients from Outlook. We've been able to
address that by moving them to a mailing list system, which I think is
the right answer for that anyway.

-- 
Richard
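
Added example, not part of the original message and not the poster's implementation: a minimal Python sketch of the rolling-window new-recipient lockout described above. It assumes "new" means an address the sender has never mailed before; the limit of 3, the class and function names, and the sample log are all constructed for illustration.

```python
from collections import defaultdict, deque

HOUR = 3600
WINDOW = 72 * HOUR   # rolling window from the post
LIMIT = 3            # constructed limit; the post does not give its value


class NewRecipientTracker:
    """Count first-time recipients per sender in a rolling window (assumed meaning of "new")."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.known = defaultdict(set)     # sender -> every recipient seen so far
        self.recent = defaultdict(deque)  # sender -> times of first contacts
        self.locked = set()

    def record(self, sender, recipients, now):
        """Record one message; return True if the sender is locked out."""
        sender = sender.lower()
        if sender in self.locked:
            return True
        events = self.recent[sender]
        # Expire first contacts that have aged out of the window.
        while events and events[0] <= now - self.window:
            events.popleft()
        for rcpt in {r.strip().lower() for r in recipients}:
            if rcpt not in self.known[sender]:
                self.known[sender].add(rcpt)
                events.append(now)
        if len(events) > self.limit:
            self.locked.add(sender)
        return sender in self.locked


def replay(log, **kwargs):
    """Feed (time, sender, recipients) entries in time order; return locked senders."""
    tracker = NewRecipientTracker(**kwargs)
    for ts, sender, rcpts in sorted(log, key=lambda e: e[0]):
        tracker.record(sender, rcpts, ts)
    return tracker.locked


# Constructed sample log; every address here is made up.
SAMPLE_LOG = [
    (0, "alice@example.com", ["a@example.net", "b@example.net"]),
    (10 * HOUR, "alice@example.com", ["a@example.net", "c@example.net"]),
    (80 * HOUR, "alice@example.com", ["d@example.net", "e@example.net"]),
    (81 * HOUR, "bob@example.com", [f"u{i}@example.org" for i in range(5)]),
]
```

In the sample, alice reaches five new addresses in total but never more than three inside any 72-hour window, so only bob's single burst to five unseen addresses trips the lockout.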