
Thread: Enhanced black-list protection

  1. #1
    mickier (Loyal Member, joined Dec 2007)

    Enhanced black-list protection

    Does Zimbra provide the ability to limit email being sent out by [my] users?

    Recently, I've had two episodes about 6 weeks apart, where one of my users' accounts was compromised (I think they responded to the old "you must send me your password or you'll be disconnected" phishing message). Anyway someone logged in as them and sent out a gazillion emails saying "you have won a million bucks, just send me your bank info so I can deposit the money..."

    In each case, I didn't find out until the next day by looking at some of the reports (dailyreport etc) but by then our server's ip was already blocked by yahoo, gmail, att, and a bunch of other servers.

    Seems to me that it would be very helpful if Zimbra would allow me to set a limit - maybe 400 messages/day or something and if any user hit that limit, it would automatically lock the account and send the admin a warning email? (I believe that gmail and others already do something like this...)

    I understand that there is a way to manually do something like this with policyd, and I'm looking at that option for now, but as with any other "manual tweaks" I expect it to break with upgrades, and it's "unsupported"...

    Is there another way to catch this type of problem early? What are large zimbra sites doing to avoid getting onto blacklists?

    A similar issue would occur if a client's machine gets hit by a trojan or other malware which sends out spam.

    I'm just looking for a better solution since it can take days to get off all the bad lists.(!) but just a few hours to get back on !(!)

  2. #2
    LMStone (Moderator, joined Sep 2006, Portland, ME)

    Quote Originally Posted by mickier View Post
    Does Zimbra provide the ability to limit email being sent out by [my] users?

    Recently, I've had two episodes about 6 weeks apart, where one of my users' accounts was compromised (I think they responded to the old "you must send me your password or you'll be disconnected" phishing message). Anyway someone logged in as them and sent out a gazillion emails saying "you have won a million bucks, just send me your bank info so I can deposit the money..."

    In each case, I didn't find out until the next day by looking at some of the reports (dailyreport etc) but by then our server's ip was already blocked by yahoo, gmail, att, and a bunch of other servers.

    Seems to me that it would be very helpful if Zimbra would allow me to set a limit - maybe 400 messages/day or something and if any user hit that limit, it would automatically lock the account and send the admin a warning email? (I believe that gmail and others already do something like this...)

    I understand that there is a way to manually do something like this with policyd, and I'm looking at that option for now, but as with any other "manual tweaks" I expect it to break with upgrades, and it's "unsupported"...

    Is there another way to catch this type of problem early? What are large zimbra sites doing to avoid getting onto blacklists?

    A similar issue would occur if a client's machine gets hit by a trojan or other malware which sends out spam.

    I'm just looking for a better solution since it can take days to get off all the bad lists.(!) but just a few hours to get back on !(!)
    You could put a relay host in front of your Zimbra box running Postfix and have all email outbound from the Zimbra server filtered through the relay host. (Leave inbound email as is.)

    The relay host would be a plain Linux server running Postfix with Policyd.

    In that way you wouldn't have to hack Zimbra's Postfix to install Policyd, and if something did sneak out it would be the Postfix Policyd server which would get blacklisted. You could then clean up the problem on Zimbra, remove the Relay MTA in Zimbra so users could send mail, and then work on getting the Relay MTA removed from the blacklists with less time pressure.

    If I may, I might also suggest some social engineering training for users. We have had good success with this. No one likes to know that their getting tricked caused everyone in the whole company to be unable to send email during the time it took you to get the Zimbra server off the blacklists!

    Hope that helps,
    Mark
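The threshold-and-lock idea from the first post (count outbound submissions per user per day, lock the account and warn the admin once a user passes the limit) can be prototyped outside Postfix by reading the submission log that Zimbra's MTA already writes. The script below is an added example written for this thread; it is not Zimbra or Policyd code, and the log lines in it are constructed. It assumes the standard `postfix/smtpd` authentication line format (`sasl_username=` identifies the submitting mailbox) and that per-user counts are keyed by the syslog date. The lock-out command it suggests uses the real `zmprov ma ... zimbraAccountStatus locked` attribute; the script only prints it, it never runs it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Postfix smtpd format (not taken from the thread).
# bob submits five messages on Jan 12; one qmgr line is present to show that
# non-authentication lines are ignored.
SAMPLE_LOG = """\
Jan 12 09:01:10 mail postfix/smtpd[2101]: 4F2A1B: client=ws1.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 12 09:02:44 mail postfix/qmgr[1900]: 4F2A1B: from=<alice@example.com>, size=1820, nrcpt=1 (queue active)
Jan 12 09:05:03 mail postfix/smtpd[2101]: 51C0E7: client=ws1.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 12 11:20:00 mail postfix/smtpd[2188]: 60AA11: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 12 11:20:01 mail postfix/smtpd[2188]: 60AA12: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 12 11:20:02 mail postfix/smtpd[2188]: 60AA13: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 12 11:20:03 mail postfix/smtpd[2188]: 60AA14: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 12 11:20:04 mail postfix/smtpd[2188]: 60AA15: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 13 08:00:30 mail postfix/smtpd[2301]: 7B3F02: client=ws2.example.net[192.0.2.11], sasl_method=LOGIN, sasl_username=carol@example.com
"""

# One authenticated submission per matching line; the queue id is captured so
# an investigator can pull the rest of the message's log trail later.
AUTH_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): client=\S+, sasl_method=\S+, sasl_username=(?P<user>\S+)$'
)

def count_submissions(log_text):
    """Return {day: Counter(user -> submissions)} for every smtpd auth line."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # qmgr, cleanup, smtp delivery lines etc. are not submissions
        day = m.group('ts')[:6]  # syslog 'Mon DD' prefix, e.g. 'Jan 12'
        counts[day][m.group('user')] += 1
    return counts

def find_offenders(counts, limit=400):
    """List (day, user, n) for every user who exceeded `limit` submissions in a day.

    400/day is the figure floated in the thread; it is a default, not a recommendation.
    """
    offenders = []
    for day in sorted(counts):
        for user, n in counts[day].most_common():
            if n > limit:
                offenders.append((day, user, n))
    return offenders

def admin_alert(offender, limit):
    """Build the warning text an admin would receive, including the lock command.

    The zmprov command is suggested, not executed: locking should stay a
    human decision until the threshold has been tuned for real traffic.
    """
    day, user, n = offender
    return (
        f"[outbound-limit] {user} submitted {n} messages on {day} (limit {limit}).\n"
        f"Possible compromised account or infected client. Suggested action:\n"
        f"  zmprov ma {user} zimbraAccountStatus locked\n"
        f"Then review the smtpd/qmgr log trail for that account before unlocking."
    )

if __name__ == "__main__":
    # Low limit here only so the constructed sample trips it.
    for off in find_offenders(count_submissions(SAMPLE_LOG), limit=3):
        print(admin_alert(off, limit=3))
```

In practice this would run from cron against `/var/log/zimbra.log` (or wherever the MTA logs on your box) a few times a day, so the second compromise the poster describes would be noticed within hours rather than from the next morning's daily report. The relay-host design Mark describes still gives the hard stop at the MTA; this script is the early-warning layer in front of it.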
