Quote:
Originally Posted by mickier
Does Zimbra provide the ability to limit email being sent out by [my] users?
Recently, I've had two episodes about 6 weeks apart, where one of my users' accounts was compromised (I think they responded to the old "you must send me your password or you'll be disconnected" phishing message). Anyway someone logged in as them and sent out a gazillion emails saying "you have won a million bucks, just send me your bank info so I can deposit the money..."
In each case, I didn't find out until the next day by looking at some of the reports (dailyreport etc) but by then our server's ip was already blocked by yahoo, gmail, att, and a bunch of other servers.
Seems to me that it would be very helpful if Zimbra would allow me to set a limit - maybe 400 messages/day or something and if any user hit that limit, it would automatically lock the account and send the admin a warning email? (I believe that gmail and others already do something like this...)
I understand that there is a way to manually do something like this with policyd, and I'm looking at that option for now, but as with any other "manual tweaks" I expect it to break with upgrades, and it's "unsupported"...
Is there another way to catch this type of problem early? What are large Zimbra sites doing to avoid getting onto blacklists?
A similar issue would occur if a client's machine gets hit by a trojan or other malware which sends out spam.
I'm just looking for a better solution since it can take days to get off all the bad lists.(!) but just a few hours to get back on !(!)
You could put a relay host in front of your Zimbra box running Postfix and have all email outbound from the Zimbra server filtered through the relay host. (Leave inbound email as is.)
The relay host would be a plain Linux server running Postfix with Policyd.
In that way you wouldn't have to hack Zimbra's Postfix to install Policyd, and if something did sneak out it would be the Postfix Policyd server which would get blacklisted. You could then clean up the problem on Zimbra, remove the Relay MTA in Zimbra so users could send mail, and then work on getting the Relay MTA removed from the blacklists with less time pressure.
If I may, I might also suggest some social engineering training for users. We have had good success with this; no one likes to know that their getting tricked caused everyone in the whole company to be unable to send email during the time it took you to get the Zimbra server off the blacklists!
Hope that helps,
Mark
L. Mark Stone, CIO
"Uptime. All the time."
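As an added example (not Mark's or Zimbra's code), here is a Python script for the relay host that correlates Postfix smtpd and qmgr log lines to count recipients per SASL-authenticated user and flag anyone over a daily limit, which is the kind of early warning the question asks for. The log lines, hostnames and the 400-recipient threshold are constructed for illustration; counting recipients rather than messages matters because one message with hundreds of BCC recipients looks like a single send.

```python
import re
from collections import defaultdict

# Constructed Postfix log sample from an outbound relay: each submission produces
# an smtpd line (who authenticated, from where) and a qmgr line (how many recipients).
SAMPLE_LOG = """\
Mar  3 08:01:10 relay postfix/smtpd[2101]: 1A2B3C4D: client=ws1.example.org[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.org
Mar  3 08:01:10 relay postfix/qmgr[1900]: 1A2B3C4D: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Mar  3 08:02:31 relay postfix/smtpd[2102]: 5E6F7A8B: client=ws2.example.org[192.0.2.11], sasl_method=LOGIN, sasl_username=bob@example.org
Mar  3 08:02:31 relay postfix/qmgr[1900]: 5E6F7A8B: from=<bob@example.org>, size=4096, nrcpt=350 (queue active)
Mar  3 08:03:05 relay postfix/smtpd[2103]: 9C0D1E2F: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.org
Mar  3 08:03:05 relay postfix/qmgr[1900]: 9C0D1E2F: from=<bob@example.org>, size=4096, nrcpt=120 (queue active)
Mar  3 08:04:00 relay postfix/smtpd[2104]: 3A4B5C6D: client=ws1.example.org[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.org
Mar  3 08:04:00 relay postfix/qmgr[1900]: 3A4B5C6D: from=<alice@example.org>, size=1024, nrcpt=2 (queue active)
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,]+),.*sasl_username=(?P<user>\S+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

def recipients_per_user(log_text):
    """Return {sasl_username: (messages, recipients, set_of_client_hosts)} by joining
    the smtpd and qmgr lines on the Postfix queue ID."""
    qid_user, qid_client = {}, {}
    stats = defaultdict(lambda: [0, 0, set()])
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            qid_user[m["qid"]] = m["user"]
            qid_client[m["qid"]] = m["client"]
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in qid_user:       # only count SASL-authenticated submissions
            s = stats[qid_user[m["qid"]]]
            s[0] += 1
            s[1] += int(m["nrcpt"])
            s[2].add(qid_client[m["qid"]])
    return {u: (s[0], s[1], s[2]) for u, s in stats.items()}

def flag_senders(log_text, max_recipients=400):
    """List (user, messages, recipients, sorted client hosts) for every user whose
    recipient total exceeds max_recipients, busiest first. An unfamiliar client host
    alongside the spike is a hint that the credentials, not the workstation, were abused."""
    flagged = [(u, n, r, sorted(c)) for u, (n, r, c) in recipients_per_user(log_text).items()
               if r > max_recipients]
    return sorted(flagged, key=lambda t: -t[2])

if __name__ == "__main__":
    for user, msgs, rcpts, clients in flag_senders(SAMPLE_LOG):
        print(f"ALERT {user}: {msgs} messages, {rcpts} recipients, from {', '.join(clients)}")
```

Run it from cron against the previous day's mail.log on the relay and mail the output to the admin; a hit is the cue to lock the account before the blacklists notice.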