mass mails blocker for outgoing

Hi,

I have many outgoing Postfix servers, and they are used only for outgoing mail: all mails come from a "permit mynetworks".

In the last few days, someone in the "permit mynetworks" was infected by a worm that sent many, many spam mails (to yahoo.com.tw, yahoo.com, and others). Yahoo blocked this mail with a 421 code and so the mails stayed in our queues. It was many millions of mails: our servers were very, very slow because they tried to send the mails again and again.

What can I do? How can I control and block a mass mail sender?
I don't want a spam blocker, just a mass mail blocker (with a temporary blacklist like Yahoo does).

Thank you for your help
 
It probably means there's something fundamentally wrong with your network. Pretty much all malware uses its own mechanism to send email. This means an infected machine will try to contact the receiver's mail server directly. How this ends up in your mail servers is somewhat beyond me. That shouldn't happen.
 
SirDice said:
It probably means there's something fundamentally wrong with your network. Pretty much all malware uses its own mechanism to send email. This means an infected machine will try to contact the receiver's mail server directly. How this ends up in your mail servers is somewhat beyond me. That shouldn't happen.

It's not exactly my network. It's our clients' networks. We can't control our clients' networks. We have a lot of clients.
 
You can spam-scan outbound mail. To automate a blacklist, I'm not sure of any method other than parsing your Postfix logs with a custom script and adding any overactive IPs to the blacklist.

Andy.
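The log-parsing approach Andy describes, as an added example that is not part of any post in this thread: it counts the `postfix/smtpd ... client=host[ip]` lines (one per message accepted from a client) per source IP over a sliding time window and emits a Postfix access table that rejects any client exceeding a threshold. The log lines, the threshold, the window length and the table path are constructed assumptions for the demonstration; the `check_client_access` and `postmap` usage in the comments is standard Postfix.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Postfix smtpd logs one "client=" line per message it accepts, e.g.
#   Jan 15 03:14:01 mx1 postfix/smtpd[4021]: 7A1B2C3D4E: client=pc-7.client.example[192.0.2.10]
# Counting these per IP is the cheapest measure of how much mail a client injects.
CLIENT_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>\S*?)\[(?P<ip>[0-9a-fA-F.:]+)\]"
)

# Constructed sample log (assumption): 192.0.2.10 injects six messages within a
# minute, 192.0.2.20 sends two messages 26 minutes apart. Non-smtpd lines are ignored.
SAMPLE_LOG = """\
Jan 15 03:14:01 mx1 postfix/smtpd[4021]: 7A1B2C3D4E: client=pc-7.client.example[192.0.2.10]
Jan 15 03:14:02 mx1 postfix/qmgr[3990]: 7A1B2C3D4E: from=<bob@client.example>, size=2211, nrcpt=1 (queue active)
Jan 15 03:14:05 mx1 postfix/smtpd[4021]: 8B2C3D4E5F: client=pc-7.client.example[192.0.2.10]
Jan 15 03:14:07 mx1 postfix/smtpd[4022]: 9C3D4E5F60: client=mail.other.example[192.0.2.20]
Jan 15 03:14:12 mx1 postfix/smtpd[4021]: A04E5F6071: client=pc-7.client.example[192.0.2.10]
Jan 15 03:14:20 mx1 postfix/smtpd[4021]: B15F607182: client=pc-7.client.example[192.0.2.10]
Jan 15 03:14:33 mx1 postfix/smtpd[4021]: C260718293: client=pc-7.client.example[192.0.2.10]
Jan 15 03:15:01 mx1 postfix/smtpd[4021]: D3718293A4: client=pc-7.client.example[192.0.2.10]
Jan 15 03:40:10 mx1 postfix/smtpd[4022]: E48293A4B5: client=mail.other.example[192.0.2.20]
"""


def parse_timestamp(month, day, time_str, year=2012):
    """Syslog timestamps carry no year; the caller supplies it (assumed 2012 here)."""
    return datetime.strptime(f"{year} {month} {int(day):02d} {time_str}", "%Y %b %d %H:%M:%S")


def find_mass_senders(log_lines, threshold, window_seconds, year=2012):
    """Return {ip: peak_count} for every client that injected at least `threshold`
    messages within any `window_seconds`-long window. Lines must be in log order."""
    windows = defaultdict(deque)   # ip -> timestamps of recent messages
    offenders = {}
    for line in log_lines:
        m = CLIENT_RE.match(line)
        if not m:
            continue
        ts = parse_timestamp(m["month"], m["day"], m["time"], year)
        recent = windows[m["ip"]]
        recent.append(ts)
        # Drop timestamps that fell out of the sliding window.
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold:
            offenders[m["ip"]] = max(offenders.get(m["ip"], 0), len(recent))
    return offenders


def access_table(offenders, message="Too many messages, try again later"):
    """Render a Postfix access(5) table: one 'ip<TAB>REJECT text' line per offender.
    Use DEFER_IF_PERMIT instead of REJECT if the client should retry rather than bounce."""
    return "".join(f"{ip}\tREJECT {message}\n" for ip in sorted(offenders))


if __name__ == "__main__":
    # Assumed tuning: 5 messages in 10 minutes marks a client as a mass sender.
    hits = find_mass_senders(SAMPLE_LOG.splitlines(), threshold=5, window_seconds=600)
    table = access_table(hits)
    print(table, end="")
    # Assumed deployment (paths are examples): write the table, then run
    #   postmap /etc/postfix/mass_senders
    # and list it in main.cf *before* permit_mynetworks so it is consulted first:
    #   smtpd_client_restrictions = check_client_access hash:/etc/postfix/mass_senders,
    #                               permit_mynetworks, reject
```

Run from cron against the current mail log, the script produces the table that Andy's "custom script" would maintain; removing entries after a cool-down period gives the temporary blacklist the original poster asked for. Two caveats: `check_client_access` must precede `permit_mynetworks` in the restriction list or the rejection never fires for relay clients, and if you prefer Postfix's built-in `smtpd_client_message_rate_limit` (anvil) instead of a script, note that `smtpd_client_event_limit_exceptions` defaults to `$mynetworks`, so in a setup where every sender is in mynetworks the rate limit is exempted unless that parameter is narrowed.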
 
nORKy said:
It's not exactly my network. It's our clients' networks. We can't control our clients' networks. We have a lot of clients.

Let the clients control their own networks, just turn off their connection until they fix their massive security problem. When your network starts getting rejected by major players, you are paying for that client security problem.
 
wblock said:
Let the clients control their own networks, just turn off their connection until they fix their massive security problem. When your network starts getting rejected by major players, you are paying for that client security problem.

I understand that.
But nobody has an idea for installing an automatic blocker??
Because the last problem happened on Sunday, and I didn't see the "mailqueue growing warning" from Nagios. Monday was too late: 2 million mails in our queue, mail servers very slow, valid mails many hours late...
 
Kill the infection, not the results. Find the host that's causing it, clean the machine and have a stern word with its owner.
 
For a malware infection you can use these three basic steps:
  1. Identification - You need to know what you're dealing with. An exact name isn't necessary, as long as you know how it got in and how it propagates.
  2. Containment - Isolate the infected hosts so the infection doesn't spread any further. This should be easy once you've identified the threat and its method of propagation.
  3. Eradication - Remove the infection. If necessary, patch the systems so they don't get infected again.
 