[ngw] Ways to prevent internal users from spamming via SMTP?

Ben Knorr bknorr at westminstercollege.edu
Tue Sep 11 15:23:12 UTC 2012

Theoretically, if every two weeks a user's account is hijacked via an infected personal computer with an IMAP/SMTP client, and it starts sending thousands of messages per hour, what might be the best ways to detect this and to stop it automatically?
In theory, we've got a script that parses GWIA logs, looking for unique messages that are sent on a daily basis. Even for high-usage users, it might be less than 20 per day. The violators, it seems, might be sending messages in the thousands to tens of thousands per day. This script we have is fine, in that when we run it, it tells us which account is the problem. The only problem with this is that it requires a bit more scripting to get it to go automatically and to page/text an admin to alert them to disable the user. From what I've read in the GroupWise docs, the anti-spam and mailbomb protection stuff is all geared towards malicious users from outside of the organization. In our case, my question pertains to malicious users (at least honest accounts which are used maliciously by third parties) from within the organization. It would be best to throttle users' mail throughput after they hit a certain threshold, without requiring manual intervention.

Any thoughts, tips, suggestions?
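As an added illustration of the per-account volume check the post describes (example code, not the poster's script and not part of GroupWise), the following counts outbound messages per sender in a sliding one-hour window and reports the first moment an account crosses a threshold. The log line layout, the regular expression, the sample data and the threshold value are all assumptions; a real GWIA log has its own format, so only the parser line needs adjusting.

```python
"""Flag internal accounts whose outbound mail volume spikes, from log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical line layout: "<timestamp> FROM <sender> TO <recipient>".
# A real GWIA log uses its own format; only LINE_RE needs changing for it.
LINE_RE = re.compile(r"^(\S+ \S+) FROM (\S+) TO (\S+)$")


def build_sample_log():
    """Constructed sample data: alice sends one message an hour all morning,
    while bob's hijacked account sends 40 messages in under five minutes."""
    base = datetime(2012, 9, 11, 8, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = [f"{base + timedelta(hours=h):{fmt}} FROM alice@example.edu TO peer{h}@example.org"
             for h in range(5)]
    lines += [f"{base + timedelta(seconds=7 * i):{fmt}} FROM bob@example.edu TO rcpt{i}@example.org"
              for i in range(40)]
    return sorted(lines)


def find_spammers(lines, threshold=30, window=timedelta(hours=1)):
    """Return {sender: (timestamp, count)} for every sender who exceeded
    `threshold` messages within any `window`, recorded at the first crossing.
    The result is what an alerting or auto-disable step would act on."""
    recent = defaultdict(deque)   # sender -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                  # not a message record; ignore
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        sender = m.group(2).lower()
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:   # expire messages older than the window
            q.popleft()
        if len(q) > threshold and sender not in flagged:
            flagged[sender] = (ts, len(q))
    return flagged


if __name__ == "__main__":
    for who, (when, n) in find_spammers(build_sample_log()).items():
        print(f"ALERT {when:%H:%M:%S} {who}: {n} messages within the last hour")
```

Running it flags only bob, at the 31st message in the window, while alice's normal volume stays well under the threshold.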

