Rate limiting?

Recently, we have been victim of a phishing attack (read
http://www.amazon.com/gp/blog/A1XJVH38GHOSHB for details).

I noticed that the squirrel_logger plugin does actually log:

11/19/2008 22:11:43 [MASS_MAILING] idiotuser (charite.de) from 65.49.2.93 (65.49.2.93): Total 340 recipients

but

a) It doesn't notify postmaster, although I configured it to do so

$sl_send_alerts = array(
      'MASS_MAILING'  =>  "Possible outgoing spam: by %2 (%3) at %4 on %6: %7",
);
$sl_alert_to  = array(
      'MASS_MAILING' => 'postmaster@...',
);

b) Logging is fine, but it would be cool to actually BLOCK the user
   from sending mail for e.g. 15 Minutes.

Thoughts? Are there other ways to prevent mass-mailing?

--
Ralf Hildebrandt (i.A. des GB IT)               Ralf.Hildebrandt@...
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
Geschäftsbereich IT Standort CBF                     I'm looking for a job!

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel

> Thoughts? Are there other ways to prevent mass-mailing?

Have you looked into blocking it via your MTA?  Some of them have quite
reasonable facilities for just this situation.  If you can do it there,
it's a better place than in SM.


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel

On Mon, Nov 24, 2008 at 2:24 PM, Ralf Hildebrandt
<Ralf.Hildebrandt@...> wrote:
That's troubling.  I'll try to look later, but any additional help you
can provide by running some internal tests (and watching for errors,
etc.) would be appreciated.  Also, please show all software versions.

The Restrict Senders plugin will actually disable sends from any
account that has sent "mass mailings" to a given number of recipients
in a certain timeframe.  You can certainly use that or rate limit in
the MTA as otherwise suggested.

Any other feedback you have on why the logger plugin didn't notify you
would be helpful.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel

* WJCarpenter <bill-squirrelmail@...>:
>
> > Thoughts? Are there other ways to prevent mass-mailing?
>
> Have you looked into blocking it via your MTA?  Some of them have quite
> reasonable facilities for just this situation.  If you can do it there,
> it's a better place than in SM.

Yes, that's probably the better idea, since it applies to all
incjection paths.

--
Ralf Hildebrandt (i.A. des GB IT)               Ralf.Hildebrandt@...
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
Geschäftsbereich IT Standort CBF                     I'm looking for a job!

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel

Ralf,

Again, please show versions of SquirrelMail and Squirrel Logger.
Also, please show what $sl_mass_mail_limit is set to in the Squirrel
Logger configuration file.

I tested just now and don't see any problems.  Older versions of the
plugin used to use a from address of "noreply", but this was changed
more recently to "noreply@...".  Can you test to see if that
is the problem (does that address get blocked?  do you need to
configure the from address yourself?  what's wrong with noreply - why
is it blocked if it is?)?

>> $sl_send_alerts = array(
>>      'MASS_MAILING'  =>  "Possible outgoing spam: by %2 (%3) at %4 on %6: %7",
>> );
>> $sl_alert_to  = array(
>>      'MASS_MAILING' => 'postmaster@...',
>> );

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel

* Paul Lesniewski <paul@...>:

> Again, please show versions of SquirrelMail and Squirrel Logger.

squirrelmail-1.4.15

Squirrel Logger 2.2

> Also, please show what $sl_mass_mail_limit is set to in the Squirrel
> Logger configuration file.

# fgrep -i sl_mass_mail_limit *
config.php:          $sl_dateformat, $sl_send_alerts, $sl_mass_mail_limit,
config.php:   //    MASS_MAILING    Message sent with more than $sl_mass_mail_limit recipients
config.php:   $sl_mass_mail_limit = 80;

> I tested just now and don't see any problems.  Older versions of the
> plugin used to use a from address of "noreply", but this was changed
> more recently to "noreply@...".  Can you test to see if that
> is the problem (does that address get blocked?  do you need to
> configure the from address yourself?  what's wrong with noreply - why
> is it blocked if it is?)?

I guess it might have been blocked due to the invalid sender address.
I configured a valid sender address now.

--
Ralf Hildebrandt (i.A. des GB IT)               Ralf.Hildebrandt@...
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
Geschäftsbereich IT Standort CBF                     I'm looking for a job!

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel

What do you mean that you configured it?  The plugin has no such
configuration, so I assume you added an alias in your mail system for
"noreply"?  I think I will add a configurable element for that in the
next release (coming in the next week).

Can you change $sl_mass_mail_limit to a very low number and do a quick
test on your own account to ensure that this is in fact the reason it
did not work for you?

Thanks,

   Paul

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel

* Paul Lesniewski <paul@...>:

> What do you mean that you configured it?

I changed the code :)

> Can you change $sl_mass_mail_limit to a very low number and do a quick
> test on your own account to ensure that this is in fact the reason it
> did not work for you?

Dangerous, my users will hate me :)
'll try

--
Ralf Hildebrandt (i.A. des GB IT)               Ralf.Hildebrandt@...
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
Geschäftsbereich IT Standort CBF                     I'm looking for a job!

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel

On Sun, Nov 30, 2008 at 1:09 PM, Ralf Hildebrandt
<Ralf.Hildebrandt@...> wrote:
The plugin only logs things or sends you alerts -- they should never
know.  Just turn the limit down to something like 2, send an email
yourself with 3 recipients, then turn the limit back to what it was.
Should not cause any big problems that I know of.

Thanks for anything you can do to help.

Cheers,

 Paul

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel