This is clearly something that you will want to "add" to Postfix. If you
do it any later than the initial attempt to send mail into the user's
inbox, you have not gained anything, as the mail has already gone through
the pipeline.

If you are truly trying to stop resource consumption (which it seems you
are), then you need to catch it as early in the game as possible, which to
me would say, if you truly thought this was a good idea (and it wouldn't
be for anything larger than even a moderate-sized number of users, as the
amount of data to be tracked for the relatively little gain is hardly
worth it in most cases), you will want to hack the Postfix daemon to
check/update a counter and timestamp associated with the email address
each time it receives the SMTP RCPT TO command. This integration would
actually be really useful for stopping delivery for over-quota users as
well.

Otherwise, I would either pass it off as anomalous, hardly worth the
resources and engineering efforts to defend against, and then wait to see
if this practice actually became a larger nuisance than a one-time event.

For good measure, now that his account has been blocked, I would send him
an email threatening with abuse of resources and a more stringent quota as
a result, and request a response informing me of the correction within 72
hours. Check the logs every so often to see if the end user logs in to
receive the warning and, if not, nuke the account. Since the case tends to
be that once you are on the spam list, you aren't getting off of it, there
will most likely be nothing the end user can do about it and therefore
have their account nuked for abuse anyway.

Good Luck,
--
Michael
--

On Tue, 2001-10-02 at 20:15, Jeremy Howard wrote:
> Sorry for the x-post, but I'm not sure if this is best done by Postfix or
> deliver...
>
> Last night we had a user sign up who for some reason used their account to
> receive a _lot_ of spam (thousands of messages per minute). I'm curious as
> to why this might happen--any suggestions via private email would be
> welcome. But that's not the purpose of this post...
>
> What I'd like to do is avoid this happening in the future. I've manually
> added this address with REJECT to check_client_access for now. Now what I'd
> like to do is add something that checks how many messages a user has
> received in the last n minutes, or in some other way is triggered by an
> unusual rate of email to a particular user. I'd want to be able to trigger a
> little script based on this hook, which would automatically add the user to
> our check_client_access table and notify me that something fishy was going
> on. That way my other users won't be affected because Postfix will block the
> deluge of messages early on.
>
> What would be the easiest way to do this? I could use unix_notify in Cyrus
> to update a table and check rate with a little Perl daemon, but this seems
> like a resource intensive way to do such a simple check... Another extreme
> would be a cron job that checks somehow the message rate--but what log to
> check?
>
> How are others dealing with this, if at all?
>
> TIA,
> Jeremy
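
The per-address counter and timestamp discussed in this thread can also be kept outside Postfix by scanning the mail log, as in the cron-job option raised in the quoted post. The sketch below is an added example, not code from either poster or from Postfix; the function names, the limit, the window, the year and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the syslog timestamp and the to=<...> field of a Postfix delivery line.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/[\w-]+\[\d+\]: "
    r"[0-9A-F]+: to=<([^>]+)>"
)

def flood_recipients(lines, limit, window_minutes, year=2001):
    """Return {recipient: time the limit was first exceeded}.

    limit, window_minutes and year are assumed parameters; syslog
    timestamps carry no year, so one has to be supplied.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # recipient -> timestamps inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not a delivery line
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        rcpt = m.group(2).lower()
        stamps = recent[rcpt]
        stamps.append(when)
        # Drop entries that have aged out of the window.
        while when - stamps[0] >= window:
            stamps.popleft()
        if len(stamps) > limit and rcpt not in flagged:
            flagged[rcpt] = when  # candidate for the REJECT table
    return flagged

def sample_log():
    """Constructed log: one address gets 5 messages in 5 s, another 2 in 10 min."""
    fmt = ("Oct  2 {t} mx1 postfix/pipe[4242]: {q}: to=<{r}>, "
           "relay=cyrus, delay=1, status=sent")
    lines = [fmt.format(t=f"19:50:0{i}", q=f"A1B2C{i}", r="flooded@example.com")
             for i in range(5)]
    lines.append(fmt.format(t="19:40:00", q="D4E5F0", r="quiet@example.com"))
    lines.append(fmt.format(t="19:50:03", q="D4E5F1", r="quiet@example.com"))
    lines.append("Oct  2 19:50:04 mx1 postfix/smtpd[4100]: connect from unknown[192.0.2.7]")
    return sorted(lines)

if __name__ == "__main__":
    hits = flood_recipients(sample_log(), limit=3, window_minutes=1)
    for rcpt, when in hits.items():
        print(f"{when:%H:%M:%S} {rcpt} exceeded 3 messages/minute")
```

Because it reads delivery lines, this check fires only after the first messages have gone through the pipeline, which is the cost the reply attributes to any check placed later than RCPT TO.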