To set a daily limit in accounts, you can go to your domain (or all of them using shift or TOOL.exe or templates), LIMITS tab and set in the Users section Max msgs out per day to 500 let's say. That means each user can send 500 msgs per day. BTW if this option is greyed out, enable use user limits in global settings.
If the limit is reached and they did not send all that email, you can be sure a virus did and change their pwd... The error when the limit is reached is "we do not relay, account limits apply".
ALSO I do recommend you add a filter that adds X-auth: %%auth_email%% in header. This way, in case of abuse, you can simply double click the message and see who authenticated (usually will be same as sender since you use reject if SMTP AUTH different than sender...). Filter is here: https://suporte.icewarp.c...abecalho-das-mensagens
POP before SMTP is really dangerous. Because user downloaded mail then has x minutes to send. If he has a virus that sends mail, it will be able to. Much better to rely on SMTP AUTHENTICATION where each time you send a message, it uses POP/IMAP password to send. And still there are viruses that authenticate to send spam (botnets, etc). And this is why it is very important you set a limit on # of emails per day on each account in icewarp...
There are ways to be even more rigid, such as the new 587 submission port (see icewarp f1 help) where you force users to connect ONLY to port 587 and having to authenticate.
Our FAQ is in Portuguese, you can run it in Google Translator: https://suporte.icewarp.c...pam-ocorridos-via-smtp
1) Disable POP before SMTP. Reject if local and not authorized is up to you. I dislike it. It avoids only forged SENDER not forged FROM in header (for that you need a filter). So for example, an employee is travelling, it's very common for hotels, etc. to block port 25 or force them to use the Hotel's SMTP. In that case Icewarp would refuse email as it came from a local sender that did NOT auth via icewarp. So I prefer it off, although you can always set a bypass if it happens.
2) DNSBLs - I also add barracuda blacklist (bl.barracudacentral.org) but you have to register to it and also use bl.spamcop.net. Both really good lists.
Don't use more than 4 lists total (considering here + in spamassassin/DNSBLs). I use none there.
3) Intrusion: I like to use it in a way to avoid my customers being tarpitted... actually, nowadays I use it as a spam trap system :) See http://forum.icewarp.com/...mp;highlight=intrusion
Anyways if users authenticate SMTP, most of these things don't occur to legit users, EXCEPT # of connections per minute and RSET (as many clients keep forcing RSETs if for example they get some error).
So if you wanna be safe, do something like the image in this faq: https://suporte.icewarp.c...-ler-logs-do-anti-spam
- Your connections per min is too low. I'd put 100 or higher.
- Failed attempts 30 is good. I don't use this, if I would, I would keep high value, because this blocks an IP in case of x failed attempts, so imagine, you can block an entire company if they use same OUT IP because of 1 user putting wrong pwd...
- Your delivery count is high, I'd put 5 or so. That's 1 of the main features, it blocks dictionary attacks, if over x invalid recipients, block for x minutes and enable cross session and close connections.
- Block size 15 MB - too low. The idea with this feature is to avoid people sending HUGE files to your customers. So put like 150 MB. It's because SMTP (not ESMTP) has to receive entire message before knowing size. So if your system is receiving (from out to IN) a msg over x megabytes, block user's IP.
Hope it helps.
PS - if you want we can move this discussion over to icewarp forum :)
post edited by Luca2 - 2012/11/09 09:20:04
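
An added example, not part of the original post and not IceWarp code: once the X-auth filter described above is in place, stored messages can be audited per authenticated account to see who reached the daily limit and where the From header differs from the account that authenticated. The function name `audit`, the helper `_msg` and all sample addresses are assumptions made for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample messages; addresses and dates are made up for illustration.
def _msg(auth, sender, hour):
    head = f"X-auth: {auth}\n" if auth else ""
    return (f"{head}From: {sender}\n"
            f"Date: Fri, 09 Nov 2012 {hour:02d}:00:00 +0000\n\nbody\n")

SAMPLE = [
    _msg("alice@example.test", "Alice <alice@example.test>", 8),
    _msg("bob@example.test", "bob@example.test", 9),
    _msg("bob@example.test", "bob@example.test", 10),
    _msg("bob@example.test", "CEO <ceo@example.test>", 11),  # From differs from auth
    _msg("", "outside@example.org", 12),  # no X-auth: not sent via SMTP AUTH
]

def audit(raw_messages, daily_limit=500):
    """Return (accounts at or over the limit per day, X-auth/From mismatches)."""
    per_day = Counter()
    mismatches = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        # X-auth is the header added by the filter recommended in the post.
        auth = (msg.get("X-auth") or "").strip().lower()
        if not auth:
            continue  # message was not submitted by an authenticated account
        try:
            day = parsedate_to_datetime(msg["Date"]).date().isoformat()
        except (TypeError, ValueError):
            day = "unknown"  # missing or unparsable Date header
        per_day[(auth, day)] += 1
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if sender != auth:
            mismatches.append((auth, sender))
    over = sorted(key for key, n in per_day.items() if n >= daily_limit)
    return over, mismatches

if __name__ == "__main__":
    # A limit of 3 is used only so the small constructed sample trips it.
    over, mismatches = audit(SAMPLE, daily_limit=3)
    print("at or over limit:", over)
    print("From differs from authenticated account:", mismatches)
```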