Your outgoing mail system should have a per-sender stop switch

February 14, 2016

Here is something important that recent events have made us realize. Put simply, every system that handles outgoing user-generated email should have some method to immediately stall and stop all email from a specific user. You want this for the obvious reason: when you discover a compromised user account that's being used to send spam, you can immediately stop just that user's email instead of having to take down your entire outgoing email system.

When you implement this, don't just implement the obvious step of refusing email submitted by blocked user(s). Go the extra distance so that blocking a user also (immediately) stops further processing of any email from them that is already in the mailer's queues. Generally, by the time you detect that a user's been compromised and their account is being used to spam, you're going to have a bunch of email from them queued up in your system trying to get delivered to various places. You really don't want to have to hunt all of this email down by hand to stop it from being sent out; instead, it's much better if you put a login name or whatever in a control file and all the queued email from them stops dead, with no fuss or muss.

(I wouldn't automatically remove such email from the queue, partly because you may want to inspect sample messages. It's enough that the messages stop trying to be delivered without you having to stop the entire mail system in a panic.)

Usually you'll want to do this based on the authenticated user (generally from SMTP AUTH). In some environments people don't have to authenticate to your outgoing mail server; there the best you can do is base things on, e.g., the MAIL FROM. If you're dealing with this situation, you may want to support wildcards (so you can say 'all email with a Hotmail sender address gets stopped'). Spammers often but not always use revolving MAIL FROM addresses where they think they can get away with it, so you need to be prepared for that.

(You may also want to support a per-IP or per-subnet stop switch, especially if you don't have SMTP AUTH to attach reliable identities to submitted email. But things are starting to get intricate here and at some point you're better off just stopping the entire mail system and doing general searches through the queued email.)
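As an added illustration of the design sketched above (this is example code, not anything from the original post or from any particular mail system), here is a small Python model of a stop-switch control file that a submission server and a queue runner both consult. It applies the same rule set at two points: refusing new submissions, and telling the queue runner which already-queued messages to leave alone on each pass. Rules can name an authenticated user, a wildcard MAIL FROM pattern, or an IP address/subnet. The control-file format, the queue record layout and all sample data are constructed for this example.

```python
"""Per-sender stop switch for an outgoing mail system (added example).

The stop rules are re-read on every queue-runner pass, so adding a rule
to the control file freezes a user's already-queued mail immediately;
matching messages are skipped, not deleted, so samples can be inspected.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed control-file format (an assumption of this example), one
# rule per line, '#' starts a comment:
#   user <login>         authenticated SMTP AUTH login
#   from <glob>          MAIL FROM address, shell-style wildcards allowed
#   ip   <addr-or-cidr>  submitting client IP address or subnet
SAMPLE_CONTROL_FILE = """
# constructed sample: one compromised account, one sender pattern, one subnet
user alice
from *@hotmail.com
ip 203.0.113.0/24
"""


@dataclass(frozen=True)
class StopRule:
    kind: str      # "user", "from" or "ip"
    pattern: str   # login, lower-cased MAIL FROM glob, or normalised CIDR


def parse_control_file(text: str) -> List[StopRule]:
    """Parse stop rules. Malformed lines are skipped rather than fatal so a
    typo in one line never causes the whole stop list to be ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("user", "from", "ip"):
            continue
        kind, pattern = parts
        if kind == "ip":
            # Validate once at parse time; strict=False tolerates host bits set.
            pattern = str(ipaddress.ip_network(pattern, strict=False))
        elif kind == "from":
            pattern = pattern.lower()
        rules.append(StopRule(kind, pattern))
    return rules


def matching_rule(rules, auth_user=None, mail_from=None, client_ip=None) -> Optional[StopRule]:
    """Return the first rule that says this message must be stopped, else None."""
    for rule in rules:
        if rule.kind == "user" and auth_user is not None and auth_user == rule.pattern:
            return rule
        if rule.kind == "from" and mail_from is not None \
                and fnmatch.fnmatchcase(mail_from.lower(), rule.pattern):
            return rule
        if rule.kind == "ip" and client_ip is not None \
                and ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule.pattern):
            return rule
    return None


def accept_submission(rules, auth_user, mail_from, client_ip):
    """Submission-time check: returns (accepted, smtp_reply)."""
    if matching_rule(rules, auth_user, mail_from, client_ip) is None:
        return True, "250 OK"
    return False, "550 5.7.1 Submission blocked by administrator"


# Constructed queue records: what a queue runner sees for each message.
SAMPLE_QUEUE = [
    {"id": "q1", "auth_user": "alice", "mail_from": "alice@example.org", "client_ip": "198.51.100.7"},
    {"id": "q2", "auth_user": "bob",   "mail_from": "bob@example.org",   "client_ip": "198.51.100.8"},
    {"id": "q3", "auth_user": None,    "mail_from": "Promo@Hotmail.com", "client_ip": "198.51.100.9"},
    {"id": "q4", "auth_user": None,    "mail_from": "x@example.net",     "client_ip": "203.0.113.42"},
]


def stalled_queue_ids(rules, queue):
    """IDs of queued messages the runner must skip (not delete) on this pass."""
    return [m["id"] for m in queue
            if matching_rule(rules, m["auth_user"], m["mail_from"], m["client_ip"]) is not None]


if __name__ == "__main__":
    active = parse_control_file(SAMPLE_CONTROL_FILE)
    print("stalled this pass:", stalled_queue_ids(active, SAMPLE_QUEUE))
    print(accept_submission(active, "alice", "alice@example.org", "198.51.100.7"))
```

The queue runner only ever consults `stalled_queue_ids` to decide what to skip; nothing here removes a message, which keeps the stalled mail available for inspection as the post recommends. The `ip` rule kind is the per-IP/per-subnet switch from the parenthetical above, useful where there is no SMTP AUTH identity to key on.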



Last modified: Sun Feb 14 02:14:28 2016