IDS Internal Spammer Rules
Question asked by Ryan Wittenauer - 5/2/2019 at 11:56 AM
Unanswered
Curious how the community implements their internal spammer IDS rules.

Currently we have rules in place that block anyone that sends over 200 messages in under 10 minutes.
It's been helpful at catching compromised accounts that can quickly bog down our system to a standstill with spam. 

Anyone else in the community have a setup that works well for them in that they don't also catch legitimate traffic? 


4 Replies

Michael Replied
We look at 100 in 5 minutes and notify the admin.
Employee Replied
Hi Ryan.  We use 100 within 30 minutes and haven't had a compromised account in years.
Michael Replied
Rod, do you guys Quarantine, Notify, or Block?
Employee Replied
Mike, we just notify.

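Added example, not part of any post in this thread and not the mail server's own rule engine: a per-sender sliding-window counter that replays the same traffic against the three thresholds quoted above, so they can be compared for both catch time and false positives. The sender addresses and the traffic are constructed, and every threshold is assumed to mean "more than N messages inside the window".

```python
from collections import defaultdict, deque

# Thresholds quoted in the thread: (max messages, window in seconds).
RULES = {
    "200 in 10 min": (200, 600),
    "100 in 5 min": (100, 300),
    "100 in 30 min": (100, 1800),
}

def first_trigger(events, limit, window):
    """Return {sender: timestamp} of the first moment each sender has sent
    more than `limit` messages within any `window`-second span.
    `events` is an iterable of (timestamp_seconds, sender), sorted by time."""
    recent = defaultdict(deque)   # sender -> timestamps still inside the window
    fired = {}
    for ts, sender in events:
        q = recent[sender]
        q.append(ts)
        # Drop sends that have aged out of the sliding window.
        while q and q[0] <= ts - window:
            q.popleft()
        if len(q) > limit and sender not in fired:
            fired[sender] = ts
    return fired

def sample_events():
    """Constructed traffic (not real logs) for three hypothetical accounts."""
    events = []
    # Compromised account: 600 messages, one every 2 seconds.
    events += [(i * 2, "compromised@example.test") for i in range(600)]
    # Newsletter sender: 150 messages, one every 10 seconds (25 minutes).
    events += [(i * 10, "newsletter@example.test") for i in range(150)]
    # Ordinary user: 40 messages, one every 90 seconds.
    events += [(i * 90, "user@example.test") for i in range(40)]
    return sorted(events)

def compare_rules(events):
    """Run every rule over the same traffic and report who trips it and when."""
    return {name: first_trigger(events, limit, window)
            for name, (limit, window) in RULES.items()}

if __name__ == "__main__":
    for name, hits in compare_rules(sample_events()).items():
        print(name, hits or "no senders flagged")
```

On this constructed traffic all three rules flag the compromised account, and the 30-minute rule also flags the slow newsletter sender, which fits a notify action better than an automatic block.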