On Mon, 16 Aug 1999, Sweeney, Vince wrote:
> Apart from disabling that users account (which does not stop them just
> creating another), the only way I can think of to easy stop another such
> attack is to somehow limit the # of smtp requests received from a single IP
> address in a given period of time.
>
> If someone can tell me if I can do this with the current exim setup I'd much
> appreciated the help otherwise is this a request for Phil to answer?
The only way you might even approach this is to set queue_only = true so
that all mails accumulate on your queue, and then write your own program
to scan the queue and analyze the messages, and decide which ones you
are prepared to deliver (by calling exim -M). You'd have to write your
own queue-runner process too, which only delivered "approved" messages.
In principle you could use the code in Exim that reads the header file
from the queue (eximon operates like this) but it isn't packaged very
well. Maybe I should work on that so that it is easier to write private
programs to do this kind of thing, though you can of course get at a header
file by running exim -bvh.
Maybe there should be an option in Exim to run a configured
program/script whenever it has received a message, instead of
immediately trying to deliver it.
As for trying to stop this kind of attack - I think it is very
difficult. After all, there are quite legitimate cases of many mails
being sent out in a short time to mailing list subscribers.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
