Autor: Brian Candler Data: Dla: Doug CC: exim-users Temat: Re: [exim] ACL problem
> Does anyone already have an ACL that does this perchance? After say 50 > messages have been received from an "external" host I'd like them to
> see an error such as "Too many messsages for a non trusted host" (off
> the top of my head .. ).
In the general case, where the external host may open a separate SMTP
connection for each message (and therefore they are received by different
exim processes), it's not trivial. You'd need to open a connection to some
sort of database, increment a count for messages received from that host,
and reject the message if the count is too high.
You would also need some way for high counts eventually to expire. For
example, every 60 minutes you could run a job which multiplies all the
values in the database by 0.8, and removes all rows with a count below a
particular threshold.
You may prefer instead to have a process which looks at your exim log files,
and decides to blacklist hosts based on the number of messages received from
a particular host in a particular period. The input to this process could be
syslog UDP packets, and the output would be a .db file listing blacklisted
hosts, which the Exim acl could query. This would give near-real-time
blocking, and a simple enough Exim config.
It depends on what problem you're trying to solve, and I'm afraid I can't
really see what it is. Are you trying to block mail from common sources,
like aol.com and hotmail.com? Because that's what this approach will
probably do. As an anti-spam measure it's unlikely to work well unless you
have a very large number of users on your system, and you'd probably be
better off using a distributed system like DCC.
If a spammer has a network of 1000 bots and uses them to send out a single
message to everyone on her list, you would need to have 50,000 users on your
system to stand a chance of receiving 50 copies from the same IP address
(and of course, those first 50 copies would be accepted anyway).