Re: [exim] Use spamGuard with Exim

On Wed, 11 May 2005 torsten@??? wrote:

> This is brilliant idea. Do you mind if I pipe our Exim mainlog file to
> your terminal so you can spot these users right in time and alert me to
> suspend their accounts?

Ah right. You're not talking about particular known users with a problem,
you are talking about the general case, or the theoretical problem then?

> It basically monitors the log file every five minutes and counts how many
> emails a user has sent. If this goes over a certain threshold (say 20
> emails in a five minute interval) that user will end up a on throttling
> list meaning any further emails will be delayed.
...

Try searching the archives for "rate limiting" or similar phrases, as this
has been discussed before. (I should do the same, since I have been
pondering a similar question recently).

I'm guessing that spamguard processes the logs of these other MTAs and
keeps a track of sending IPs over time and other data. It shouldn't be
too hard to write it to parse exim mainlog as well. Alternatively, maybe
you could pre-process an exim log file to make it look substantially
(enough) like the format of one of the other programs' logs.

> If he hits the next threshold the user will get temporarily suspended
> and the admin alerted via email to take care. Which usually means: Talk
> to the user, find out if this is due a virus infection or if the user
> really is a bad guy.

Would the user admit to being a bad guy? Also, educate your users not to
save their password in their mail client, type it in when it starts up.
That will probably alleviate some of the problem.

> The rationale is: A spammer will have a hard time sending more than a
> couple of dozends of mails before we will automatically be stopped, and
> this without any human intervention.
>
> On the other hand, hardly any "normal" user will have to send more then 20
> mails every five minutes, will he? For mailing lists and special users
> there is a whitelist of priviledged accounts which do not fall under this
> limits.

What happens when one of those privileged accounts is the one being
compromised/become a bad guy? I can well imagine that more people than
you might imagine like to send a message to a whole bunch of folks.

As the esteemed Alan Flavell will point out, dealing with spammer tactics
is an arms race. Whatever arbitrary limit gets recommended as a
threshold, the spammers will probably adjust to it in time. Given the
numbers of computers a trojan or worm working under a particular
spamgang's direction can compromise, it actually doesn't need very many
emails over a given amount of time from any particular machine to send a
lot of mail as a whole. The slower they do it, and to fewer recipients,
for each machine, the less likely it is you'll spot them. Meanwhile,
adjusting thresholds to try to catch them means inconveniencing more
people as you approach the sorts of numbers and frequencies that typical
email users use.

Not that that means you shouldn't try, though.

You are, of course, virus-checking mail these machines are sending to at
least limit further propagation of nasties by that method?

Forgive me, this is my cantankerous day for the week.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK