>> Try searching the archives for "rate limiting" or similar phrases, as
this has been discussed before. (I should do the same, since I have
been pondering a similar question recently).
This has been the kind of hint that I was looking for. Thx.
>> I'm guessing that spamguard processes the logs of these other MTAs and
keeps a track of sending IPs over time and other data.
It tracks sender's email addresses. We work from the assumption that you
need to authorize properly to be allowed to send mail. But this is
independent of IP address.
>> It shouldn't be
>> too hard to write it to parse exim mainlog as well. Alternatively,
maybe you could pre-process an exim log file to make it look
>> substantially (enough) like the format of one of the other programs' logs.
In theory not, but
- I don't know the other MTAs formats, so I'd have to study them
- I don't know the spamGuard source code (yet)
- I was hoping someone has either done that or it wasn't necessary because
Exim was using the same format as sendmail / qmail / postfix.
Regards,
Torsten
> On Wed, 11 May 2005 torsten@??? wrote:
>
>> This is brilliant idea. Do you mind if I pipe our Exim mainlog file to
your terminal so you can spot these users right in time and alert me to
suspend their accounts?
>
> Ah right. You're not talking about particular known users with a
problem, you are talking about the general case, or the theoretical
problem then?
>
>> It basically monitors the log file every five minutes and counts how many
>> emails a user has sent. If this goes over a certain threshold (say 20
emails in a five minute interval) that user will end up a on throttling
list meaning any further emails will be delayed.
> ...
>
> Try searching the archives for "rate limiting" or similar phrases, as
this has been discussed before. (I should do the same, since I have
been pondering a similar question recently).
>
> I'm guessing that spamguard processes the logs of these other MTAs and
keeps a track of sending IPs over time and other data. It shouldn't be
too hard to write it to parse exim mainlog as well. Alternatively,
maybe you could pre-process an exim log file to make it look
substantially (enough) like the format of one of the other programs'
logs.
>
>> If he hits the next threshold the user will get temporarily suspended
and the admin alerted via email to take care. Which usually means: Talk
to the user, find out if this is due a virus infection or if the user
really is a bad guy.
>
> Would the user admit to being a bad guy? Also, educate your users not
to save their password in their mail client, type it in when it starts
up. That will probably alleviate some of the problem.
>
>> The rationale is: A spammer will have a hard time sending more than a
couple of dozends of mails before we will automatically be stopped, and
this without any human intervention.
>>
>> On the other hand, hardly any "normal" user will have to send more then 20
>> mails every five minutes, will he? For mailing lists and special users
there is a whitelist of priviledged accounts which do not fall under
this
>> limits.
>
> What happens when one of those privileged accounts is the one being
compromised/become a bad guy? I can well imagine that more people than
you might imagine like to send a message to a whole bunch of folks.
>
> As the esteemed Alan Flavell will point out, dealing with spammer
tactics is an arms race. Whatever arbitrary limit gets recommended as a
threshold, the spammers will probably adjust to it in time. Given the
numbers of computers a trojan or worm working under a particular
spamgang's direction can compromise, it actually doesn't need very many
emails over a given amount of time from any particular machine to send a
lot of mail as a whole. The slower they do it, and to fewer recipients,
for each machine, the less likely it is you'll spot them. Meanwhile,
adjusting thresholds to try to catch them means inconveniencing more
people as you approach the sorts of numbers and frequencies that typical
email users use.
>
> Not that that means you shouldn't try, though.
>
> You are, of course, virus-checking mail these machines are sending to at
least limit further propagation of nasties by that method?
>
> Forgive me, this is my cantankerous day for the week.
>
> Jethro.
>
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks
> Computing Officer, IT Services
> University Of Strathclyde, Glasgow, UK
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users ##
Exim details at
http://www.exim.org/
> ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
>
