Author: Peter Bowyer
Date:
To: exim-users
CC: dot
Subject: Re: [exim] exim allowed someone to slam my mail server for 3 hours

On 28/06/05, Tony Finch <dot@???> wrote:
> On Mon, 27 Jun 2005, Peter Bowyer wrote:
> >
> > My next enhancement is to count invalid recipients across connections
> > from a single IP, and DNSBL the connecting IP once it reaches a
> > threshold.
>
> You could use the ratelimit feature in 4.52 to do this.

I've looked at doc/NewStuff in the 4.52 snapshot, there's lots of good
things there, and notably, lots contributed by developers other than
'PH' - which has to be healthy (meant in a constructive way, of
course....). Thanks to all involved.

If I were only dealing with a single server I can see how I could use
the new ratelimit features, but my situation requires monitoring of
client behaviour and application of controls across a group of
geographically-separate servers. We've observed that dictionary spams
are agile across all the MXs for a domain, presumably in an attempt to
avoid tripping ratelimit-style controls, so we need to aggregate
behaviour from a single client across all the MXs.

I'm sure the ratelimit stuff can help do some of the detection work,
though... I'll have a decent look at it.
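
The cross-MX aggregation discussed in this message, as an added example (not part of the original post and not Exim's own code): it pools invalid-recipient rejections from several MX logs, flags client IPs that reach a threshold within a sliding window, and builds the reversed-octet names a DNSBL zone would carry. The log lines are constructed in the style of Exim main-log rejections; the MX names, the "Unknown user" text, the threshold, the window and the zone `dnsbl.example.invalid` are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data modelled on Exim main-log RCPT rejections.
# Hosts, addresses and the "Unknown user" text are assumptions.
def sample(ts, ip, rcpt):
    return (f"2005-06-28 {ts} H=(helo) [{ip}] F=<x@sender.example> "
            f"rejected RCPT <{rcpt}@d.example>: Unknown user")

LOGS = {
    "mx1": [sample("10:00:01", "192.0.2.10", "aaron"),
            sample("10:00:05", "192.0.2.10", "abby"),
            sample("10:01:00", "198.51.100.7", "typo")],
    "mx2": [sample("10:00:09", "192.0.2.10", "adam"),
            sample("10:00:12", "192.0.2.10", "alan")],
    "mx3": [sample("10:00:20", "192.0.2.10", "alex"),
            sample("10:00:31", "192.0.2.10", "amy")],
}

REJECT = re.compile(
    r"^(\S+ \S+) .*\[(\d+\.\d+\.\d+\.\d+)\].* rejected RCPT <[^>]*>: Unknown user")

def parse(logs):
    """Yield (mx, time, client_ip) for every invalid-recipient rejection."""
    for mx, lines in logs.items():
        for line in lines:
            m = REJECT.match(line)
            if m:
                ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
                yield mx, ts, m.group(2)

def offenders(events, threshold, window):
    """Return IPs with >= threshold rejections inside any sliding window."""
    times = defaultdict(list)
    for _mx, ts, ip in events:
        times[ip].append(ts)
    hit = set()
    for ip, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                hit.add(ip)
                break
    return hit

def dnsbl_names(ips, zone="dnsbl.example.invalid"):
    """Reversed-octet owner names, the form DNSBL lookups query."""
    return sorted(".".join(reversed(ip.split("."))) + "." + zone for ip in ips)
```

With this data no single MX logs more than two rejections from 192.0.2.10, so `offenders(parse({mx: lines}), 5, timedelta(minutes=5))` is empty for each MX on its own, while the pooled `offenders(parse(LOGS), 5, timedelta(minutes=5))` flags it.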