Re: [exim] Wondering if this is possible?

Author: Mike Cardwell
Date:  
To: Exim Users List
Subject: Re: [exim] Wondering if this is possible?
lists@??? wrote:

> It appears I have someone exploiting a form on a client's website. The
> problem is the site is massive and they have multiple forms. The email
> also appears to be valid as email is being sent to it. I can get the
> message id numbers but since they are delivered I can't view them because
> nothing is stored in /var/spool/exim/msglog or /var/spool/exim/input.
>
> What I want to do is if mail is being _sent_ to that address I want it
> deferred in some way or even aliased over so I can see what form or forms
> are being exploited.
>
> Anyone know if this is possible?


Can you not just link up the times of the log entries in the mainlog
against your web server logs?

You could freeze the messages in the queue by updating your notsmtp acl
with:

If you want to cause a message to stay in the mail queue rather than
being delivered, you could freeze it with:

accept condition = Whatever your condition is
       control   = freeze


If the mail is arriving by a CGI calling the executable directly, you
want this in a notsmtp ACL. Otherwise it should be in any one of the
other ACLs. You could always stick it in both.

You want to look into ratelimit for limiting how many emails your users
can send per hour. This is brilliant for flagging up sites that are
being abused to spam. If you're using Apache, ModSecurity has some
brilliant rules for preventing generic attacks for spamming through forms.

Mike
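
The first suggestion above, matching mainlog timestamps against the web server log, as an added sketch that is not part of the original message. The log lines, addresses and paths are constructed samples, and the code assumes Exim's default mainlog timestamp, Apache's common log format and both logs in the same timezone.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample data (not taken from the thread).
EXIM_MAINLOG = """\
2024-03-14 10:15:02 1FJ3Xy-0001Ab-2C <= apache@web01.example U=apache P=local S=1432
2024-03-14 10:15:03 1FJ3Xy-0001Ab-2C => target@example.net R=dnslookup T=remote_smtp
2024-03-14 10:20:40 1FJ3dQ-0001Bq-7K <= apache@web01.example U=apache P=local S=901
2024-03-14 10:20:41 1FJ3dQ-0001Bq-7K => staff@example.org R=dnslookup T=remote_smtp
2024-03-14 10:31:17 1FJ3nh-0001Cz-9X <= apache@web01.example U=apache P=local S=1440
2024-03-14 10:31:18 1FJ3nh-0001Cz-9X => target@example.net R=dnslookup T=remote_smtp
"""
APACHE_ACCESS = """\
198.51.100.9 - - [14/Mar/2024:10:15:01 +0000] "POST /forms/tellafriend.php HTTP/1.1" 200 312
203.0.113.4 - - [14/Mar/2024:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.4 - - [14/Mar/2024:10:20:40 +0000] "POST /contact.php HTTP/1.1" 200 298
198.51.100.9 - - [14/Mar/2024:10:31:16 +0000] "POST /forms/tellafriend.php HTTP/1.1" 200 312
"""

# timestamp, message id, direction flag (<= arrival, => / -> delivery), address
EXIM_RE = re.compile(r"^(\S+ \S+) (\w+-\w+-\w+) (<=|=>|->) (\S+)", re.M)
# client IP, timestamp, URL of POST requests only
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]\n]+)\] "POST (\S+)', re.M)

def suspect_forms(mainlog, access_log, recipient, window=5):
    """Count (url, client_ip) POSTs seen up to `window` seconds before the
    arrival of each message that was delivered to `recipient`."""
    arrived, wanted = {}, set()
    for ts, msgid, flag, addr in EXIM_RE.findall(mainlog):
        if flag == "<=":
            arrived[msgid] = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        elif addr.lower() == recipient.lower():
            wanted.add(msgid)
    posts = []
    for ip, ts, url in APACHE_RE.findall(access_log):
        # Assumption: same timezone in both logs, so the offset is dropped.
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        posts.append((t, ip, url))
    hits = Counter()
    for msgid in wanted.intersection(arrived):
        for t, ip, url in posts:
            if 0 <= (arrived[msgid] - t).total_seconds() <= window:
                hits[url, ip] += 1
    return hits

if __name__ == "__main__":
    for (url, ip), n in suspect_forms(EXIM_MAINLOG, APACHE_ACCESS, "target@example.net").most_common():
        print(f"{n:3d}  {url}  from {ip}")
```

A form that shows up for every message to the address is the one to inspect first; on a busy site, narrow the window or compare only POST requests.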