Environment: Exim 4.69 on RedHat Enterprise Linux 4
I am trying to set up rate limiting for the exact same reason
Tony Finch described in his paper proposing adding it to Exim:
compromised internal accounts are being used to send out
thousands of spams and I need to slow them down enough to make
it not worth their while. So I added a deny stanza in the
acl_smtp_rcpt ACL with the following ratelimit:
ratelimit = 1000 / 4h / per_rcpt / leaky / $authenticated_id
This seems to do the job, but I am concerned about how it works
when legitimate users send mail to multiple recipients.
The above config increments a sender's rate by one per recipient
whether the mail is actually sent or not. For example, if a
user has already sent mail to 910 recipients and now wants to
send a note to 100 more, the first 90 will be accepted, running
his rate up to 1000 and then the message will be rejected. His
rate is now set at 1000 even though those last 90 were not
actually sent. If he waits a while before trying again, but not
quite long enough for the rate to drop below 900, it will get
run up to 1000 again and his mail will still not be sent. I can
see where this would be a bit frustrating.
What I would like to be able to do is set a ratelimit like the
above, in the smtp_data or better yet, the smtp_predata ACL and
have it check whether the current rate plus the number of recipients
in the current message ($recipients_count) puts you over the limit.
With the leaky option set it should not update the database unless
you are under the limit and presumably the message will be sent.
This sounds similar to what is described in the docs when using the
per_rcpt option in the not_smtp ACL.
I am not able to tell from the docs whether what I have described
would work or not, since there isn't much detail on what effect the
various options have when used in various ACLs. I checked the wiki
and didn't find anything useful on ratelimiting, so I am hoping many
of you will have set up ratelimiting to block outgoing spam and can
tell me the best ways to do it.
I thank you in advance for any help
Russ
--
Russell D. Wilton E Mail: WILTON@???
Info Tech Systems Analyst Voice: (403) 329-2525
University of Lethbridge FAX: (403) 382-7108
4401 University Drive Lethbridge, Alberta, CANADA T1K 3M4
