Re: [exim] Delaying messages for 5 minutes?

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Lena
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] Delaying messages for 5 minutes?
> From: Marc Perkel

> I've been working on outbound filtering and trying to come up with a new
> set of tricks. Outbound filtering is very different than inbound.
>
> Here's the situation. An ISP has thousands of email users and some have
> used week passwords or otherwise been suckered into giving up the
> password. The spammer get access and starts sending spam at the rate of
> thousands per minute.
>
> I can detect the increase in the speed of sending rather quickly but it
> might take say - 5 minutes - to determine if it's a spammer of someone
> with a big email list sending legitimate email - and get that
> information to my servers. During the 5 minutes the spammer would be
> able to send thousands of spams before being shut down.


Another solution is based on the fact that many or most of email addresses
the spammer sends to don't exist. The idea was posted to this list.
My implementation:

LIM = 100
PERIOD = 1h
WARNTO = abuse@???
EXIMBINARY = /usr/local/sbin/exim -f root
SHELL = /bin/sh
untrusted_set_sender = *
local_from_check = false
...
begin acl
acl_check_rcpt:
...
  accept hosts = !@[] : +relay_from_hosts
        set acl_m_user = $sender_host_address
                         # or an userid from RADIUS
        condition = ${if exists{$spool_directory/blocked_relay_users}}
        condition = ${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_relay_users}{1}{0}}
        control = freeze/no_tell
        add_header = X-Relayed-From: $acl_m_user


  accept hosts = !@[] : +relay_from_hosts
        !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
        ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
        continue = ${run{SHELL -c "echo $acl_m_user \
           >>$spool_directory/blocked_relay_users; \
           \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
           because has sent mail to LIM invalid recipients during PERIOD.; \
           \N}\N | EXIMBINARY WARNTO"}}
        control = freeze/no_tell
        add_header = X-Relayed-From: $acl_m_user


  accept  hosts         = +relay_from_hosts
          control       = submission/domain=


  accept authenticated = *
        set acl_m_user = $authenticated_id
# in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
        condition = ${if exists{$spool_directory/blocked_authenticated_users}}
        condition = ${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_authenticated_users}{1}{0}}
        control = freeze/no_tell
        add_header = X-Authenticated-As: $acl_m_user


  accept authenticated = *
        !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
        ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
        continue = ${run{SHELL -c "echo $acl_m_user \
           >>$spool_directory/blocked_authenticated_users; \
           \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
           has sent mail to LIM invalid recipients during PERIOD.; \
           \N}\N | EXIMBINARY WARNTO"}}
        control = freeze/no_tell
        add_header = X-Authenticated-As: $acl_m_user


  accept authenticated = *
        control = submission/domain=