Re: [exim] Delaying messages for 5 minutes?

Author: Marc Perkel
Date:  
To: exim-users
Subject: Re: [exim] Delaying messages for 5 minutes?
Thank you - that's very educational.

But it looks like 1/2 the solution unless I'm missing something. How do
the messages get unfrozen?

What I want to do is freeze the messages if the inbound rate is high
because I don't know if they are good or not. Then after 5 minutes when
I know they are good I want to release them. Or if they are bad I want
to discard them. And I would have to unfreeze them by the sender because
I might be dealing with more than one account that was hacked.

On 4/10/2011 4:26 AM, Lena@??? wrote:
>> From: Marc Perkel
>> I've been working on outbound filtering and trying to come up with a new
>> set of tricks. Outbound filtering is very different than inbound.
>>
>> Here's the situation. An ISP has thousands of email users and some have
>> used weak passwords or otherwise been suckered into giving up the
>> password. The spammer gets access and starts sending spam at the rate of
>> thousands per minute.
>>
>> I can detect the increase in the speed of sending rather quickly but it
>> might take say - 5 minutes - to determine if it's a spammer or someone
>> with a big email list sending legitimate email - and get that
>> information to my servers. During the 5 minutes the spammer would be
>> able to send thousands of spams before being shut down.
> Another solution is based on the fact that many or most of the email addresses
> the spammer sends to don't exist. The idea was posted to this list.
> My implementation:
>
> LIM = 100
> PERIOD = 1h
> WARNTO = abuse@???
> EXIMBINARY = /usr/local/sbin/exim -f root
> SHELL = /bin/sh
> untrusted_set_sender = *
> local_from_check = false
> ...
> begin acl
> acl_check_rcpt:
> ...
>    accept hosts = !@[] : +relay_from_hosts
>          set acl_m_user = $sender_host_address
>                           # or a userid from RADIUS
>          condition = ${if exists{$spool_directory/blocked_relay_users}}
>          condition = ${lookup{$acl_m_user}lsearch\
>                      {$spool_directory/blocked_relay_users}{1}{0}}
>          control = freeze/no_tell
>          add_header = X-Relayed-From: $acl_m_user
>
>    accept hosts = !@[] : +relay_from_hosts
>          !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
>          ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
>          continue = ${run{SHELL -c "echo $acl_m_user \
>             >>$spool_directory/blocked_relay_users; \
>             \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
>             because has sent mail to LIM invalid recipients during PERIOD.; \
>             \N}\N | EXIMBINARY WARNTO"}}
>          control = freeze/no_tell
>          add_header = X-Relayed-From: $acl_m_user
>
>    accept  hosts         = +relay_from_hosts
>            control       = submission/domain=
>
>    accept authenticated = *
>          set acl_m_user = $authenticated_id
> # in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
>          condition = ${if exists{$spool_directory/blocked_authenticated_users}}
>          condition = ${lookup{$acl_m_user}lsearch\
>                      {$spool_directory/blocked_authenticated_users}{1}{0}}
>          control = freeze/no_tell
>          add_header = X-Authenticated-As: $acl_m_user
>
>    accept authenticated = *
>          !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
>          ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
>          continue = ${run{SHELL -c "echo $acl_m_user \
>             >>$spool_directory/blocked_authenticated_users; \
>             \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
>             has sent mail to LIM invalid recipients during PERIOD.; \
>             \N}\N | EXIMBINARY WARNTO"}}
>          control = freeze/no_tell
>          add_header = X-Authenticated-As: $acl_m_user
>
>    accept authenticated = *
>          control = submission/domain=

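The quoted ACL freezes messages with `control = freeze/no_tell` but, as the reply above notes, says nothing about releasing them. The script below is an added example (not part of this thread or of Lena's configuration) showing the second half of the workflow: it parses the queue listing that `exim -bp` prints, picks out the frozen messages of one envelope sender, and either thaws them with `exim -Mt` once the account is judged clean or removes them with `exim -Mrm` when it is confirmed compromised. The `SAMPLE_QUEUE` listing, the message ids and the addresses in it are constructed for the example; `EXIM` and the function names are the example's own.

```shell
#!/bin/sh
# Added example: release or discard the frozen queue entries of one account.
# Assumes the envelope sender identifies the account and that an Exim
# binary is reachable as $EXIM. `exim -bp` prints one header line per message:
#   <age> <size> <message-id> <envelope-sender> [*** frozen ***]
# followed by indented recipient lines and a blank line.

EXIM=${EXIM:-exim}   # set EXIM='echo exim' for a dry run

# Constructed `exim -bp` listing for demonstration (ids and addresses invented).
SAMPLE_QUEUE='25m  1.2K 1Q8xYz-0001Ab-Cd <alice@example.net> *** frozen ***
          bob@example.org

 3h  4.5K 1Q8xAb-0002Cd-Ef <alice@example.net> *** frozen ***
          carol@example.org
          dave@example.org

12m   800 1Q8xQq-0003Gh-Ij <alice@example.net>
          erin@example.org

 5m  2.0K 1Q8xRr-0004Kl-Mn <mallory@example.net> *** frozen ***
          frank@example.org
'

# frozen_ids LISTING SENDER
# Print the ids of the frozen messages in LISTING whose envelope sender is SENDER.
frozen_ids() {
    printf '%s\n' "$1" | awk -v sender="<$2>" '
        # header lines carry a message id (xxxxxx-xxxxxx-xx) in field 3;
        # recipient lines have no third field, so they never match
        $3 ~ /^[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+$/ &&
            $4 == sender && index($0, "*** frozen ***") > 0 { print $3 }'
}

# act_on_frozen thaw|discard LISTING SENDER
#   thaw    -> exim -Mt  <id>   (message re-enters normal delivery)
#   discard -> exim -Mrm <id>   (message is removed from the queue)
act_on_frozen() {
    action=$1
    listing=$2
    sender=$3
    case $action in
        thaw)    flag=-Mt ;;
        discard) flag=-Mrm ;;
        *) echo "usage: act_on_frozen thaw|discard LISTING SENDER" >&2; return 2 ;;
    esac
    frozen_ids "$listing" "$sender" | while read -r id; do
        $EXIM $flag "$id"
    done
}

# Command-line use against the live queue:
#   ./thaw-by-sender.sh thaw user@example.net      (account judged clean)
#   ./thaw-by-sender.sh discard user@example.net   (account confirmed hacked)
if [ $# -eq 2 ]; then
    act_on_frozen "$1" "$($EXIM -bp)" "$2"
fi
```

Thawing and removing queue entries needs Exim admin privileges, so this runs as root or an admin user. Matching on the envelope sender is enough when authenticated users send from their own address; the quoted ACL also stamps `X-Authenticated-As` / `X-Relayed-From` on each message, and keying on that header (read per message with `exim -Mvh`) is the more reliable choice for the relay-host case, where the envelope sender is not the account. Running the thaw only after the five-minute verdict, and the discard only on a confirmed compromise, keeps legitimate bulk senders from losing mail.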