Thank you - that's very educational.
But it looks like 1/2 the solution unless I'm missing something. How do
the messages get unfrozen?
What I want to do is freeze the messages if the inbound rate is high
because I don't know if they are good or not. Then after 5 minutes when
I know they are good I want to release them. Or if they are bad I want
to discard them. And I would have to unfreeze them by the sender because
I might be dealing with more than one account that was hacked.
On 4/10/2011 4:26 AM, Lena@??? wrote:
>> From: Marc Perkel
>> I've been working on outbound filtering and trying to come up with a new
>> set of tricks. Outbound filtering is very different than inbound.
>>
>> Here's the situation. An ISP has thousands of email users and some have
>> used weak passwords or otherwise been suckered into giving up the
>> password. The spammer gets access and starts sending spam at the rate of
>> thousands per minute.
>>
>> I can detect the increase in the speed of sending rather quickly but it
>> might take say - 5 minutes - to determine if it's a spammer or someone
>> with a big email list sending legitimate email - and get that
>> information to my servers. During the 5 minutes the spammer would be
>> able to send thousands of spams before being shut down.
> Another solution is based on the fact that many or most of email addresses
> the spammer sends to don't exist. The idea was posted to this list.
> My implementation:
>
> LIM = 100
> PERIOD = 1h
> WARNTO = abuse@???
> EXIMBINARY = /usr/local/sbin/exim -f root
> SHELL = /bin/sh
> untrusted_set_sender = *
> local_from_check = false
> ...
> begin acl
> acl_check_rcpt:
> ...
>   accept hosts = !@[] : +relay_from_hosts
>          set acl_m_user = $sender_host_address
>          # or a userid from RADIUS
>          condition = ${if exists{$spool_directory/blocked_relay_users}}
>          condition = ${lookup{$acl_m_user}lsearch\
>                        {$spool_directory/blocked_relay_users}{1}{0}}
>          control = freeze/no_tell
>          add_header = X-Relayed-From: $acl_m_user
>
>   accept hosts = !@[] : +relay_from_hosts
>          !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
>          ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
>          continue = ${run{SHELL -c "echo $acl_m_user \
>                        >>$spool_directory/blocked_relay_users; \
>                        \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
>                        because has sent mail to LIM invalid recipients during PERIOD.; \
>                        \N}\N | EXIMBINARY WARNTO"}}
>          control = freeze/no_tell
>          add_header = X-Relayed-From: $acl_m_user
>
>   accept hosts = +relay_from_hosts
>          control = submission/domain=
>
>   accept authenticated = *
>          set acl_m_user = $authenticated_id
>          # in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
>          condition = ${if exists{$spool_directory/blocked_authenticated_users}}
>          condition = ${lookup{$acl_m_user}lsearch\
>                        {$spool_directory/blocked_authenticated_users}{1}{0}}
>          control = freeze/no_tell
>          add_header = X-Authenticated-As: $acl_m_user
>
>   accept authenticated = *
>          !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
>          ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
>          continue = ${run{SHELL -c "echo $acl_m_user \
>                        >>$spool_directory/blocked_authenticated_users; \
>                        \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
>                        has sent mail to LIM invalid recipients during PERIOD.; \
>                        \N}\N | EXIMBINARY WARNTO"}}
>          control = freeze/no_tell
>          add_header = X-Authenticated-As: $acl_m_user
>
>   accept authenticated = *
>          control = submission/domain=
>
>
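The release side that Marc asks about, as an added example that is not part of the thread or of Lena's configuration: the ACL above stamps every frozen message with X-Authenticated-As or X-Relayed-From, so the frozen queue can be filtered by that header and thawed or removed per account, and the account taken off the block-list file again. The function names and the constructed header dump are mine; the block assumes a stock Exim install where exiqgrep and exim -Mvh / -Mt / -Mrm are available.

```shell
#!/bin/sh
# Added example (not from the thread): release side of the freezing ACL.
# Finds frozen messages stamped with a given X-Authenticated-As or
# X-Relayed-From value, lists/thaws/removes them per account, and takes
# the account off the block-list file. Assumes a stock Exim install.

# Extract the tagged user from a spool header dump as printed by 'exim -Mvh ID'.
# Header lines in the -H spool file carry a length/flag prefix, so match anywhere.
tagged_user() {
  printf '%s\n' "$1" | awk '
    /X-Authenticated-As:|X-Relayed-From:/ {
      sub(/.*X-(Authenticated-As|Relayed-From): */, "")
      print; exit
    }'
}

# Walk the frozen queue (exiqgrep -z -i prints frozen message ids only) and
# apply ACTION to every message tagged with USER: list (default), thaw or remove.
act_on_frozen() {
  user=$1; action=${2:-list}
  exiqgrep -z -i | while read -r id; do
    hdrs=$(exim -Mvh "$id" 2>/dev/null) || continue
    [ "$(tagged_user "$hdrs")" = "$user" ] || continue
    case $action in
      thaw)   exim -Mt  "$id" ;;    # release for delivery (judged good)
      remove) exim -Mrm "$id" ;;    # discard (judged bad)
      *)      echo "$id" ;;
    esac
  done
}

# Remove USER from the block-list FILE the ACL appends to, e.g.
# "$(exim -bP spool_directory | sed 's/.*= //')/blocked_authenticated_users";
# without this, new mail from the thawed account is frozen again at once.
unblock_user() {
  user=$1; file=$2
  tmp=$file.tmp.$$
  awk -v u="$user" '$0 != u' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed, abbreviated 'exim -Mvh' output for a stand-alone dry run.
SAMPLE_HDRS='1SAMPL-000001-AB-H
bob@example.org 1000 1000
<bob@example.org>
1302410000 0
039  X-Authenticated-As: bob@example.org
024  Subject: hello world'

echo "tagged user in sample: $(tagged_user "$SAMPLE_HDRS")"
```

Run as `act_on_frozen bob@example.org` first to review the ids, then `act_on_frozen bob@example.org thaw` (or `remove`) followed by `unblock_user`.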