On Sun, 2011-04-10 at 07:18 -0700, Marc Perkel wrote:
> But it looks like 1/2 the solution unless I'm missing something. How do
> the messages get unfrozen?

We do something similar on outgoing messages to catch compromised email
accounts:

1. Track rates of $sender_address using Exim's built-in ratelimit code
   at the RCPT stage.
2. When a threshold is reached, use "control = freeze" on the messages
   from $sender_address.
3. Notify the admins that $sender_address needs looking at.

We then manually inspect the message flow, starting with recipient
addresses, then subjects, to determine whether the flow is valid.
If it is, we use "exim -Mt" on all affected messages from
$sender_address; if it isn't, we investigate further to see if the
account is being abused. Further action following that part is out of
Exim's scope.

It's not a good idea to automate the check stage, but the unfreezing bit
could be done via a cron job which reads from a database table rather
than from the shell.
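The "unfreezing bit" described above, written out as an added example that is not part of this thread: a small POSIX shell helper that takes the output of `exim -bp`, picks out the frozen messages whose envelope sender is an address an admin has already approved, and thaws them with `exim -Mt`. It assumes the approval source is a plain text file of sender addresses (a stand-in for the database table the post mentions), that `EXIM_BIN` points at the exim binary, and that `exim -bp` prints one header line per message of the form `<age> <size> <message-id> <envelope-sender> [*** frozen ***]` followed by indented recipient lines. The queue listing embedded below is constructed sample data, not real queue output.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: thaw frozen queue messages
# for senders an admin has approved after the manual inspection step.
#
# Assumptions: EXIM_BIN is the exim binary; DRY_RUN=1 (default) only reports
# which message IDs would be thawed; the approved-sender list is a text file
# with one envelope sender address per line (stand-in for a database table).

EXIM_BIN="${EXIM_BIN:-exim}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of `exim -bp` output used for offline testing.
# Frozen messages carry the "*** frozen ***" marker on their header line.
SAMPLE_QUEUE='25m  1.2K 1RLVNl-0007DC-Qo <alice@example.com> *** frozen ***
          bob@example.org

 3h   12K 1RLVPl-0007Dj-A1 <alice@example.com>
          carol@example.net

12m  3.4K 1RLVQx-0007E2-Tz <mallory@example.com> *** frozen ***
          dave@example.org
          erin@example.org

 5m   800 1RLVRa-0007E9-B3 <alice@example.com> *** frozen ***
          frank@example.org'

# Print, one per line, the IDs of frozen messages whose envelope sender
# equals $2, reading a queue listing (text of `exim -bp`) from $1.
# Header lines have at least four fields with the message ID in field 3
# (three dash-separated groups) and "<sender>" in field 4; recipient lines
# never match that shape, so no reliance on indentation is needed.
frozen_ids_for_sender() {
    queue_listing="$1"
    sender="$2"
    printf '%s\n' "$queue_listing" | awk -v want="<$sender>" '
        NF >= 4 &&
        $3 ~ /^[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+$/ &&
        $4 == want &&
        index($0, "*** frozen ***") > 0 { print $3 }
    '
}

# Thaw every frozen message from sender $2 found in listing $1.
# Prints each thawed (or, in dry-run mode, would-be-thawed) message ID.
thaw_from_listing() {
    listing="$1"
    sender="$2"
    for id in $(frozen_ids_for_sender "$listing" "$sender"); do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$id"
        else
            # exim -Mt thaws the message; only report IDs it accepted
            "$EXIM_BIN" -Mt "$id" && echo "$id"
        fi
    done
}

# Cron entry point: read approved senders from file $1 and thaw their
# frozen messages from the live queue. Not called at load time so the
# helpers can be exercised without an exim binary present.
thaw_approved() {
    approved_file="$1"
    live_listing="$("$EXIM_BIN" -bp)"
    while IFS= read -r approved_sender; do
        [ -n "$approved_sender" ] || continue
        thaw_from_listing "$live_listing" "$approved_sender"
    done < "$approved_file"
}
```

Run it from cron as `DRY_RUN=0 sh thaw.sh` with a final line that calls `thaw_approved /path/to/approved-senders` (path is a placeholder); with the default `DRY_RUN=1` it only lists the IDs it would thaw, which is a useful first pass before trusting the job unattended.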