Re: [exim] Notification of ratelimits being exceeded?

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Notification of ratelimits being exceeded?
Jeremy Harris wrote:
> On 2011-09-26 21:00, Caines, Max wrote:
>> Hi
>>
>> We're running rate-limiting based on sender address, which has been
>> very effective in reducing the consequences of compromised accounts.
>> Until now, I've been relying on some code on a server that's archiving
>> Exim logs to recognise the blocking message, and email us once per
>> sender, but it's not very reliable. Really I'd like to get Exim to
>> send a notification when someone crosses the threshold for the first
>> time in, say, a 24-hour period, but I can't see a way to do it. The
>> rate-limiting's via an ACL, and I don't have Perl embedded, and don't
>> really have the memory to do so. Anyone got any ideas?
>
> In the over-limit situation, using a second ratelimit to avoid doing it
> too often, use ${run ....}
> to send your warning mail.


IF you set a flag in an acl_m variable at the point of detection...

(optionally a 'count' or 'time since' value, not just binary..)

AND add an 'unseen' router chained to whatever else is already being
done (temp reject?) that tests said acl_m variable..

THEN that router can perform whatever notification or file-writes it is
told to do.

ELSE not progressing as far as the router, while within the acl, do a
log_message to the panic log instead of main or reject. Ordinarily the
paniclog will be MUCH less verbose - empty, even - hence faster and
easier to parse with your externals, AND more forgiving of being
periodically wiped and started fresh.

ELSEIF using SQL, just INSERT a record to a DB..

We've had 'all of the above' in stable production use for years - just
never with ratelimiting.

HTH,

Bill
--
韓家標
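
The external side of the panic-log approach suggested above, as an added example that is not part of the original thread: it reads panic-log lines and yields one alert per sender per 24-hour window. The `RATELIMIT sender=... rate=...` line text, the `logwrite` line in the comment, and the function name are assumptions made for illustration; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed line shape, as a hypothetical ACL modifier in the over-limit branch
# might write it:  logwrite = :panic: RATELIMIT sender=$sender_address rate=$sender_rate
# The sender is client-supplied, so the pattern is anchored and strict.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"RATELIMIT sender=(?P<sender>[^\s@]+@[^\s@]+) rate=(?P<rate>\d+(?:\.\d+)?)$"
)
WINDOW = timedelta(hours=24)


def first_crossings(lines, window=WINDOW, last_notified=None):
    """Return (timestamp, sender, rate) for the first over-limit line per
    sender in each window; repeats inside the window are suppressed.
    Pass the same last_notified dict on each run to keep state between runs."""
    last_notified = {} if last_notified is None else last_notified
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unrelated panic-log entry or malformed line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        sender = m["sender"].lower()  # fold case so one account is one key
        prev = last_notified.get(sender)
        if prev is None or ts - prev >= window:
            last_notified[sender] = ts
            alerts.append((ts, sender, float(m["rate"])))
    return alerts


# Constructed sample panic-log lines (not real log data).
SAMPLE = [
    "2011-09-26 21:00:05 RATELIMIT sender=alice@example.org rate=120.4",
    "2011-09-26 21:00:09 RATELIMIT sender=alice@example.org rate=121.0",
    "2011-09-26 21:03:41 RATELIMIT sender=bob@example.org rate=101.2",
    "2011-09-26 21:04:00 some unrelated panic entry",
    "2011-09-27 20:59:59 RATELIMIT sender=Alice@example.org rate=105.0",
    "2011-09-27 21:00:05 RATELIMIT sender=alice@example.org rate=130.7",
]

if __name__ == "__main__":
    for ts, sender, rate in first_crossings(SAMPLE):
        print(f"{ts} first over-limit hit in 24h: {sender} (rate {rate})")
```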