Re: [exim] Regarding spaming from the server

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: exim-users
Subject: Re: [exim] Regarding spaming from the server
On 2013-06-29 at 09:45 -0700, Todd Lyons wrote:
> Their outlook is still open on their computer and someone comes by to
> check something in the email. Outlook doesn't seem to be working
> right so they hit the Send/Receive button multiple times. On the exim
> server, the limit for bad user/pass combination gets hit and the ip
> gets added to the blacklist. Now the whole office is blocked from
> sending email.
>
> I'd like to ponder if there is a way to detect that the same incorrect
> password is being sent over and over (indicating a misconfigured
> device) as opposed to random passwords (indicating brute forcing). To


Simpler solution: never implement a blacklist without also implementing
a whitelist.

Cron-job scans logs for successful authentications and adds the source
IPs to a graylist. After a few days of mostly success, IP moves to
whitelist.

Thereafter, one bad actor can't ruin things for everyone else.

Bonus points for auto-generating a "you would have been blacklisted by
anomalous activity from IP X" emails.

-Phil