Author: Phil Pennock Date: To: exim-users Subject: Re: [exim] Regarding spaming from the server
On 2013-06-29 at 09:45 -0700, Todd Lyons wrote: > Their outlook is still open on their computer and someone comes by to
> check something in the email. Outlook doesn't seem to be working
> right so they hit the Send/Receive button multiple times. On the exim
> server, the limit for bad user/pass combination gets hit and the ip
> gets added to the blacklist. Now the whole office is blocked from
> sending email.
>
> I'd like to ponder if there is a way to detect that the same incorrect
> password is being sent over and over (indicating a misconfigured
> device) as opposed to random passwords (indicating brute forcing). To
Simpler solution: never implement a blacklist without also implementing
a whitelist.
Cron-job scans logs for successful authentications and adds the source
IPs to a graylist. After a few days of mostly success, IP moves to
whitelist.
Thereafter, one bad actor can't ruin things for everyone else.
Bonus points for auto-generating a "you would have been blacklisted by
anomalous activity from IP X" emails.