Re: [exim] Kick user - force disconnect authenticated sessio…

Author: Marcin Gryszkalis
Date:  
To: exim-users
Subject: Re: [exim] Kick user - force disconnect authenticated sessions
On 2013-08-14 12:30, Ian Eiloart wrote:
> On 8 Aug 2013, at 15:03, Marcin Gryszkalis <mg@???> wrote:
>
>> Even worse - it looked a bit similar to ssh-dictionary-attack bots:
>> every bot/ip was used to send
>> no more than 1-3 mails.
>
> Interesting. I guess one could limit the number of different IP
> addresses that a sender could use in a given period. I wonder what
> would be a reasonable limit? 3/minute, 10/hour, 25/day? How many
> travellers would get hit by those limits?


Nice idea. For IMAP it would be high (many users use multiple devices to
read mail - several computers, phones, tablets etc.), but
for SMTP the count should be smaller
- some cheap DSLs are switching once per 24/12 hrs
- some free GSM providers are switching IP once per hour

I checked one of the servers (2 weeks from the beginning of August) and the user
with the highest number of distinct IPs has about 80 entries. Your mileage
may vary though; you can check your logs with

grep 'Authenticated:' exim-main-* | perl -MData::Dumper -nle '
  # record each distinct [ip] seen per authenticated user
  m/\[([^\]]*)\].*Authenticated:\s+(\S+)/ or next; $h->{$2}->{$1} = 1;
  END { # print users sorted by number of distinct IPs, ascending
    for my $u (sort { scalar(keys %{$h->{$a}}) <=> scalar(keys %{$h->{$b}}) } keys %$h) {
      print "$u\n", Dumper $h->{$u} } }'

expects exim main log lines with
[1.2.3.4] Warning: Authenticated: user@domain

greetings
--
Marcin Gryszkalis, PGP 0x9F183FA3
jabber jid:mg@???, gg:2532994
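
An added example, not part of the original message: a Python script that replays the same "Authenticated:" log lines against the limits floated in the thread (3/minute, 10/hour, 25/day) and reports which users would exceed each one. It assumes each line starts with the standard Exim timestamp followed by the format quoted above, and treats a limit as exceeded when the distinct-IP count in a sliding window is greater than it; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Limits floated in the thread: max distinct IPs per user within each window.
LIMITS = {"minute": (3, timedelta(minutes=1)),
          "hour": (10, timedelta(hours=1)),
          "day": (25, timedelta(days=1))}

# Assumed shape: "YYYY-MM-DD HH:MM:SS [ip] Warning: Authenticated: user@domain"
LINE = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\[([^\]]+)\].*Authenticated:\s+(\S+)")

def parse(lines):
    """Return (timestamp, user, ip) tuples in time order; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(3), m.group(2)))
    return sorted(events)

def peak_distinct_ips(events, window):
    """Per user, the largest number of distinct IPs seen inside any sliding window."""
    recent = defaultdict(deque)  # user -> (timestamp, ip) pairs still in the window
    peak = defaultdict(int)
    for ts, user, ip in events:
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] >= window:  # drop logins that fell out of the window
            q.popleft()
        peak[user] = max(peak[user], len({i for _, i in q}))
    return dict(peak)

def users_over_limits(lines):
    """Map limit name -> {user: peak count} for users who would be hit by it."""
    events = parse(lines)
    return {name: {u: n for u, n in peak_distinct_ips(events, win).items() if n > limit}
            for name, (limit, win) in LIMITS.items()}

# Constructed sample: a traveller on 2 IPs in a day, and an account used from 4 IPs in 30 s.
SAMPLE = [
    "2013-08-01 09:00:00 [192.0.2.10] Warning: Authenticated: alice@example.org",
    "2013-08-01 18:30:00 [198.51.100.7] Warning: Authenticated: alice@example.org",
] + [f"2013-08-01 12:00:{10 * i:02d} [203.0.113.{i}] Warning: Authenticated: bob@example.org"
     for i in range(1, 5)]

if __name__ == "__main__":
    print(users_over_limits(SAMPLE))
```

Feeding it real log lines instead of SAMPLE shows how many legitimate users each candidate limit would catch before it is enforced.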