On Tue, May 27, 2014 at 07:03:23PM +0100, Paul Warren wrote:
> Does anyone have any suggestions for detecting and blocking, or at least
> limiting the impact of, such attacks?

On the Postfix-users list the answer would be rate-limiting all
users (even the not yet compromised accounts) so that once an
account is compromised the damage is limited and you have time to
disable the account once the appropriate alerts are raised.

Since the problem is not especially MTA-specific, I would look for
a suitable rate limiting capability in Exim that restricts messages
per unit time for a given SASL login.

--
Viktor.
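
An added example, not part of the message above: one way to apply the per-login limit it describes, using Exim's `ratelimit` ACL condition keyed on `$authenticated_id`. The threshold of 200 recipients per hour, the reply text and the `RATELIMIT` log tag are assumptions to be tuned against normal user behaviour.

```exim
# Place in the ACL named by acl_smtp_rcpt, before the statement that
# accepts mail from authenticated senders.
#
# authenticated = *   matches any session that completed SMTP AUTH
# 200 / 1h            assumed limit: 200 recipients per hour per login
# per_rcpt            count each RCPT TO, so one message with many
#                     recipients is charged for all of them
# strict              rejected attempts still count, so an account that
#                     keeps sending stays blocked until it slows down
# $authenticated_id   the rate is tracked per SASL login, not per IP
deny authenticated = *
     ratelimit     = 200 / 1h / per_rcpt / strict / $authenticated_id
     message       = Sending rate limit exceeded for this account
     log_message   = RATELIMIT login=$authenticated_id \
                     rate=$sender_rate/$sender_rate_period \
                     limit=$sender_rate_limit
```

The `log_message` line is written to the main log each time the limit triggers, so log monitoring can alert on the assumed `RATELIMIT` tag and name the login to disable.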