Re: [exim] Rate limit

Author: Chris Siebenmann
Date:  
To: Sujit Acharyya-choudhury
CC: exim-users@exim.org, cks
Subject: Re: [exim] Rate limit
> After receiving a phishing e-mail where the recipient gave away the
> address and password and that resulted in a huge number of e-mails
> coming in and going out, I was wondering whether a rate limit could
> have reduced the damage?


It's extremely likely that a ratelimit on message submission would
limit the damage by limiting how much email the spammer could send out
through you before you detected and cut them off.

> And if that is the case what is the most simple rate limit I should
> apply?


We ratelimit by source in two ways. Our webmail machine has a total
ratelimit (which applies across all senders), and then each single
sender address has a ratelimit (regardless of whether they're using
webmail or direct submission).

You'll have to establish specific ratelimit numbers based on local
conditions. The easy way to do this is establish preliminary ratelimits
that simply delay the submission instead of refusing it, while logging
that they've been triggered; you can then watch your logs to see if any
regular users are running into the limits and either exempt them or
raise the limits.

E.g., in our RCPT ACL:

    warn
        hosts = WEBMAILIP
        domains = !+local_domains
        # In Exim 4.77 or later, this should be 'per_addr' instead of
        # 'per_rcpt'.
        # This ratelimits to 50 recipients every 10 minutes.
        ratelimit = 50 / 10m / per_rcpt
        delay = 10s
        log_message = WEBMAIL RATE LIMIT HIT: $sender_rate / $sender_rate_period max $sender_rate_limit / from $sender_address to $local_part@$domain


Note that, in general, my view is that it's better to use smaller
periods for ratelimits because this reduces the burst rate. '100 / 20m
/ per_rcpt' is the same long term limit as the ratelimit above, but it
would allow a spammer to send to 100 recipients instead of 50 before
triggering this.

(Thus maybe we should be using '25 / 5m' instead of '50 / 10m'.)

    - cks
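The burst-size argument above can be checked numerically. The following is an added example, not code from this thread or from Exim: a small Python model of the exponentially weighted moving average that the Exim spec describes for the ratelimit condition (the exact update rule is an assumption about Exim's implementation), used to compare how many recipients a compromised account can reach in one burst under '50 / 10m', '100 / 20m' and '25 / 5m', and to confirm that all three share the same sustained limit.

```python
# Constructed model (not Exim's source) of the smoothed rate behind Exim's
# ratelimit condition, to compare burst capacity of 'limit / period' settings.
import math


class SmoothedRate:
    """EWMA of events per period, following the update rule in the Exim
    spec: a = exp(-dt/period); rate = count*(1-a)/(dt/period) + a*rate,
    with dt the time since the previous event (rate += count as dt -> 0).
    Assumption: Exim's own implementation matches this up to rounding."""

    def __init__(self, period_seconds: float):
        self.period = period_seconds
        self.rate = 0.0
        self.last = None  # timestamp of the previous event; None = first

    def update(self, now: float, count: int = 1) -> float:
        if self.last is None or now <= self.last:
            self.rate += count  # first event, or a simultaneous burst
        else:
            i_over_p = (now - self.last) / self.period
            a = math.exp(-i_over_p)
            self.rate = count * (1 - a) / i_over_p + a * self.rate
        self.last = now
        return self.rate


def parse_limit(spec: str):
    """'50 / 10m' -> (50.0, 600.0). Period units: s, m, h, d."""
    limit, period = (p.strip() for p in spec.split("/")[:2])
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return float(limit), float(period[:-1]) * units[period[-1]]


def burst_before_trigger(spec: str) -> int:
    """Recipients reachable in one instant before 'rate > limit' first holds."""
    limit, period = parse_limit(spec)
    r, n = SmoothedRate(period), 0
    while r.update(0.0) <= limit:
        n += 1
    return n


def triggers_at_spacing(spec: str, spacing: float, events: int = 1000) -> bool:
    """Does one recipient every `spacing` seconds ever trip the limit?
    At steady spacing the rate converges to period / spacing from below."""
    limit, period = parse_limit(spec)
    r = SmoothedRate(period)
    return any(r.update(i * spacing) > limit for i in range(events))
```

Calling burst_before_trigger on the three settings gives 50, 100 and 25 respectively, while triggers_at_spacing with one recipient every 13 seconds (just under one per 12 seconds) never trips any of them and one every 11 seconds eventually trips all three.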