Chris,
What happens when the machine acts as a gateway and forwards virtually all the mail to other services, i.e. Exchange or external mail? We get mail from various internal machines and then process it accordingly. We don't have any local addresses for the machine.
Sujit
-----Original Message-----
From: Chris Siebenmann [mailto:cks@cs.toronto.edu]
Sent: 01 May 2015 15:53
To: Sujit Acharyya-choudhury
Cc: exim-users@???; cks@???
Subject: Re: [exim] Rate limit
> After receiving a phishing e-mail where the recipient gave away the
> address and password, which resulted in a huge number of e-mails
> coming in and going out, I was wondering whether a rate limit could
> have reduced the damage?
It's extremely likely that a ratelimit on message submission would limit the damage by limiting how much email the spammer could send out through you before you detected and cut them off.
> And if that is the case what is the most simple rate limit I should
> apply?
We ratelimit by source in two ways. Our webmail machine has a total ratelimit (which applies across all senders), and then each single sender address has a ratelimit (regardless of whether they're using webmail or direct submission).
You'll have to establish specific ratelimit numbers based on local conditions. The easy way to do this is to establish preliminary ratelimits that simply delay the submission instead of refusing it, while logging that they've been triggered; you can then watch your logs to see if any regular users are running into the limits and either exempt them or raise the limits.
Eg, in our RCPT ACL:

  warn
    hosts = WEBMAILIP
    domains = !+local_domains
    # In Exim 4.77 or later, this should be 'per_addr' instead of
    # 'per_rcpt'.
    # This ratelimits to 50 recipients every 10 minutes.
    ratelimit = 50 / 10m / per_rcpt
    delay = 10s
    log_message = WEBMAIL RATE LIMIT HIT: $sender_rate / $sender_rate_period max $sender_rate_limit / from $sender_address to $local_part@$domain
Note that, in general, my view is that it's better to use smaller periods for ratelimits because this reduces the burst rate. '100 / 20m / per_rcpt' is the same long-term limit as the ratelimit above, but it would allow a spammer to send to 100 recipients instead of 50 before triggering this.
(Thus maybe we should be using '25 / 5m' instead of '50 / 10m'.)
- cks
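[Editor's added example; this is not from Chris's message or the Exim distribution.] The two-stage setup Chris describes, written out as an Exim configuration fragment: a per-host limit on the webmail box that only delays and logs (the tuning stage), plus a per-sender-address limit keyed on the envelope sender that refuses once an account is well past the limit, so it applies to webmail and authenticated direct submission alike. The macro WEBMAILIP, the named lists ratelimit_exempt_hosts and ratelimit_exempt_senders, the example addresses, and all the numbers are assumptions to be replaced with local values; local_domains is assumed to be the usual named domain list.

```exim
# Added example, not from the thread.  Everything below is a fragment to
# merge into an existing Exim configuration; the lists and numbers are
# placeholders chosen for illustration.

# --- main section: exemptions found by watching the warn-stage logs ---
WEBMAILIP = 192.0.2.10                                   # constructed example IP
hostlist    ratelimit_exempt_hosts   = 192.0.2.20        # e.g. a ticketing system
addresslist ratelimit_exempt_senders = bulk-mailer@example.org

begin acl

acl_check_rcpt:

  # Stage 1 (tuning): total limit for the webmail host, outbound mail
  # only.  'warn' never refuses; it just delays the RCPT and logs so the
  # limit can be compared against real user behaviour.  50 / 10m lets a
  # burst of 50 recipients through before triggering; 25 / 5m is the same
  # long-term rate with half the burst.
  warn    hosts       = WEBMAILIP
          domains     = !+local_domains
          ratelimit   = 50 / 10m / per_rcpt
          delay       = 10s
          log_message = WEBMAIL RATE LIMIT HIT: $sender_rate / $sender_rate_period max $sender_rate_limit / from $sender_address to $local_part@$domain

  # Stage 2 (enforcement): per-sender limit keyed on the envelope sender,
  # so one compromised account is counted whether it submits via webmail
  # (matched by IP) or via authenticated SMTP (matched by authentication).
  # 'strict' keeps counting refused attempts, so the account cannot lower
  # its measured rate simply by retrying; it must stop for a full period.
  deny    hosts       = !+ratelimit_exempt_hosts
          senders     = !+ratelimit_exempt_senders
          domains     = !+local_domains
          condition   = ${if or {{def:authenticated_id}{match_ip{$sender_host_address}{WEBMAILIP}}}}
          ratelimit   = 200 / 1h / per_rcpt / strict / $sender_address
          message     = Sending rate limit exceeded ($sender_rate recipients per $sender_rate_period, max $sender_rate_limit); try again later
          log_message = SENDER RATE LIMIT EXCEEDED: $sender_rate / $sender_rate_period max $sender_rate_limit / from $sender_address to $local_part@$domain

  # ... the rest of the existing RCPT ACL (relay control, recipient
  # verification, final accept) follows unchanged.
```

The two conditions use different keys (the connecting host by default in stage 1, $sender_address in stage 2), so they maintain separate counters in the ratelimit hints database and do not interfere with each other. Keep the deny threshold above anything a legitimate user hit during the warn stage, and grep the log for "RATE LIMIT" while tuning rather than trusting the numbers on first deployment.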