This doesn't directly answer your question but there is a perl script ratelimit.pl in the util directory which will calculate rate limits from exim's log files. I remember using this when we first set up ratelimits.
To quote from http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html
There is a script in util/ratelimit.pl which extracts sending rates from log files, to assist with choosing appropriate settings for m and p when deploying the ratelimit ACL condition. The script prints usage instructions when it is run with no arguments.
To answer your previous question about using ratelimits, yes we do use them on the outbound mail server but ours are used in conjunction with control=freeze. Our experience has been that any setting useful to trap compromised accounts will also trap 'legitimate' usage (and in fact we catch more legitimate usage than compromised). There is a process that notifies the postmasters of frozen messages and one of us then reviews the message(s) and releases if appropriate.
We do have a list of known bulk sender addresses which are exempted from ratelimiting and we also use a different outbound server without ratelimiting for bulk mail sent by marketing departments via mailing software.
This approach works OK for us but we are small enough that the amount of manual intervention is not an issue - it may not scale. If this would be an issue it should be possible to be more creative with the conditions. Exchange (which you seem to be using) now adds an X-Originating-IP header and compromised accounts are likely to be used via webmail from off site so you should be able to craft something that only ratelimits where X-Originating-IP is not local. You will also need to ratelimit access via authenticated SMTP if you permit that from off-site.
--
-------------------------------------------------------------------------------------
Jonathan Haynes
Senior Network Specialist
IT Department Tel: 01234 754205
Bld 63, e-mail: J.Haynes@???
Cranfield University,
Cranfield,
Beds, MK43 0AL
> -----Original Message-----
> From: Exim-users [mailto:exim-users-
> bounces+j.haynes=cranfield.ac.uk@???] On Behalf Of Sujit Acharyya-
> choudhury
> Sent: 05 May 2015 14:38
> To: exim-users@???
> Subject: Re: [exim] Rate limit
>
> My brain has frozen. Just to get an idea of the mail delivery rate, this is the
> ACL, I have put in, but I am not getting anything logged. Any idea where I am
> going wrong?
> ##########################################################
> ############
> # ACL CONFIGURATION #
> # Specifies access control lists for incoming SMTP mail #
> ##########################################################
> ############
>
> begin acl
>
>
> acl_check_rcpt:
>
> # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
> # testing for an empty sending host field.
>
> accept hosts = :
>
>
>
> deny message = Restricted characters in address
> domains = +local_domains
> local_parts = ^[.] : ^.*[@%!/|]
>
> deny message = Restricted characters in address
> domains = !+local_domains
> local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
>
>
> # Accept mail to postmaster in any local domain, regardless of the source,
> # and without verifying the sender.
>
> accept local_parts = postmaster
> domains = +local_domains
>
>
>
>
> accept hosts = +relay_from_hosts
> control = submission
>
>
> accept authenticated = *
> control = submission
>
>
> deny message = rejected because $sender_host_address is in a black list
> at $dnslist_domain\n$dnslist_text
> dnslists = sbl.dnsbl.ja.net:xbl.dnsbl.ja.net
>
>
> accept
>
>
> acl_check_connect:
> #Log all senders' rate
> warn ratelimit = 0 / 5m / strict
> log_message = SENDER RATE: $sender_rate/$sender_rate_period
>
>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
