Re: [exim] Sender rate limiting based on recipient address?

Etusivu
Poista viesti
Vastaa
Lähettäjä: Patrick von der Hagen
Päiväys:  
Vastaanottaja: exim-users@exim.org
Aihe: Re: [exim] Sender rate limiting based on recipient address?
On 20.10.2015 09:51, Osborne, Paul (paul.osborne@???) wrote:
> Hi Patrick,

Hi Paul,

> Not quite and in some ways I wish it were like you suggested.
>
> World -> uni (mxin/spam|av/mxout) -> o365 -> uni (mxin/spam|av/mxout) -> google

that's not bad and similar to my setup here. At least you got more
control than I expected. ;-)

>
> As I said originally we treat O365 simply as a mail store as if it were an on site Exchange service - except obviously it is in the cloud. This allows us to ensure that we apply the same policies to outbound email as we do to inbound (including av and spam checking) - this is considered as "reputation management". Letting O365 send straight outbound - means that we have little control of what it is actually up to particularly if an account has been nobbled and we want to stop a user sending mail outbound rather quickly.
>
> Admittedly it is a long way round to get anywhere and having lots of MX hosts makes things look a whole lot more complicated than they are as the MXs have very specific jobs to do - so if/when mail gets backed up I usually have a good idea of why based on where any queue is.
>
> So when google generates the MDF it goes to mxout (as part of the SMTP transaction) - which then sends it round to mxin and so back to the beginning of the pipeline. It is all made worse by our addresses in O365 actually being something like: paul27@??? - so by the time the address has been rewritten any sense of the original inbound mail and any MDF due to the forwarding issue is a right pain to correlate.

Our solution here is do trigger ratelimiting by bounces. It is meant to
detect users where the account is abused, but should work in your
scenario as well.

First, I count all messages generated locally. The acl is triggered by
cron and bounces and I can safely ignore the cron case in my setup.

acl_not_smtp = acl_check_local

acl_check_local:
   warn ratelimit = 100 / 50m / per_rcpt / strict / bounce_$recipients
        log_message = bounce rate exceeded: $recipients



Now I got a ratelimit with key "bounce_sender@???", which I can use
when receiving mail like

defer message = $sender_address causing lots of bounces $sender_rate
        sender_domains = kit.edu
            ratelimit = 100 / 50m / per_rcpt / readonly /
bounce_$sender_address


"readonly" is important, since I only want to check the ratelimit, not
increase the count.

A compromised account sending SPAM via my servers is detected (and
blocked) pretty quickly. Adjusting the limits you should easily be able
to identify users with a broken forward as well.

And you should be able to argue, why this kind of check doesn't really
interfere with the usual O365 ratelimiting. ;-)


>
>
> Cheers
>
> Paul Osborne
> Senior Systems Engineer
> Canterbury Christ Church University
> Tel: 01227 782751
>
> ________________________________________
> From: Exim-users <exim-users-bounces+paul.osborne=canterbury.ac.uk@???> on behalf of Patrick von der Hagen <patrick.hagen@???>
> Sent: 19 October 2015 11:03
> To: exim-users@???
> Subject: Re: [exim] Sender rate limiting based on recipient address?
>
> Hi Paul,
>
> I got some issues understanding the mail flow in your situation. Just to
> make sure:
>
> world -> university -> o365 -> google
>
> If the google-account was deleted/disabled, why would google generate an
> MDF? The mail should be rejected by google, so not "leaving" o365? And I
> would expect o365 to have procedures in place to handle it? How are your
> servers involved at all?
>
> On 16.10.2015 16:50, Osborne, Paul (paul.osborne@???) wrote:
>> Hi,
>>
>> I have had a slightly odd situation where a member of the university
>> (best leave it at that) has decided that they do not like our O365
>> offering (which we treat effectively as a mail store) and decided
>> that they wanted to forward their email to Google. This in itself is
>> not a particular issue and worked fine.
>>
>> Then at some point their Google account was deleted (no idea why and
>> don't really care) at which point the forwarder in O365 continued to
>> forward email to Google which generated a MDF that came back with an
>> ensuing game of email ping pong that resulted in us getting black
>> listed for a time.
>>
>> Sadly due to address rewriting going on and new emails being
>> generated for the forwards coming out of O365 (rather than a true
>> message bounce) getting this spotted as a mail loop has proven to be
>> a challenge.
>>
>> We do have sender rate limiting in place - however people higher up
>> the food chain than me have insisted it is set the same as O365 to
>> give parity of user experience. The downside of this is that O365
>> rate limiting is apparently set to: 10,000 recipients per day and 30
>> messages a minute. So pretty much low enough to be useless.
>>
>> https://technet.microsoft.com/en-gb/library/exchange-online-limits.aspx#RecipientLimits
>>
>> At this point I am thinking about implementing rate limiting on the
>> basis of a sender being able to send X number of mails per unique
>> recipient email address per day - to reduce the flow enough so that
>> things start to back up a bit internally and my monitoring can spot
>> when this happens.
>>
>> However looking at the rate limiting config in Exim although I can it
>> seems limit the amount of recipients that a sender can mail to, I
>> cannot see that I can limit the amount of mails that a user can send
>> to individual recipients. It may be the case that I am failing to
>> parse the documentation and for that I apologise, but if anyone has a
>> suggestion on how to do this I would appreciate it.
>>
>>
>> Cheers
>>
>> Paul
>>
>>
>
> --
> Karlsruher Institut für Technologie (KIT)
> Steinbuch Centre for Computing (SCC)
>
> Patrick von der Hagen
>
> Zirkel 2, Gebäude 20.21, Raum 004.2
> 76131 Karlsruhe
> Telefon: +49 721 608-46433
> E-Mail: hagen@???
> Web: http://www.scc.kit.edu
>
> KIT - Universität des Landes Baden-Württemberg und
> nationales Forschungszentrum in der Helmholtz-Gemeinschaft
>


--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Patrick von der Hagen

Zirkel 2, Gebäude 20.21, Raum 004.2
76131 Karlsruhe
Telefon: +49 721 608-46433
E-Mail: hagen@???
Web: http://www.scc.kit.edu

KIT - Universität des Landes Baden-Württemberg und
nationales Forschungszentrum in der Helmholtz-Gemeinschaft