Hi Nick
On 10 Feb 2016, at 17:45, Nick Rickard <nick@???> wrote:
<snip>
> this therefore kicks in fairly rapidly and I don't have any other mail (mailing lists, twitter notifications, etc) that approaches this rate so I don't foresee false positives being an issue.
If you can afford to live with that, that’s a compromise that might turn round and bite in future - but that’s not cogent to the question below!
> The second is if the spammer uses a multitude of 'from' email addresses but a common subject such as "Invoice is due". So I'm after a similar ratelimit stanza that will work on the subject. I *think* this can't go in the acl_check_rcpt as the header has not been downloaded at this time(?) so needs to be in acl_check data [ = acl_smtp_data]? Depending when it triggers it needs to be agnostic to a SpamAssassin header rewrite so that "(SPAM 3.5)Invoice" 'matches' "(SPAM 3.6)Invoice".
You can make ratelimit use *any* key you like as the lookup - so it can be (as you’ve done already) the envelope sender address, or the sender’s IP address, or a hostname, or… well, you get the idea.
In the DATA ACL, you’ve got access to all the message headers - and if you do the ratelimit stuff before the callout to SpamAssassin, they’re unmodified (see footnote 1). So you can set an ACL variable for later use from any header. As an example:
set acl_m_origsubject1 = $rh_Subject
...
warn ratelimit = 5 / 15m / per_rcpt / strict / $acl_m_origsubject1
(obviously that could be deny, and have other conditions on it)
However: you likely want to ensure that the Subject: line exists, or you’ll have an empty key and the behaviour there will not be what you want. Also, you run a big risk here with genuine mail in your sample window having the same subject - ever tried to reset an Apple ID password and make it work first time?
You’re probably better off cooking up a ratelimit key from the subject, parts of the date/time (see $tod_log) and other attributes of the message which you see as unique. Do they, for example, share a Message-ID header (direct-to-MX malware often does, if one exists at all).
Does that give you a bit of direction?
Graeme
Footnotes:
1. http://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html - modifications in other ACLs are exposed in the DATA ACL
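Putting Graeme's suggestions together, here is an added example of a DATA ACL fragment (not code from the thread or from the Exim project) that keys ratelimit on the unmodified Subject: header, guards against the empty-key case, and widens the key with whether a Message-ID: header is present. The ACL name acl_check_data, the variable name acl_m_subjkey, the 5 / 15m limit and the placement of the SpamAssassin callout are all assumptions to be adapted to the local configuration; the expansion operators (def:, lc, length_, sha1) and the ratelimit option names are standard Exim.

```exim
# Added example, not from the original thread.  Rate-limit a message
# stream on the raw Subject: header in the DATA ACL.  Everything here
# must run *before* the SpamAssassin "spam =" callout so that $rh_Subject:
# still holds the unmodified header (see footnote 1 above).

acl_check_data:

  # Build a key from the raw Subject: only when the header exists.  Without
  # this guard every subject-less message would share one empty key and be
  # counted together.  Lower-case and truncate first so trivial spammer
  # variations ("Invoice", "INVOICE") collapse into the same bucket; sha1 is
  # used only to keep the key short, not for any security property.
  warn
    condition         = ${if def:h_Subject: {yes}{no}}
    set acl_m_subjkey = ${sha1:${lc:${length_200:$rh_Subject:}}}

  # Widen the key with another attribute so unrelated senders that happen to
  # share a subject ("Your order has shipped") do not pool into one counter.
  # Here the attribute is the presence of a Message-ID: header, which bulk
  # direct-to-MX mailers frequently omit; $sender_host_address is another
  # candidate if the sending hosts are stable.
  warn
    condition         = ${if def:acl_m_subjkey {yes}{no}}
    set acl_m_subjkey = $acl_m_subjkey/${if def:h_Message-ID: {mid}{nomid}}

  # Count recipients per 15 minutes against that key.  "strict" means a
  # rejected message still advances the counter, so the limit does not reset
  # as soon as mail starts being refused.
  deny
    condition         = ${if def:acl_m_subjkey {yes}{no}}
    ratelimit         = 5 / 15m / per_rcpt / strict / $acl_m_subjkey
    message           = Too many messages with this subject recently \
                        ($sender_rate per $sender_rate_period, limit $sender_rate_limit)
    log_message       = subject-ratelimit: $sender_rate/$sender_rate_period \
                        key=$acl_m_subjkey

  # Only now hand the message to SpamAssassin; it may rewrite Subject: from
  # this point on, which is why the key was captured above.
  warn
    spam              = nobody:true
    add_header        = X-Spam-Score: $spam_score

  accept
```

Before enabling the deny, run the same stanza as warn with only the log_message for a few days and compare the logged keys against legitimate traffic; password-reset and order-confirmation streams with a fixed subject are the usual source of collisions, and the $sender_rate value in the log shows how close they come to the limit.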