We use ratelimit on outbound to protect against compromised accounts sending spam but we don't check inbound although obviously you could adapt this.
This is used in conjunction with control = freeze.
So something like this for outbound sending. For recipient you will have to alter the ratelimit clause to use an appropriate key.
  warn
    log_message = Ratelimit - sender $sender_address rate $sender_rate / $sender_rate_period
    message     = Sorry, you have exceeded your message sending limit. Try again later
    ratelimit   = 1000 / 1h / strict / per_rcpt / $sender_address
    control     = freeze
That freezes the messages on the system.
Alerts on this are linked into our general network monitoring system and exim stats, but basically it runs
exipick -bpc -z '$sender_address' (which gives you frozen messages that have a non-null sender) and alerts if that is nonzero.
--
-------------------------------------------------------------------------------------
Jonathan Haynes
Senior Network Specialist
IT Department Tel: 01234 754205
Bld 63, e-mail: J.Haynes@???
Cranfield University,
Cranfield,
Beds, MK43 0AL
> -----Original Message-----
> From: Exim-users [mailto:exim-users-
> bounces+j.haynes=cranfield.ac.uk@???] On Behalf Of Sujit Acharyya-
> choudhury
> Sent: 03 August 2016 11:33
> To: exim-users@???
> Subject: [exim] max messages per recipients
>
> How can I generate an alert if a user (recipient) gets more than the usual
> messages, say 1000/hour instead of 100/day, thereby telling us something is
> wrong with the account - possibly compromised or a DDOS attack. We had an
> instance like this a few times (to well-known academics) and we would like to
> stop this kind of problem as soon as possible, before the mailbox is full.
>
> We are Exim 4.81
>
> Regards
>
> Sujit
>
> Sujit Choudhury | IT Services
>
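
Added example, not part of the original message or of Exim: a log summariser keyed on the exact log_message text from the ACL above, to show which senders tripped the limit and how far over they went. The sample log lines, host names and addresses are constructed, and the timestamp/host prefix in front of the message is an assumed log layout; only the "Ratelimit - sender ..." text comes from the post.

```python
import re

# Matches the text written by the ACL's log_message:
#   Ratelimit - sender $sender_address rate $sender_rate / $sender_rate_period
# \S* (not \S+) so a null sender (bounce) is still counted.
RATELIMIT_RE = re.compile(
    r"Ratelimit - sender (?P<sender>\S*) rate (?P<rate>\d+(?:\.\d+)?) / (?P<period>\S+)"
)
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample input (assumed main log layout; not real log data).
SAMPLE_LOG = """\
2016-08-03 11:31:02 H=(pc1.example.org) [192.0.2.10] Warning: Ratelimit - sender alice@example.org rate 1000.4 / 1h
2016-08-03 11:31:05 1bUtAb-0003xY-7Q <= bob@example.org H=(pc2.example.org) [192.0.2.11] P=esmtp S=2048
2016-08-03 11:35:40 H=(pc1.example.org) [192.0.2.10] Warning: Ratelimit - sender alice@example.org rate 1312.9 / 1h
2016-08-03 11:36:10 H=(pc3.example.org) [192.0.2.12] Warning: Ratelimit - sender carol@example.org rate 1001.0 / 1h
2016-08-03 11:37:00 H=(mx.example.net) [198.51.100.5] Warning: Ratelimit - sender  rate 1000.1 / 1h
"""


def summarise(lines):
    """Return [(sender, record)] sorted by peak rate, highest first."""
    senders = {}
    for line in lines:
        hit = RATELIMIT_RE.search(line)
        if not hit:
            continue  # unrelated log line
        ts = TIMESTAMP_RE.match(line)
        stamp = ts.group(0) if ts else None
        sender = hit.group("sender") or "<>"  # "<>" marks a null sender
        rec = senders.setdefault(sender, {
            "hits": 0, "peak": 0.0, "period": hit.group("period"),
            "first": stamp, "last": stamp,
        })
        rec["hits"] += 1
        rec["peak"] = max(rec["peak"], float(hit.group("rate")))
        rec["last"] = stamp
    return sorted(senders.items(), key=lambda kv: kv[1]["peak"], reverse=True)


if __name__ == "__main__":
    for sender, rec in summarise(SAMPLE_LOG.splitlines()):
        print(f"{sender:25} hits={rec['hits']} peak={rec['peak']}/{rec['period']} "
              f"first={rec['first']} last={rec['last']}")
```

The null-sender row is reported here, whereas the exipick check in the message deliberately counts only frozen messages with a non-null sender.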