I am using rate limit for the sender, and it alerts me. However, the
problem as I mentioned is the recipients. I could not find any easy way of
alerting me.
Currently, I run eximstats every 30 mins, and it picks up the problem - but
it is manual. However, I wonder if there is an easier way to solve the
problem.

Top 50 email destinations by message count
------------------------------------------
  Messages Addresses  Bytes Average  Email destination
    221485    221486 1426MB    1903  abc1234
       250       250   16MB    66KB  def5678
       231       233  397KB    1759  qwertf

This shows that the account of abc1234 came under heavy attack.
Sujit Acharyya-choudhury
-----Original Message-----
From: Matthew Newton [mailto:mcn4@leicester.ac.uk]
Sent: 03 August 2016 13:45
To: Haynes, Jonathan
Cc: Sujit Acharyya-choudhury; exim-users@???
Subject: Re: [exim] max messages per recipients
On Wed, Aug 03, 2016 at 11:52:16AM +0000, Haynes, Jonathan wrote:
> We use ratelimit on outbound to protect against compromised
> accounts sending spam but we don't check inbound although
> obviously you could adapt this.
>
> This is used in conjunction with control = freeze

Ditto, though rather than freezing message on the separate
mailhubs (which is tedious to manage after a while) we just set an
ACL variable. This triggers a router to send them to a single
other host where the freeze happens. A copy of the mail gets
dropped into a mailbox for easy checking and release or delete (by
moving to other mailboxes, which a simple script checks and then
processes the exim queue).

The ACL variable is also set by custom ClamAV signatures,
anti-phishing-email-reply addresses, other rate-limit type logic
(built with exim ACLs), etc.

But ratelimit ACL rules are definitely the place to start, and can
be very effective even on their own.

Matthew

--
Matthew Newton, Ph.D. <mcn4@???>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@???>
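
One way to automate the manual eximstats check described in the message above (an added example, not part of the original thread and not Exim's own code): the script parses the "Top N email destinations by message count" section and exits non-zero when one destination dwarfs the rest, so cron can mail the output. The function names and the min_count and factor thresholds are assumptions to tune against normal traffic.

```python
"""Flag flooded recipients in eximstats output (added example)."""
import re
import statistics
import sys

# Constructed from the figures quoted in the post above.
SAMPLE = """\
Top 50 email destinations by message count
------------------------------------------
Messages Addresses Bytes Average Email destination
221485 221486 1426MB 1903 abc1234
250 250 16MB 66KB def5678
231 233 397KB 1759 qwertf

"""

SECTION = re.compile(r"^Top \d+ email destinations by message count")
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_destinations(report):
    """Return (messages, addresses, volume, destination) rows of the section."""
    rows, in_section = [], False
    for line in report.splitlines():
        if SECTION.match(line):
            in_section = True
        elif in_section:
            m = ROW.match(line)
            if m:
                rows.append((int(m[1]), int(m[2]), m[3], m[5]))
            elif rows:  # first non-row line after the data ends the section
                break
    return rows

def flooded(rows, min_count=1000, factor=20):
    """Rows whose count is >= min_count and >= factor x the median count.

    Both thresholds are assumptions; tune them to normal traffic.
    """
    if not rows:
        return []
    limit = max(min_count, factor * statistics.median(r[0] for r in rows))
    return [r for r in rows if r[0] >= limit]

if __name__ == "__main__":
    # Intended use (assumption): pipe eximstats output in from cron.
    hits = flooded(parse_destinations(sys.stdin.read()))
    for messages, _, volume, dest in hits:
        print(f"ALERT: {dest} received {messages} messages ({volume})")
    sys.exit(1 if hits else 0)
```

Because the limit is relative to the median of the listed destinations, a flood spread evenly across most of the top entries raises the baseline; keep min_count as an absolute backstop for that case.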