Re: [exim] max messages per recipients

Pàgina inicial
Delete this message
Reply to this message
Autor: Mike Brudenell
Data:  
A: Sujit Acharyya-choudhury
CC: exim-users@exim.org, Haynes, Jonathan, Matthew Newton
Assumpte: Re: [exim] max messages per recipients
We use *ratelimit* to detect anomalous situations then log a message to
mainlog.

A separate script runs to continuously monitor the contents of mainlog then
triggers a notification when it spots one of the log messages of interest.

If you do this make sure the script you use takes account of logfile
rotation, otherwise it'll carry on monitoring the old logfile rather than
the new one. For example if you're writing in Perl you can use
the File::Tail from CPAN to do a persistent "tail" on the logfile that
automatically handles it when the logfile is rotated.

Cheers,
Mike B-)

On 3 August 2016 at 13:59, Sujit Acharyya-choudhury <s.choudhury@???>
wrote:

> I am using rate limit for the sender, and it alerts me. However, the
> problem as I mentioned is the recipients. I could not find any easy way of
> alerting me.
>
> Currently, I run eximstats every 30 mins, and it picks up the problem -
> but
> it is manual. However, I wonder if there is an easier way to solve the
> problem.
>
> Top 50 email destinations by message count
> ------------------------------------------
>   Messages  Addresses      Bytes    Average   Email destination
>     221485     221486     1426MB       1903   abc1234
>        250        250       16MB       66KB   def5678
>        231        233      397KB       1759   qwertf

>
> This shows that the account of abc1234 came under heavy attack.
>
> Sujit Acharyya-choudhury
>
>
>
> -----Original Message-----
> From: Matthew Newton [mailto:mcn4@leicester.ac.uk]
> Sent: 03 August 2016 13:45
> To: Haynes, Jonathan
> Cc: Sujit Acharyya-choudhury; exim-users@???
> Subject: Re: [exim] max messages per recipients
>
> On Wed, Aug 03, 2016 at 11:52:16AM +0000, Haynes, Jonathan wrote:
> > We use ratelimit on outbound to protect against compromised
> > accounts sending spam but we don't check inbound although
> > obviously you could adapt this.
> >
> > This is used in conjunction with control = freeze
>
> Ditto, though rather than freezing message on the separate
> mailhubs (which is tedious to manage after a while) we just set an
> ACL variable. This triggers a router to send them to a single
> other host where the freeze happens. A copy of the mail gets
> dropped into a mailbox for easy checking and release or delete (by
> moving to other mailboxes, which a simple script checks and then
> processes the exim queue).
>
> The ACL variable is also set by custom ClamAV signatures,
> anti-phishing-email-reply addresses, other rate-limit type logic
> (built with exim ACLs), etc.
>
> But ratelimit ACL rules are definitely the place to start, and can
> be very effective even on their own.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4@???>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp@???>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>




--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm