We use *ratelimit* to detect anomalous situations then log a message to
mainlog.
A separate script runs to continuously monitor the contents of mainlog then
triggers a notification when it spots one of the log messages of interest.
If you do this make sure the script you use takes account of logfile
rotation, otherwise it'll carry on monitoring the old logfile rather than
the new one. For example if you're writing in Perl you can use
the File::Tail from CPAN to do a persistent "tail" on the logfile that
automatically handles it when the logfile is rotated.
Cheers,
Mike B-)
On 3 August 2016 at 13:59, Sujit Acharyya-choudhury <s.choudhury@???>
wrote:
> I am using rate limit for the sender, and it alerts me. However, the
> problem as I mentioned is the recipients. I could not find any easy way of
> alerting me.
>
> Currently, I run eximstats every 30 mins, and it picks up the problem -
> but
> it is manual. However, I wonder if there is an easier way to solve the
> problem.
>
> Top 50 email destinations by message count
> ------------------------------------------
> Messages Addresses Bytes Average Email destination
> 221485 221486 1426MB 1903 abc1234
> 250 250 16MB 66KB def5678
> 231 233 397KB 1759 qwertf
>
> This shows that the account of abc1234 came under heavy attack.
>
> Sujit Acharyya-choudhury
>
>
>
> -----Original Message-----
> From: Matthew Newton [mailto:mcn4@leicester.ac.uk]
> Sent: 03 August 2016 13:45
> To: Haynes, Jonathan
> Cc: Sujit Acharyya-choudhury; exim-users@???
> Subject: Re: [exim] max messages per recipients
>
> On Wed, Aug 03, 2016 at 11:52:16AM +0000, Haynes, Jonathan wrote:
> > We use ratelimit on outbound to protect against compromised
> > accounts sending spam but we don't check inbound although
> > obviously you could adapt this.
> >
> > This is used in conjunction with control = freeze
>
> Ditto, though rather than freezing message on the separate
> mailhubs (which is tedious to manage after a while) we just set an
> ACL variable. This triggers a router to send them to a single
> other host where the freeze happens. A copy of the mail gets
> dropped into a mailbox for easy checking and release or delete (by
> moving to other mailboxes, which a simple script checks and then
> processes the exim queue).
>
> The ACL variable is also set by custom ClamAV signatures,
> anti-phishing-email-reply addresses, other rate-limit type logic
> (built with exim ACLs), etc.
>
> But ratelimit ACL rules are definitely the place to start, and can
> be very effective even on their own.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4@???>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp@???>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811
Web:
www.york.ac.uk/it-services
Disclaimer:
www.york.ac.uk/docs/disclaimer/email.htm