Re: [exim] max messages per recipients

Author: Haynes, Jonathan
Date:  
To: 'Sujit Acharyya-choudhury', Matthew Newton
CC: exim-users@exim.org
Subject: Re: [exim] max messages per recipients
The ratelimit key is user-definable and can use exim string expansions.

$recipients contains a list of all envelope recipients of a message but seems to only be available in the DATA ACL, rather than RCPT, and, as it can be multivalued, might need some 'magic' to process (although if you are looking to protect against DDOS it may well be good enough to just use it unmodified as the sender will probably be using the same set of recipients/single recipient).

$local_part and $domain are both set in RCPT ACL so could you use something like

ratelimit = 1000 / 1h / strict / per_rcpt / $local_part@$domain ?


If you are using eximstats, could you not write a script that runs eximstats, parses the output and emails you if messages > N, and run this every 30 mins through cron?

--
-------------------------------------------------------------------------------------
                                    Jonathan Haynes 
                               Senior Network Specialist


IT Department                              Tel: 01234 754205
Bld 63,                                         e-mail: J.Haynes@???
Cranfield University,
Cranfield,
Beds, MK43 0AL


> -----Original Message-----
> From: Sujit Acharyya-choudhury [mailto:s.choudhury@bbk.ac.uk]
> Sent: 03 August 2016 14:00
> To: Matthew Newton; Haynes, Jonathan
> Cc: exim-users@???
> Subject: RE: [exim] max messages per recipients
>
> I am using rate limit for the sender, and it alerts me. However, the
> problem as I mentioned is the recipients. I could not find any easy way of
> alerting me.
>
> Currently, I run eximstats every 30 mins, and it picks up the problem - but
> it is manual. However, I wonder if there is an easier way to solve the
> problem.
>
> Top 50 email destinations by message count
> ------------------------------------------
>   Messages  Addresses      Bytes    Average   Email destination
>     221485     221486     1426MB       1903   abc1234
>        250        250       16MB       66KB   def5678
>        231        233      397KB       1759   qwertf
>
> This shows that the account of abc1234 came under heavy attack.
>
> Sujit Acharyya-choudhury
>
>
>
> -----Original Message-----
> From: Matthew Newton [mailto:mcn4@leicester.ac.uk]
> Sent: 03 August 2016 13:45
> To: Haynes, Jonathan
> Cc: Sujit Acharyya-choudhury; exim-users@???
> Subject: Re: [exim] max messages per recipients
>
> On Wed, Aug 03, 2016 at 11:52:16AM +0000, Haynes, Jonathan wrote:
> > We use ratelimit on outbound to protect against compromised
> > accounts sending spam but we don't check inbound although
> > obviously you could adapt this.
> >
> > This is used in conjunction with control = freeze
>
> Ditto, though rather than freezing message on the separate
> mailhubs (which is tedious to manage after a while) we just set an
> ACL variable. This triggers a router to send them to a single
> other host where the freeze happens. A copy of the mail gets
> dropped into a mailbox for easy checking and release or delete (by
> moving to other mailboxes, which a simple script checks and then
> processes the exim queue).
>
> The ACL variable is also set by custom ClamAV signatures,
> anti-phishing-email-reply addresses, other rate-limit type logic
> (built with exim ACLs), etc.
>
> But ratelimit ACL rules are definitely the place to start, and can
> be very effective even on their own.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4@???>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp@???>
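
The eximstats-and-cron check suggested in the reply above, as an added example that is not part of the original thread: it reads the "Top 50 email destinations by message count" table in the layout quoted here and reports destinations above a threshold. The function names, the threshold of 1000 and the sample report (including its second section) are assumptions constructed for illustration.

```python
import re
import sys

# Constructed sample, modelled on the table quoted in this thread.
SAMPLE_REPORT = """\
Top 50 email destinations by message count
------------------------------------------
  Messages  Addresses      Bytes    Average   Email destination
    221485     221486     1426MB       1903   abc1234
       250        250       16MB       66KB   def5678
       231        233      397KB       1759   qwertf

Top 50 email destinations by volume
-----------------------------------
    221485     221486     1426MB       1903   abc1234
"""

SECTION = re.compile(r"^Top \d+ email destinations by message count\s*$")
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_destinations(report):
    """Return [(destination, messages), ...] from the message-count table only."""
    rows, in_section, seen_row = [], False, False
    for line in report.splitlines():
        if SECTION.match(line):
            in_section = True
            continue
        if not in_section:
            continue
        m = ROW.match(line)
        if m:
            rows.append((m.group(5), int(m.group(1))))
            seen_row = True
        elif seen_row:
            break  # first non-row line after the data ends the table
    return rows


def over_threshold(report, limit):
    """Destinations whose message count exceeds `limit`, busiest first."""
    hits = [(d, n) for d, n in parse_destinations(report) if n > limit]
    return sorted(hits, key=lambda x: x[1], reverse=True)


if __name__ == "__main__":
    report = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    for dest, count in over_threshold(report, 1000):
        print(f"ALERT {dest}: {count} messages")
```

Pipe the eximstats text report into the script from a cron job; cron mails any output a job produces, so staying silent below the threshold gives an alert only when a destination is over the limit.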