Re: [exim] detecting overly frequent smtp from real user

Top Page
Delete this message
Reply to this message
Author: Richard Jones
Date:  
To: exim-users
Subject: Re: [exim] detecting overly frequent smtp from real user
On Aug 06, Randy Bush via Exim-users wrote
> had a legit user user with weak password. someone cracked it and used
> it to drive a lot of spam by smtping in with plain auth.
>
> anyone have scripting to raise alerts if there is inbound smtp from a
> legit user above some threshold?
>
> i will also likely remove all user passwords from /etc/passwd (as shell
> access is ssh key only anyway) and put passwords for legit smtpers into
> `server_condition` in `authenticators`
>
> randy


Hi Randy,

I did some work for Oxford University ages ago, and they used SEC to
parse the logs, count up failed SMTP transactions for users/IP addresses
and block once it exceeded a threshold.

SEC was a bit messy, I would probably look at using Fail2Ban with a
custom action script to do that now.

Thanks,

Richard Jones

--
junix.systems/privacy