Author: Richard Jones Date: To: exim-users Subject: Re: [exim] detecting overly frequent smtp from real user
On Aug 06, Randy Bush via Exim-users wrote > had a legit user user with weak password. someone cracked it and used
> it to drive a lot of spam by smtping in with plain auth.
>
> anyone have scripting to raise alerts if there is inbound smtp from a
> legit user above some threshold?
>
> i will also likely remove all user passwords from /etc/passwd (as shell
> access is ssh key only anyway) and put passwords for legit smtpers into
> `server_condition` in `authenticators`
>
> randy
Hi Randy,
I did some work for Oxford University ages ago, and they used SEC to
parse the logs, count up failed SMTP transactions for users/IP addresses
and block once it exceeded a threshold.
SEC was a bit messy, I would probably look at using Fail2Ban with a
custom action script to do that now.