Re: [exim] detecting overly frequent smtp from real user

Author: Randy Bush
Date:  
To: Richard Jones
CC: exim-users
Subject: Re: [exim] detecting overly frequent smtp from real user
hi richard

> I did some work for Oxford University ages ago, and they used SEC to
> parse the logs, count up failed SMTP transactions for users/IP addresses
> and block once it exceeded a threshold.
>
> SEC was a bit messy, I would probably look at using Fail2Ban with a
> custom action script to do that now.


i suspect i was unclear.

a legit user, U, has an account with password P. password ssh is
disabled, of course. but smtp relay is not. so the spammer S uses
U's password P to relay mail through that server.

so i am looking to detect excessive, from some value of excessive,
use of smtp with a legit password.

for the moment, i no longer use /etc/master.password to authenticate,
and add users one at a time when they whine to a smtp relay password
file.

randy
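One way to do the detection Randy is after, as an added example that is neither from this thread nor part of Exim: it reads the `<=` (message received) lines of an Exim mainlog, keys on the authenticated user in the `A=authenticator:user` tag, and flags any account whose submissions in a sliding window exceed a message-count or distinct-client-IP threshold. The exact log layout, the thresholds and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Exim mainlog layout for an authenticated, received message:
# "YYYY-MM-DD HH:MM:SS <msgid> <= <sender> H=... [<ip>] ... A=<authenticator>:<user> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ .*?\[(?P<ip>[^\]]+)\]"
    r".*? A=[^:\s]+:(?P<user>\S+)"
)

def parse_auth_submissions(lines):
    """Yield (timestamp, user, client_ip) for each authenticated submission."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # unauthenticated (no A=) and non-"<=" lines are skipped
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("user"), m.group("ip")

def find_excessive_senders(lines, window=timedelta(minutes=10), max_msgs=20, max_ips=3):
    """Return {user: (peak_msgs, peak_distinct_ips)} for accounts that exceed either
    threshold inside any sliding window. Thresholds are constructed defaults."""
    recent = defaultdict(deque)  # user -> (ts, ip) entries still inside the window
    flagged = {}
    for ts, user, ip in parse_auth_submissions(lines):
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        ips = {i for _, i in q}
        if len(q) > max_msgs or len(ips) > max_ips:
            prev = flagged.get(user, (0, 0))
            flagged[user] = (max(prev[0], len(q)), max(prev[1], len(ips)))
    return flagged

def sample_log():
    """Constructed log: alice is a normal user; bob's password is being relayed through."""
    base = datetime(2024, 1, 15, 10, 0, 0)
    lines = [f"{base:%Y-%m-%d %H:%M:%S} 1rPZbQ-0001Ab-2k <= alice@example.org H=(home) "
             f"[192.0.2.10] P=esmtpsa A=plain_login:alice S=812"]
    for i in range(25):  # 25 messages in 5 minutes from 4 different client IPs
        ts = base + timedelta(seconds=12 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 1rPZbR-0001Ac-{i:02d} <= bob@example.org H=(x) "
                     f"[198.51.100.{i % 4}] P=esmtpsa A=plain_login:bob S=2048")
    lines.append("2024-01-15 10:02:00 1rPZbS-0001Ad-3m <= news@example.net H=mx.example.net "
                 "[203.0.113.5] P=esmtps S=5001")  # inbound, unauthenticated: ignored
    return lines

SAMPLE_LOG = sample_log()
```

A cron job feeding the tail of the mainlog to `find_excessive_senders` and disabling the flagged entries in the relay password file would close the loop Randy describes.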