Author: Randy Bush Date: To: Richard Jones CC: exim-users Subject: Re: [exim] detecting overly frequent smtp from real user
hi richard
> I did some work for Oxford University ages ago, and they used SEC to
> parse the logs, count up failed SMTP transactions for users/IP addresses
> and block once it exceeded a threshold.
>
> SEC was a bit messy, I would probably look at using Fail2Ban with a
> custom action script to do that now.
i suspect i was unclear.
a legit user, U, has an account with password P. password ssh is
disabled, of course. but smtp relay is not. so the spammer S uses
U's password P to relay mail through that server.
so i am looking to detect excessive, from some value of excessive,
use of smtp with a legit password.
for the moment, i no longer use /etc/master.password to authenticate,
and add users one at a time when they whine to a smtp relay password
file.
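
One way to detect the case described above, as an added example that is not part of the original message: count accepted messages per authenticated id over a sliding window in the Exim main log and report ids that exceed a threshold, along with the source addresses they came from. It assumes the default log timestamp format, lines in chronological order, and an authenticator that sets `server_set_id` so that arrival lines carry `A=<authenticator>:<id>`; the function names, threshold, and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Exim mainlog arrival ("<=") lines with an A=<authenticator>:<id> field
# (logged when the authenticator sets server_set_id); default timestamp format.
ARRIVAL = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= .*?"
    r"\[([0-9A-Fa-f.:]+)\].*? A=[^:\s]+:(\S+)")

def excessive_auth_senders(lines, limit, window):
    """Return {auth_id: (peak messages in any window, all source IPs seen)}
    for ids that were accepted more than `limit` times within `window`."""
    recent = defaultdict(deque)   # auth_id -> arrival times inside the window
    peak = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:            # assumed to be in chronological order
        m = ARRIVAL.match(line)
        if not m:
            continue              # deliveries, rejects, unauthenticated mail
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, auth_id = m.group(2), m.group(3)
        q = recent[auth_id]
        q.append(ts)
        while ts - q[0] > window: # drop arrivals that fell out of the window
            q.popleft()
        peak[auth_id] = max(peak[auth_id], len(q))
        sources[auth_id].add(ip)
    return {u: (peak[u], sorted(sources[u])) for u in peak if peak[u] > limit}

def sample_log():
    # Constructed sample: "alice" sends 3 messages over 40 minutes from one
    # address; "bob" sends 12 in under a minute from two addresses.
    fmt = ("2024-01-15 {t} 1rP{n:03d}-0001Xy-2B <= {u}@example.org "
           "H=(client) [{ip}] P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 "
           "A=plain_login:{u} S=2048")
    out = [fmt.format(t=f"09:{i*20:02d}:00", n=i, u="alice", ip="198.51.100.7")
           for i in range(3)]
    out += [fmt.format(t=f"10:00:{i*5:02d}", n=100 + i, u="bob",
                       ip="203.0.113.9" if i % 2 else "203.0.113.44")
            for i in range(12)]
    out.append("2024-01-15 10:05:00 1rP999-0001Xy-2B => x@example.net "
               "R=dnslookup T=remote_smtp")   # delivery line, ignored
    return out

if __name__ == "__main__":
    hits = excessive_auth_senders(sample_log(), 10, timedelta(minutes=10))
    for user, (count, ips) in hits.items():
        print(f"{user}: {count} messages in 10 min from {', '.join(ips)}")
```
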