Re: [exim] detecting overly frequent smtp from real user

Góra strony
Delete this message
Reply to this message
Autor: Randy Bush
Data:  
Dla: Richard Jones
CC: exim-users
Temat: Re: [exim] detecting overly frequent smtp from real user
hi richard

> I did some work for Oxford University ages ago, and they used SEC to
> parse the logs, count up failed SMTP transactions for users/IP addresses
> and block once it exceeded a threshold.
>
> SEC was a bit messy, I would probably look at using Fail2Ban with a
> custom action script to do that now.


i suspecty i was unclear.

a legit user, U, has an account with password P. password ssh is
disabled, of course. but smtp relay is not. so the spammer S uses
U's password P to relay mail through that server.

so i am looking to detect excessive, from some value of excessive,
use of smtp with a legit password.

for the moment, i no longer use /etc/master.password to authenticate,
and add users one at a time when they whine to a smtp relay passord
file.

randy