Re: [exim] detecting overly frequent smtp from real user

Pàgina inicial
Delete this message
Reply to this message
Autor: Graeme Fowler
Data:  
A: Exim-users
Assumpte: Re: [exim] detecting overly frequent smtp from real user
On 9 Aug 2019, at 00:31, Randy Bush via Exim-users <exim-users@???> wrote:
> a legit user, U, has an account with password P. password ssh is
> disabled, of course. but smtp relay is not. so the spammer S uses
> U's password P to relay mail through that server.
>
> so i am looking to detect excessive, from some value of excessive,
> use of smtp with a legit password.


Basic ACL for this (in the RCPT ACL):

warn authenticated = *
         ratelimit = 0 / 1d / per_rcpt / $authenticated_sender


warn condition = ${if >{100}{$sender_rate}}
         control = freeze


...in short: if authenticated, update and record the per-recipient count for the authenticated user. If it's >100, freeze the message.

If you want to use the 'freeze_tell' global option, you can get a warning that a message has been frozen *but* it'll do it for every RCPT TO over the threshold so can be noisy. You might want to set another variable in the second part, and use a '${run' condition to notify yourself later. Or parse the logs, or watch the mail queue, or something requally monitoring-shaped.

Graeme