On 9 Aug 2019, at 00:31, Randy Bush via Exim-users <exim-users@???> wrote:
> a legit user, U, has an account with password P. password ssh is
> disabled, of course. but smtp relay is not. so the spammer S uses
> U's password P to relay mail through that server.
>
> so i am looking to detect excessive, from some value of excessive,
> use of smtp with a legit password.
Basic ACL for this (in the RCPT ACL):

  # limit 0 means the condition is always true, so this statement only
  # measures; strict mode keeps the recorded rate updated once it is over
  # the limit (the default leaky mode would stop counting); key on the
  # login id rather than the client-supplied AUTH= value
  warn authenticated = *
       ratelimit     = 0 / 1d / per_rcpt / strict / $authenticated_id
  # freeze once the recipients-per-day rate for this user exceeds 100
  warn condition     = ${if >{$sender_rate}{100}}
       control       = freeze
...in short: if authenticated, update and record the per-recipient count for the authenticated user. If it's >100, freeze the message.
If you want to use the 'freeze_tell' global option, you can get a warning that a message has been frozen *but* it'll do it for every RCPT TO over the threshold, so it can be noisy. You might want to set another variable in the second part, and use a '${run' condition to notify yourself later. Or parse the logs, or watch the mail queue, or something equally monitoring-shaped.
Graeme
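Following the "parse the logs" suggestion above, here is an added example (not from this thread or from Exim) that counts recipients per authenticated user per day from Exim main-log "<=" lines and flags users over the same threshold the ACL uses. It assumes the log_selector includes +received_recipients (so the recipient list follows "for"), and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Matches an Exim "<=" (message received) line. The A= field is
# "authenticator:authenticated_id"; the recipient list after "for "
# is only logged when log_selector includes +received_recipients.
RECEIVED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ (?P<msgid>\S+) <= .*?"
    r" A=(?P<auth>\S+?):(?P<user>\S+).*? for (?P<rcpts>.+)$"
)

# Constructed sample lines: one legit user, one unauthenticated inbound
# message (no A= field, so it is ignored), spread over two days.
SAMPLE_LOG = """\
2019-08-09 00:31:12 1hvxyz-000ABC-De <= u@example.com H=(mua) [203.0.113.5] P=esmtpsa A=plain:u@example.com S=1024 for a@example.net
2019-08-09 01:02:03 1hvxyz-000ABD-Ef <= u@example.com H=(bot) [198.51.100.7] P=esmtpsa A=plain:u@example.com S=2048 for b@example.net c@example.net d@example.net
2019-08-09 01:05:00 1hvxyz-000ABE-Fg <= other@example.com H=(mx) [192.0.2.9] P=esmtps S=512 for e@example.net
2019-08-10 09:00:00 1hvxyz-000ABF-Gh <= u@example.com H=(mua) [203.0.113.5] P=esmtpsa A=plain:u@example.com S=900 for f@example.net
""".splitlines()


def recipients_per_user(lines):
    """Return {(date, authenticated_id): recipient_count} for
    authenticated submissions; unauthenticated lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        # each whitespace-separated address after "for" is one RCPT TO
        counts[(m["date"], m["user"])] += len(m["rcpts"].split())
    return dict(counts)


def over_threshold(lines, limit=100):
    """Users whose per-day recipient count exceeds the ACL threshold."""
    return {k: v for k, v in recipients_per_user(lines).items() if v > limit}


if __name__ == "__main__":
    for (day, user), n in sorted(over_threshold(SAMPLE_LOG, limit=3).items()):
        print(f"{day} {user}: {n} recipients (over limit)")
```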