Author: Cyborg Date: To: exim-users Subject: Re: [exim] New compromise...?
On 25.09.19 at 11:21, Heiko Schlittermann via Exim-users wrote:
>
> In MAIL ACL (or later) you can block messages from authenticated users
> if authenticated ID does not match the sender address, or you can
> ratelimit on the authenticated ID
>
ehm.. we are talking about a hacked mail account, not legitimate users
sending too much mail.
The main goal needs to be to stop those attackers from abusing the system at all.
So, besides strict "from:" checks, I suggest implementing a database
check for the last sending IPs.
If you find too many entries in that database, you can reject those
mails and execute a script to disable the account.
@Mark & Heiko:
Thanks for the problem, I had a brilliant idea how to improve my exim
setup :D
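
The database check suggested in the message above, sketched as an added example that is not part of the original message or of Exim: it counts distinct sending IPs per authenticated ID inside a time window, rejects once the count exceeds a threshold, and marks the account disabled. The table names, the one-hour window, the threshold of 3 and the `check_sender` function are assumptions, and the sample IPs are constructed.

```python
import sqlite3

WINDOW_SECONDS = 3600  # assumed look-back window
MAX_DISTINCT_IPS = 3   # assumed threshold; tune to how your users really roam

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS send_ips (
            auth_id TEXT NOT NULL, ip TEXT NOT NULL, last_seen INTEGER NOT NULL,
            PRIMARY KEY (auth_id, ip));
        CREATE TABLE IF NOT EXISTS disabled (auth_id TEXT PRIMARY KEY);
    """)
    return db

def check_sender(db, auth_id, ip, now):
    """Record one authenticated submission; return 'accept' or 'reject'."""
    with db:  # one transaction per decision
        if db.execute("SELECT 1 FROM disabled WHERE auth_id = ?", (auth_id,)).fetchone():
            return "reject"  # account already disabled, even from a known IP
        # Forget sightings older than the window, then record this one.
        db.execute("DELETE FROM send_ips WHERE last_seen < ?", (now - WINDOW_SECONDS,))
        db.execute("INSERT OR REPLACE INTO send_ips VALUES (?, ?, ?)", (auth_id, ip, now))
        (distinct,) = db.execute(
            "SELECT COUNT(*) FROM send_ips WHERE auth_id = ?", (auth_id,)).fetchone()
        if distinct > MAX_DISTINCT_IPS:
            # Stand-in for the "script to disable the account".
            db.execute("INSERT OR IGNORE INTO disabled VALUES (?)", (auth_id,))
            return "reject"
    return "accept"

def demo():
    # Constructed sample: one account seen from four different IPs in a few seconds.
    db = open_db()
    ips = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.99", "192.0.2.10"]
    return [check_sender(db, "alice", ip, 1000 + i) for i, ip in enumerate(ips)]

if __name__ == "__main__":
    print(demo())
```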