Re: [exim] Looking for an example

Author: Mike Brudenell
Date:  
To: Exim Users
Subject: Re: [exim] Looking for an example
Prior to moving our main mail service to G Suite, we used Exim's *ratelimit* to
keep an eye on the rate of messages being sent by people who weren't on our
campus IP address range. Because they'd had to authenticate to Exim I used
the authenticating username as the key for the rate limiting.

When the rate started getting high over a suitable period it would start
freezing messages and logging warning lines that a separate process
monitoring the mainlog would then bleat to us about.

I can't remember off the top of my head what the rate thresholds were, but
it was something like 500 messages per 30 minutes. Our feeling was that
someone working away from site was unlikely to be sending that number of
messages that quickly unless they were a spammer. On-campus source IP
addresses were exempt as these might be, for example, database systems
sending out bulk emails to staff or students.

The combination of the freezing along with the mainlog monitoring process
(which blasted an alert email to a set of sysadmins) proved very helpful in
spotting compromised accounts. And in the event of a false positive the
frozen messages could then be released.

Cheers,
Mike B-)

On Mon, 29 Jun 2020 at 13:49, Mark Elkins via Exim-users <
exim-users@???> wrote:

> Hello group,
>
> I'm looking for an example for how to cure this problem.
>
> Every now and then, a user will give his password to a bad actor (Social
> Engineering). That bad person then goes to my webmail interface and
> sends out a lot of SPAM e-mail - which goes to my port 587 (only) Exim
> (version 4.94).
>
> The mail server then gets black-listed :-(
>
> Of course - then everyone suffers.
>
> All my users details are in a MySQL Database. Ideally - I could change
> their status to "disabled" - but still need to handle the SPAM being
> sent out from their account details. Perhaps I'd lookup the
> "X-Originating-IP" and if there - not do a delivery?
>
> What are the "Best Practises" with handling this?
>
> An example of a "bad" email (the H file) might look like... (as
> untouched as possible)
>
> 1jX2Tv-00A32n-Ka-H
> mail 8 12
> <mothapom@???>
> 1588942319 2
> -received_time_usec .638108
> -helo_name webmail.vweb.co.za
> -host_address 2001:42a0::5.36176
> -interface_address 2001:42a0::71.587
> -received_protocol esmtps
> -body_linecount 48
> -max_received_linelength 74
> -frozen 1589015756
> -tls_cipher TLSv1.3:TLS_AES_256_GCM_SHA384:256
> -tls_sni relay.vweb.co.za
> -tls_ourcert -----BEGIN CERTIFICATE-----\nMIIGaTCCBVGgAwIBAgISAw6 [Lots
> deleted] 4isptageh9BnUwAwJw==\n-----END CERTIFICATE-----\n
> YY wryer@???
> YY wrongdoer@???
> YY wristwatch@???
> [20+ lines deleted]
> NN yards@???
> NN yawn@???
> 50
> wrinkle@???
> wrinkling@???
> [20+ lines deleted]
> swarthy@???
> swathes@???
>
> 255P Received: from [2001:42a0::5] (port=36176 helo=webmail.vweb.co.za)
>          by relay.vweb.co.za with esmtps
> (TLSv1.3:TLS_AES_256_GCM_SHA384:256)
>          (Exim 4.92.2)
>          (envelope-from <mothapom@???>)
>          id 1jX2Tv-00A32n-Ka; Fri, 08 May 2020 14:51:59 +0200
> 018  Mime-Version: 1.0
> 038  Date: Fri, 08 May 2020 12:52:10 +0000
> 087  Content-Type: multipart/alternative;
>   boundary="--=_RainLoop_183_170848428.1588942330"
> 026  X-Mailer: RainLoop/1.11.3
> 057F From: "Mrs. Agnes Adams" <mothapom@???>
> 068I Message-ID: <f48e1f3d5cf34a6e7f03fe0d1b6487a8@???>
> 030R Reply-To: jm4065278@???
> 012  Subject: HI
> 034  X-Originating-IP: 197.220.169.156
>
> --
>
> Mark James ELKINS - Posix Systems - (South) Africa
> mje@??? Tel: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>



--
*My normal working days are Tuesdays, Wednesdays and Thursdays.*

Systems Administrator working in Teaching & Learning
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
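Mike describes keying Exim's ratelimit on the authenticated username and having a separate process watch the mainlog for the warnings. As an added illustration, not code from this thread or from Exim, the script below applies that policy to mainlog arrival lines: a per-user window of 500 messages per 30 minutes, with an exempt on-campus range. The sample log lines, the 192.0.2.0/24 campus range and the `plain` authenticator name are constructed assumptions, and the sliding window is a simplification of Exim's smoothed-average ratelimit.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed Exim mainlog "<=" lines; "A=auth:id" carries the authenticated user.
SAMPLE_MAINLOG = """\
2020-05-08 14:51:59 1jX2Tv-00A32n-Ka <= alice@example.org H=(webmail) [203.0.113.5] P=esmtpsa A=plain:alice S=1024
2020-05-08 14:52:03 1jX2Tz-00A32p-Kb <= alice@example.org H=(webmail) [203.0.113.5] P=esmtpsa A=plain:alice S=1031
2020-05-08 14:52:10 1jX2U6-00A32q-Kc <= bulk@example.org H=(db01) [192.0.2.10] P=esmtpsa A=plain:dbsystem S=990
2020-05-08 14:52:12 1jX2U8-00A32r-Kd <= bulk@example.org H=(db01) [192.0.2.10] P=esmtpsa A=plain:dbsystem S=990
2020-05-08 14:52:14 1jX2UA-00A32s-Ke <= bulk@example.org H=(db01) [192.0.2.10] P=esmtpsa A=plain:dbsystem S=990
2020-05-08 14:52:30 1jX2UQ-00A32t-Kf <= alice@example.org H=(webmail) [203.0.113.5] P=esmtpsa A=plain:alice S=1040
2020-05-08 14:53:00 1jX2Uv-00A32u-Kg <= sender@example.net H=mx.example.net [198.51.100.7] P=esmtp S=2048
2020-05-08 15:30:00 1jX35k-00A33a-Kh <= alice@example.org H=(webmail) [203.0.113.5] P=esmtpsa A=plain:alice S=1050
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\].*? A=[^:\s]+:(?P<user>\S+)"
)

def parse_arrivals(log_text):
    """Yield (timestamp, source address, user) for authenticated arrivals only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # inbound mail without an A= field never matches and is skipped
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   ipaddress.ip_address(m["ip"]), m["user"])

def find_rate_offenders(log_text, limit=500, window=timedelta(minutes=30),
                        exempt_networks=("192.0.2.0/24",)):
    """Return [(user, timestamp, count)] for each message pushing a non-exempt user above `limit` within `window`."""
    nets = [ipaddress.ip_network(n) for n in exempt_networks]
    recent = defaultdict(deque)  # user -> arrival times still inside the window
    alerts = []
    for ts, ip, user in parse_arrivals(log_text):
        if any(ip in net for net in nets):
            continue  # on-campus senders (e.g. bulk database systems) are exempt
        q = recent[user]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()  # forget arrivals that have fallen out of the window
        if len(q) > limit:
            alerts.append((user, ts.isoformat(sep=" "), len(q)))
    return alerts

if __name__ == "__main__":
    for user, when, n in find_rate_offenders(SAMPLE_MAINLOG, limit=2):
        print(f"ALERT {when}: {user} sent {n} messages within the window")
```

With the sample data and `limit=2`, only alice trips the check; the campus bulk sender is exempt and her later message falls outside the window.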