Author: Niels Kobschätzki Date: To: exim-users Subject: [exim] Better way to deal with phished users?
Hi,
I have problems again and again with phished users. I want to try a new way to deal with them, but I worry that I'll mess up parts of our monitoring.
One sign of a phished user (if they do not try to log in from lots of different countries) is that they amass, in a short time, quite some mail in my mail queue. Thus my idea is to check for such a user via my monitoring system, and when one is detected, a handler freezes that user and all their current mail in the queue. The part about detecting the spam user via their count of mails in the queue is tested and already gave us far better reaction times; the hit ratio is something like 90% of the time it is a spammer, the other times it is a legitimate user with some other problem (and mails from users who regularly generate messages like spammers do, by newsletters and such, are already automatically moved to another mail server).
The freezing will give the administrators time to check whether it is spam or not (like 30 mails, all with a big alphabetical list, going to one domain like hotmail.com) and then handle it as we usually handle those cases.
Our timeout_after_frozen-timeout is currently rather short (5 minutes), and I wonder whether, if I increase it to something like 16 hours (enough time to check on a user, even when it happens late in the evening on a Saturday and you don't want to check on it first thing on Sunday morning), new problems will come up, like frozen messages living in my queue and messing up my monitoring, e.g. the number of mails in the queue.
IIRC Exim introduced multiple queues a while ago; do I remember correctly? Could I move the mails from such a user to a new queue so that, for example, exim -bpc won't count them? Or is there a better way than my idea above?
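As an added example (not part of the original post and not Exim's own tooling): a small POSIX shell script that parses `exim -bp` output, counts queued messages per envelope sender while ignoring messages that are already frozen, flags senders over a threshold, and freezes or parks their messages. The queue listing is constructed, the sender addresses are made up, the threshold of 2 and the queue name "held" are my choices, and the script only echoes the exim commands unless EXIM_CMD=exim is set (it must then run as root or the Exim admin user).

```shell
#!/bin/sh
# Constructed sample of `exim -bp` output: age, size, message ID, <envelope
# sender>, an optional "*** frozen ***" marker, then indented recipient lines.
SAMPLE_QUEUE='25m  2.9K 1aBcDe-000001-Xy <alice@example.org>
          r1@hotmail.com
          r2@hotmail.com

 3h  1.2K 1aBcDe-000002-Xy <alice@example.org>
          r3@hotmail.com

 1h  4.0K 1aBcDe-000003-Xy <alice@example.org> *** frozen ***
          r4@hotmail.com

12m  1.1K 1aBcDe-000004-Xy <bob@example.org>
          friend@example.net

 2m  0.5K 1aBcDe-000005-Xy <>
          postmaster@example.org
'

# awk condition that matches a message header line (3rd field looks like an
# Exim message ID, 4th field is the <sender>) and is not frozen.
ACTIVE='$3 ~ /^[^-]+-[^-]+-[^-]+$/ && $4 ~ /^<.*>$/ && $0 !~ /\*\*\* frozen \*\*\*/'

# Per-sender count of non-frozen messages, busiest first: "<count> <sender>".
# Reads `exim -bp` output on stdin.
count_by_sender() {
    awk "$ACTIVE"' {
        s = $4; gsub(/[<>]/, "", s)
        if (s == "") s = "<>"        # null envelope sender (bounces)
        n[s]++
    }
    END { for (s in n) print n[s], s }' | sort -rn
}

# Senders with at least $1 non-frozen messages in the queue.
heavy_senders() {
    count_by_sender | awk -v t="$1" '$1 >= t { print $2 }'
}

# Message IDs of the non-frozen messages of sender $1, in queue order.
ids_for_sender() {
    awk -v want="$1" "$ACTIVE"' {
        s = $4; gsub(/[<>]/, "", s)
        if (s == want) print $3
    }'
}

# Number of non-frozen messages: the figure a queue-size alert should use when
# frozen mail is deliberately parked for hours (exim -bpc counts frozen ones too).
active_count() {
    awk "$ACTIVE"' { n++ } END { print n + 0 }'
}

# Freeze every still-active message of sender $1 (exim -Mf <id> ...).
# Dry run by default: EXIM_CMD=exim to really do it.
freeze_sender() {
    ids=$(ids_for_sender "$1")
    [ -n "$ids" ] || return 0
    # word-splitting $ids into separate message IDs is intended
    ${EXIM_CMD:-echo exim} -Mf $ids
}

# Alternative to freezing: move sender $2's active messages into named queue $1
# (assumed Exim named-queue syntax exim -MG <queue> <id> ...; check your version).
park_sender() {
    ids=$(ids_for_sender "$2")
    [ -n "$ids" ] || return 0
    ${EXIM_CMD:-echo exim} -MG "$1" $ids
}

# Demo on the constructed sample; in production feed real output: exim -bp | ...
printf '%s' "$SAMPLE_QUEUE" | heavy_senders 2
printf '%s' "$SAMPLE_QUEUE" | freeze_sender alice@example.org
```

In the sample, alice has three queued messages but only two active ones, so the third is not frozen twice and only the two active IDs appear in the generated `exim -Mf` line. If the queue-size alert is switched from `exim -bpc` to the non-frozen count (`exiqgrep -x -c` gives the same number without this script), a long timeout_frozen_after no longer inflates it. With named queues, `park_sender held alice@example.org` produces the `exim -MG held ...` command instead; messages parked that way are no longer in the default queue that `exim -bpc` counts, can be listed with `exim -bp -qGheld` (check the spec for your Exim version), and frozen messages are released with `exim -Mt <id>` once an administrator has looked at the case.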