Re: [exim] Better way to deal with phished users?

Top Page
Delete this message
Reply to this message
Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] Better way to deal with phished users?
Hi Niels,

Niels Kobschätzki via Exim-users <exim-users@???> (Mo 05 Jul 2021 05:40:04 CEST):
> I have again and again problems with phished users. I want to try a new way to deal with them but I worry that I mess up parts of our monitoring.


If you want to try a *new* way, what's the *old* approach?

> One sign of a phished user (if they do not try to log in from lots of different countries) is that they amass in a short time quite some time in my mail queue. Thus my idea is to check if there is such a user via my monitoring system and when one is detected, there is a handler that will freeze that user and all their current mail in the queue. The part of detecting the spam-user via their count of mails in the queue is tested and already gave us far better reaction times, the hit ratio is like 90% of the time it is a spammer, the other times it is a legitimate user with some other problem (and mails from users who regularly generate messages like spammers by newsletters and such are already automatically moved to another mail-server)


One way to detect phished accounts is by ratelimiting the count of uniqe
addresses the users sends mails to in a given time frame.

        ratelimit = … / per_addr


> Iirc exim introduced multiple queues a while ago, do I remember correctly? Could I move those mails from such a user to a new queue, so that for example exim -bpc won’t count them? Or is there a better way than my idea above?


So somewhere in the RCPT acl

        ratelimit = … / per_addr
        queue = …


could to the trick.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -