Hi Niels,
Niels Kobschätzki via Exim-users <exim-users@???> (Mo 05 Jul 2021 05:40:04 CEST):
> I have again and again problems with phished users. I want to try a new way to deal with them but I worry that I mess up parts of our monitoring.
If you want to try a *new* way, what's the *old* approach?
> One sign of a phished user (if they do not try to log in from lots of different countries) is that they amass in a short time quite some time in my mail queue. Thus my idea is to check if there is such a user via my monitoring system and when one is detected, there is a handler that will freeze that user and all their current mail in the queue. The part of detecting the spam-user via their count of mails in the queue is tested and already gave us far better reaction times, the hit ratio is like 90% of the time it is a spammer, the other times it is a legitimate user with some other problem (and mails from users who regularly generate messages like spammers by newsletters and such are already automatically moved to another mail-server)
One way to detect phished accounts is by ratelimiting the count of unique
addresses the user sends mails to in a given time frame.
ratelimit = … / per_addr
> Iirc exim introduced multiple queues a while ago, do I remember correctly? Could I move those mails from such a user to a new queue, so that for example exim -bpc won’t count them? Or is there a better way than my idea above?
So somewhere in the RCPT acl
ratelimit = … / per_addr
queue = …
could do the trick.
Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
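As an added illustration (my own sketch, not Heiko's configuration or anything from the Exim project) of the RCPT ACL idea above, the fragment below counts distinct recipients per authenticated user with ratelimit/per_addr and diverts the over-limit user's mail into a named queue; the limit of 100 addresses per hour, the queue name "suspect", and keying on $authenticated_id are assumptions.

```exim
# Added example, not from the original thread.  Assumed: submissions are
# SMTP-authenticated, 100 distinct recipients per hour is the threshold,
# and "suspect" is a named queue no regular queue runner processes.
acl_check_rcpt:

  # Count unique recipient addresses (per_addr) per period, keyed on the
  # authenticated login rather than the client IP, so a phished account
  # is measured as one sender no matter how many hosts it connects from.
  # "warn" only records the state; normal acceptance below is unchanged.
  warn
    authenticated = *
    ratelimit     = 100 / 1h / per_addr / $authenticated_id
    # Messages of an over-limit user are spooled into the named queue,
    # so "exim -bpc" on the default queue no longer counts them and the
    # monitoring numbers stay meaningful.
    queue         = suspect
    log_message   = user $authenticated_id exceeded ${sender_rate}/${sender_rate_period} \
                    unique recipients (limit ${sender_rate_limit}); queued to "suspect"

  # Unchanged: authenticated users may relay (rest of the ACL as before).
  accept
    authenticated = *
```

The diverted messages are listed and counted with `exim -qGsuspect -bp` and `exim -qGsuspect -bpc`, and they only leave the host when a queue run for that queue is started explicitly (`exim -qGsuspect`), which is the point where the monitoring handler can freeze or release them after a look at the account.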