Re: [exim] Better way to deal with phished users?

Author: Niels Kobschätzki
Date:  
To: Heiko Schlittermann
CC: exim-users
Subject: Re: [exim] Better way to deal with phished users?


On 5 Jul 2021, at 7:48, Heiko Schlittermann via Exim-users wrote:

> Hi Niels,
>
> Niels Kobschätzki via Exim-users <exim-users@???> (Mon 05 Jul 2021 05:40:04 CEST):
>> I have again and again problems with phished users. I want to try a new way to deal with them, but I worry that I mess up parts of our monitoring.
>
> If you want to try a *new* way, what's the *old* approach?


There are diverse measures, but for that special case there was none (we noticed that special case when the mail queue got too high), but recently the problem got really annoying and I want to automate it. Especially when the spammer hits the mail system at 2am in the morning.

>
>> One sign of a phished user (if they do not try to log in from lots of different countries) is that they amass in a short time quite some mail in my mail queue. Thus my idea is to check if there is such a user via my monitoring system and, when one is detected, there is a handler that will freeze that user and all their current mail in the queue. The part of detecting the spam user via their count of mails in the queue is tested and already gave us far better reaction times; the hit ratio is like 90% of the time it is a spammer, the other times it is a legitimate user with some other problem (and mails from users who regularly generate messages like spammers via newsletters and such are already automatically moved to another mail server).
>
> One way to detect phished accounts is by ratelimiting the count of unique
> addresses the user sends mails to in a given time frame.
>
>         ratelimit = … / per_addr
>
>> IIRC exim introduced multiple queues a while ago, do I remember correctly? Could I move those mails from such a user to a new queue, so that for example exim -bpc won’t count them? Or is there a better way than my idea above?
>
> So somewhere in the RCPT acl
>
>         ratelimit = … / per_addr
>         queue = …
>
> could do the trick.


I didn’t know you could do that kind of rate-limiting, even though I regularly read the Exim documentation (or parts of it). Thanks, I will try that.

Niels
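
As an added illustration (not from the thread and not configuration from either poster), here is what Heiko's sketch could look like once the "…" parts are filled in for a submission server. The ACL name acl_check_rcpt, the queue name "phished" and the limit of 50 distinct recipients per hour are assumptions chosen for the example; per_addr, strict, $authenticated_id, the $sender_rate* variables and the queue modifier (named queues exist since Exim 4.87) are real Exim features.

```exim
# Added example, not from the mailing-list thread. ACL name, queue name and
# the 50/1h limit are assumptions; adjust them to your own traffic profile.

acl_check_rcpt:

  # ... the usual relay, sender and recipient verification comes first ...

  # For authenticated submissions, count the number of *distinct* recipient
  # addresses each account has sent to during the last hour. The key is the
  # authenticated login, not the client IP, so a phished account is caught
  # even when the spammer connects from many different hosts.
  #
  # per_addr : count unique recipients rather than RCPT commands
  # strict   : keep updating the counter while over the limit, so an account
  #            that keeps sending stays over the limit instead of oscillating
  #
  # The message is still accepted, but the "queue" modifier spools it into a
  # named queue that the default queue runner and a plain "exim -bpc" ignore.
  warn
    authenticated = *
    ratelimit     = 50 / 1h / per_addr / strict / $authenticated_id
    queue         = phished
    log_message   = $authenticated_id reached $sender_rate distinct \
                    recipients in $sender_rate_period \
                    (limit $sender_rate_limit); spooled to queue "phished"

  # ... remaining RCPT checks, ending in the usual accept ...
```

Mail in the named queue is not delivered unless a queue runner is started for it, e.g. exim -qGphished -q from cron or a second daemon, and it can be listed with exim -qGphished -bp; that is what keeps a monitoring check based on exim -bpc from being inflated by the suspect mail. The queue modifier is only usable before the message is received (MAIL, RCPT and similar ACLs, not the DATA ACL), and the ratelimit data lives in the hints database under the spool directory, so it survives across connections but not a spool wipe.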