Re: [exim] Better way to deal with phished users?

On 5 Jul 2021, at 13:06, Niels Dettenbach wrote:

> Am Montag, 5. Juli 2021, 09:04:16 CEST schrieb Niels Kobschätzki:
>> On 5 Jul 2021, at 7:54, Niels Dettenbach via Exim-users wrote:
>> Phished users are users from my mail system which are proven regular users
>> who have their accounts for years and whose credentials got compromised
>> and are now suddenly used for sending spam- or phishing mails from my mail
>> system to other systems (and in that special case they are using the
>> Webmail-interface to send out mails and thus they really look like normal
>> users from the point of view of the mailing system).
>>
>> Thus I want to prevent sending out spam/scam mails from my system to others
>> (yes I already have diverse counter-measures in place but for the kind
>> mentioned above they all Gail and I have to intervene manually)
> ouch,
>
> ok.
>
> From my view, the primary way is to force the users to set new credentials
> (if you really mean access credentials - like passwords). As a network /
> email operator on the internet, by "netiquette" it is your responsibility to
> minimize / block abusive traffic from your systems.
>
> At least some countries have regulations by law forcing you to do this (at
> least if you "get aware of").
>
> Until that you may strongly ratelimit or block such users (if you could
> identify them and if it is possible with your contracts / policies) to avoid
> harm to others and (not at least) your own email system (reputation etc.).

The moment I identify them I lock them out of the system, remove all their mails in the queues and they have to reset their password before they can do anything again.
The problem is the identification because you usually get to know it only, when the accounts are actively misused. If I get to know that users where specifically targeted I inform them. And at 2am in the night it might already be too late (you landed yourself on blacklists) - even though you still kick them from the system.

Niels K.