Re: [exim] Better way to deal with phished users?

Author: Niels Kobschätzki
Date:  
To: Heiko Schlittermann
CC: exim-users
Subject: Re: [exim] Better way to deal with phished users?


On 5 Jul 2021, at 7:48, Heiko Schlittermann via Exim-users wrote:

> Hi Niels,
>
> Niels Kobschätzki via Exim-users <exim-users@???> (Mo 05 Jul 2021 05:40:04 CEST):
>> I have again and again problems with phished users. I want to try a new way to deal with them but I worry that I mess up parts of our monitoring.
>
> If you want to try a *new* way, what's the *old* approach?
>
>> One sign of a phished user (if they do not try to log in from lots of different countries) is that they amass in a short time quite some time in my mail queue. Thus my idea is to check if there is such a user via my monitoring system and when one is detected, there is a handler that will freeze that user and all their current mail in the queue. The part of detecting the spam-user via their count of mails in the queue is tested and already gave us far better reaction times, the hit ratio is like 90% of the time it is a spammer, the other times it is a legitimate user with some other problem (and mails from users who regularly generate messages like spammers by newsletters and such are already automatically moved to another mail-server)
>
> One way to detect phished accounts is by ratelimiting the count of unique
> addresses the user sends mails to in a given time frame.
>
>         ratelimit = … / per_addr


According to the documentation: “The per_addr option is like the per_rcpt option, except it counts the number of different recipients that **the client** has sent messages to in the last time period.”
What is a client? Does sending 10 mails with 50 recipients each from one sender with like a webmailer count like 500 addresses or like 10x 50 addresses because there will probably always be a new connect?

Best,
Niels
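Added illustration (not from either poster) of how such a limit is keyed in an Exim RCPT ACL. In the ratelimit condition the fourth part is the key, and that key is what "the client" refers to: with $authenticated_id as the key, every connection an authenticated webmail user opens updates the same per_addr bucket, so it is the set of distinct recipient addresses that is counted, not the number of connections. The ACL name, the limit of 200 addresses per hour and the log text are placeholder choices, and defer is used instead of deny so that the roughly one-in-ten legitimate user is delayed rather than bounced while monitoring picks up the log line.

```exim
# Hypothetical RCPT-time ACL fragment (added example; values are placeholders).
acl_check_rcpt:

  # Only meter authenticated submissions, i.e. our own (possibly phished) users.
  # per_addr counts distinct recipient addresses seen under the key in the last
  # period; the key $authenticated_id ties the count to the account, not to the
  # connection or the client IP (which is the default key when none is given).
  defer authenticated = *
        ratelimit     = 200 / 1h / per_addr / $authenticated_id
        log_message   = RATELIMIT per_addr: $authenticated_id reached \
                        $sender_rate distinct recipients in $sender_rate_period \
                        (limit $sender_rate_limit)
        message       = Too many distinct recipients from this account in the \
                        last hour; please try again later or contact support.

  accept
```

The log_message line is what a monitoring system would match on, so the existing queue-count check and this limit can feed the same handler.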