Re: [exim] Better way to deal with phished users?

On 5 Jul 2021, at 13:25, Niels Dettenbach via Exim-users wrote:

> Am Montag, 5. Juli 2021, 13:19:45 CEST schrieb Niels Kobschätzki:
>> The moment I identify them I lock them out of the system, remove all their
>> mails in the queues and they have to reset their password before they can
>> do anything again. The problem is the identification because you usually
>> get to know it only, when the accounts are actively misused. If I get to
>> know that users where specifically targeted I inform them. And at 2am in
>> the night it might already be too late (you landed yourself on blacklists)
>> - even though you still kick them from the system.
>
> ...beside exims "ratelimiting" (which is just lowering the impact at the cost
> of all users)

actually depending on how the rate limiting works it doesn’t impact all users and I can whitelist users that are legitimate but would be hit by the rate-limiting.

> - is there any way to monitor the webmail webserver or
> application logs from your webmail system (most known webmail solutions do/
> allow some way to log with "username")? If someone sends out hundreds of
> mails per hour per webmail, this is probably bot behaviour (fail2ban or
> similiat tools may help then reacting with "some command")...
>
> just as an idea...

Unfortunately that’s not so easy because you would need to extend the webmail-software with a plug-in so that the webmailer is actually aware of something like this. And 500 mails with 1 address and 10 mails with 50 addresses would be probably something different for the webmailer. There are some parts on the webmail-side where you can make things harder depending on the webmailer.

Niels