Jethro,

> Forgive me, this is my cantankerous day for the week.

Never mind. I have these kind of days as well.

> Ah right. You're not talking about particular known users with a problem,
> you are talking about the general case, or the theoretical problem then?

Imagine we were Yahoo. We're not, but let's say we're something similar. Don't want to expose more details here. So this means:

- it is part of our business model that we allow people to create an account without having their data being checked by the CIA, FBI or any such organisation
- we also provide e-mail services to 3rd parties whose networks we don't control.

Of course we give all the recommendations you mentioned (not saving passwords, keeping anti-virus software up to date, you name it), but we can do hardly anything more than recommend this. We cannot enforce it. That's the problem.

> As the esteemed Alan Flavell will point out, dealing with spammer tactics is
> an arms race.

Sure.

> Whatever arbitrary limit gets recommended as a threshold, the spammers will
> probably adjust to it in time. Given the numbers of computers a trojan or
> worm working under a particular spamgang's direction can compromise, it
> actually doesn't need very many emails over a given amount of time from any
> particular machine to send a lot of mail as a whole.

You're right. But here I am concerned mostly with the amount of spam that gets sent over accounts that I am responsible for. If a worm infects 100.000 PCs, two dozen of them being logged into our system, and we limit the amount of emails that can be sent, our share of the problem is very limited.

> The slower they do it, and to fewer recipients, for each machine, the less
> likely it is you'll spot them. Meanwhile, adjusting thresholds to try to
> catch them means inconveniencing more people as you approach the sorts of
> numbers and frequencies that typical email users use.

I'd love to save people the burden of locking their doors when they leave, because it brings all that hassle with looking for keys, etc. Unfortunately we haven't managed to create a world where this is possible.

The issue is just that today it's too easy. You create an account, which takes 2-3 minutes, and you have a free ride on our server. This is what we need to at least significantly limit. I believe that spammers like to keep it simple as well. A service like ours is sort of a honeypot to them at this point in time. If we make it harder for them they will most likely search for other services. At least this is the hope. On the other hand, if we allow them some dozens of emails before their account gets closed, this will be a bad effort / spam ratio for them. Those people think along the lines of 100.000 emails in a single campaign.

Regards,
Torsten

> On Wed, 11 May 2005 [EMAIL PROTECTED] wrote:
>
>> This is brilliant idea. Do you mind if I pipe our Exim mainlog file to
>> your terminal so you can spot these users right in time and alert me to
>> suspend their accounts?
>
> Ah right. You're not talking about particular known users with a problem,
> you are talking about the general case, or the theoretical problem then?
>
>> It basically monitors the log file every five minutes and counts how many
>> emails a user has sent. If this goes over a certain threshold (say 20
>> emails in a five minute interval) that user will end up on a throttling
>> list, meaning any further emails will be delayed.
> ...
>
> Try searching the archives for "rate limiting" or similar phrases, as this
> has been discussed before. (I should do the same, since I have been
> pondering a similar question recently).
>
> I'm guessing that spamguard processes the logs of these other MTAs and
> keeps track of sending IPs over time and other data. It shouldn't be too
> hard to write it to parse the exim mainlog as well. Alternatively, maybe
> you could pre-process an exim log file to make it look substantially
> (enough) like the format of one of the other programs' logs.
>
>> If he hits the next threshold the user will get temporarily suspended and
>> the admin alerted via email to take care. Which usually means: talk to the
>> user, find out if this is due to a virus infection or if the user really
>> is a bad guy.
>
> Would the user admit to being a bad guy? Also, educate your users not to
> save their password in their mail client, type it in when it starts up.
> That will probably alleviate some of the problem.
>
>> The rationale is: a spammer will have a hard time sending more than a
>> couple of dozen mails before he will automatically be stopped, and this
>> without any human intervention.
>>
>> On the other hand, hardly any "normal" user will have to send more than 20
>> mails every five minutes, will he? For mailing lists and special users
>> there is a whitelist of privileged accounts which do not fall under these
>> limits.
>
> What happens when one of those privileged accounts is the one being
> compromised/becomes a bad guy? I can well imagine that more people than
> you might imagine like to send a message to a whole bunch of folks.
>
> As the esteemed Alan Flavell will point out, dealing with spammer tactics
> is an arms race. Whatever arbitrary limit gets recommended as a threshold,
> the spammers will probably adjust to it in time. Given the numbers of
> computers a trojan or worm working under a particular spamgang's direction
> can compromise, it actually doesn't need very many emails over a given
> amount of time from any particular machine to send a lot of mail as a
> whole. The slower they do it, and to fewer recipients, for each machine,
> the less likely it is you'll spot them. Meanwhile, adjusting thresholds to
> try to catch them means inconveniencing more people as you approach the
> sorts of numbers and frequencies that typical email users use.
>
> Not that that means you shouldn't try, though.
>
> You are, of course, virus-checking mail these machines are sending to at
> least limit further propagation of nasties by that method?
>
> Forgive me, this is my cantankerous day for the week.
>
> Jethro.
>
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks
> Computing Officer, IT Services
> University Of Strathclyde, Glasgow, UK
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
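The two-threshold log monitor described in the thread (count authenticated arrivals per account over a five-minute window, throttle at 20, suspend and alert at a higher threshold, skip whitelisted list accounts), as an added illustration that is not Torsten's script nor anything from the Exim project. It parses the `A=<authenticator>:<user>` field of Exim mainlog `<=` arrival lines; the log lines, the 40-message suspend threshold and the `listadmin` whitelist entry are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

THROTTLE = 20              # arrivals per window: delay further mail
SUSPEND = 40               # arrivals per window: suspend account, alert the admin (assumed value)
WINDOW = timedelta(minutes=5)
WHITELIST = {"listadmin"}  # privileged accounts (lists, bulk senders) that are never limited

# Exim mainlog arrival line: "<date> <time> <msgid> <= <sender> ... A=<auth>:<user> ..."
ARRIVAL_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ .*\bA=\w+:(\S+)")

def arrivals(log_text):
    """Yield (timestamp, authenticated user) for each authenticated '<=' line."""
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)

def classify(log_text, now):
    """Return {user: verdict} for accounts that sent mail in the window ending at `now`."""
    counts = defaultdict(int)
    for ts, user in arrivals(log_text):
        if now - WINDOW < ts <= now:        # sliding window, not a calendar bucket
            counts[user] += 1
    verdict = {}
    for user, n in counts.items():
        if user in WHITELIST:
            verdict[user] = "whitelisted"
        elif n >= SUSPEND:
            verdict[user] = "suspend"       # second threshold: lock out, mail the admin
        elif n >= THROTTLE:
            verdict[user] = "throttle"      # first threshold: delay further mail
        else:
            verdict[user] = "ok"
    return verdict

# --- constructed sample log (not real Exim output) --------------------------
def _line(ts, user, seq):
    return (f"{ts:%Y-%m-%d %H:%M:%S} 1DV{seq:03d}-0001Ab-00 <= {user}@example.org "
            f"H=(pc) [10.0.0.5] P=esmtpa A=login:{user} S=812")

T0 = datetime(2005, 5, 11, 10, 0, 0)
NOW = T0 + timedelta(minutes=5)
_lines = [_line(T0 + timedelta(minutes=2, seconds=30 * i), "alice", i) for i in range(3)]
_lines += [_line(T0 + timedelta(minutes=1, seconds=5 * i), "bob", 10 + i) for i in range(25)]
_lines += [_line(T0 + timedelta(minutes=4, seconds=i), "listadmin", 100 + i) for i in range(45)]
_lines += [_line(T0 - timedelta(minutes=20, seconds=i), "carol", 200 + i) for i in range(10)]
_lines.append(f"{T0:%Y-%m-%d %H:%M:%S} 1DV999-0001Ab-00 => bob@example.net R=dnslookup T=remote_smtp")
SAMPLE_LOG = "\n".join(_lines)   # the '=>' delivery line above is ignored by the parser

if __name__ == "__main__":
    print(classify(SAMPLE_LOG, NOW))   # {'alice': 'ok', 'bob': 'throttle', 'listadmin': 'whitelisted'}
```

Run every five minutes from cron with the real mainlog and the current time, the "throttle" and "suspend" verdicts are what would feed the throttling list and the admin alert; carol's older burst falls outside the window and is not counted.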
