> From: Kebba Foon
> recently I found out that some of the IPs I allow relay for are
> infected and send a lot of mails with fake sender addresses
The bounces/backscatter are because a lot of these mails are to nonexistent recipient addresses (spammers' lists contain a lot of nonexistent addresses). So infected IPs can be automatically blocked:

  # a user that sends mail to more than LIM invalid recipients during PERIOD gets blocked
  LIM = 100
  PERIOD = 1h
  WARNTO = [email protected]
  EXIMBINARY = /usr/local/sbin/exim
  SHELL = /bin/sh
  ...
  acl_check_rcpt:
    ...
    # 1. a user already listed in blocked_users: accept the message but freeze it
    accept hosts = +relay_from_hosts
           set acl_m_user = $sender_host_address
           # (or the userid from RADIUS if IPs are assigned dynamically;
           #  $acl_m_user is put on a shell command line below, so it must
           #  never contain shell metacharacters)
           condition = ${if exists{$spool_directory/blocked_users}}
           condition = ${if eq{${lookup{$acl_m_user}lsearch\
                            {$spool_directory/blocked_users}{1}{0}}}{1}}
           control = freeze/no_tell
           add_header = X-User: $acl_m_user

    # 2. recipient fails verification: count it against the user's rate; once
    #    the rate exceeds LIM, record the user in blocked_users, notify WARNTO
    #    and freeze this message
    accept hosts = +relay_from_hosts
           !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
           ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
           continue = ${run{SHELL -c "echo $acl_m_user \
                      >>$spool_directory/blocked_users; \
                      \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
                      has sent mail to LIM invalid recipients during PERIOD.; \
                      \N}\N | EXIMBINARY WARNTO"}}
           control = freeze/no_tell
           add_header = X-User: $acl_m_user

    # 3. everything else from relay hosts goes through as normal submission
    accept hosts = +relay_from_hosts
           control = submission/domain=

After you get the notification, you look up the frozen messages in the queue (using exipick). If that's spam, you make the user disinfect the machine, exact the fine (according to the contract), and after that you delete the line with the userid from the blocked_users file and delete the frozen spam using exipick.
If you relay from authenticated users then the approach is similar:

    # 1. an already blocked user: accept but freeze
    accept authenticated = *
           set acl_m_user = $authenticated_id
           # in case of mailboxes in /var/mail (keep only the local part):
           #   set acl_m_user = ${sg{$authenticated_id}{\N\W.*$\N}{}}
           # $acl_m_user is put on a shell command line below, so it must
           # never contain shell metacharacters
           condition = ${if exists{$spool_directory/blocked_users}}
           condition = ${if eq{${lookup{$acl_m_user}lsearch\
                            {$spool_directory/blocked_users}{1}{0}}}{1}}
           control = freeze/no_tell
           add_header = X-Authenticated-As: $acl_m_user

    # 2. invalid recipient: count it; over LIM per PERIOD blocks the user
    accept authenticated = *
           !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
           ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
           continue = ${run{SHELL -c "echo $acl_m_user \
                      >>$spool_directory/blocked_users; \
                      \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
                      has sent mail to LIM invalid recipients during PERIOD.; \
                      \N}\N | EXIMBINARY WARNTO"}}
           control = freeze/no_tell
           add_header = X-Authenticated-As: $acl_m_user

    # 3. everything else from authenticated users is normal submission
    accept authenticated = *
           control = submission/domain=

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
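As an added example (not part of the original post, and not Exim's own code), the following Python models what the three accept statements above decide per RCPT TO for one relay client: the blocked_users lookup, a rate that is only charged when recipient verification fails, the automatic block once that rate exceeds LIM, and the manual unblock step after cleanup. The smoothing is an assumption modelled on the exponentially weighted moving average that Exim's documentation describes for the ratelimit condition, so treat its numbers as an approximation of a real Exim rather than a reproduction; the class, method names and the sample addresses are this example's own. It makes one consequence of the smoothing visible: 101 dead addresses in a single burst trip LIM = 100, while 50 now and 50 more half an hour later stay around 80 per hour because the earlier rate has decayed.

```python
"""Model of the per-user invalid-recipient rate limit used in the ACL above.

Added example: not code from the original post or from Exim itself.  The
smoothing is an assumption modelled on the exponentially weighted moving
average Exim documents for its ratelimit condition; the figures approximate
a real Exim rather than reproduce it.  All names here are this example's own.
"""
import math

LIM = 100          # macro LIM in the ACL: invalid recipients allowed per PERIOD
PERIOD = 3600.0    # macro PERIOD = 1h, expressed here in seconds


class RelayGuard:
    """Tracks invalid-recipient rates per user and the blocked_users list."""

    def __init__(self, lim=LIM, period=PERIOD, blocked=()):
        self.lim = lim
        self.period = period
        self.blocked = set(blocked)   # stands in for $spool_directory/blocked_users
        self.state = {}               # user -> (smoothed rate per PERIOD, last update)
        self.notifications = []       # what the ${run{...}} would mail to WARNTO

    def rate_of(self, user):
        """Current smoothed rate for a user, in events per PERIOD."""
        return self.state.get(user, (0.0, 0.0))[0]

    def _update_rate(self, user, now):
        """EWMA update for one event; a new user starts from rate 0 at 'now'."""
        rate, last = self.state.get(user, (0.0, now))
        i_over_p = (now - last) / self.period   # interval since last event, in periods
        a = math.exp(-i_over_p)                 # weight kept by the old rate
        if i_over_p > 1e-6:
            rate = (1 - a) / i_over_p + a * rate  # one event spread over the interval
        else:
            rate = 1 + a * rate                   # limit of the above as interval -> 0
        self.state[user] = (rate, now)
        return rate

    def rcpt(self, user, recipient_exists, now):
        """Verdict for one RCPT TO from a relay client: 'accept' or 'freeze'.

        Mirrors the three accept statements: a user already in blocked_users is
        frozen outright, a recipient that fails verification is charged to the
        rate, and crossing LIM records the user, notifies and freezes the message.
        """
        if user in self.blocked:
            return "freeze"
        if recipient_exists:
            return "accept"           # !verify = recipient fails, ratelimit not reached
        if self._update_rate(user, now) > self.lim:
            self.blocked.add(user)    # the 'echo ... >>blocked_users' side effect
            self.notifications.append(
                "user %s blocked: sent mail to more than %d invalid recipients "
                "during the period" % (user, self.lim))
            return "freeze"
        return "accept"

    def unblock(self, user):
        """The manual step after cleanup: remove the user's line from blocked_users."""
        self.blocked.discard(user)
        self.state.pop(user, None)


def demo():
    # Constructed traffic: one host spewing to 101 dead addresses in a burst,
    # one host whose bad addresses are spread over half a period.
    g = RelayGuard()
    burst = [g.rcpt("198.51.100.7", False, 0.0) for _ in range(101)]
    for _ in range(50):
        g.rcpt("203.0.113.5", False, 0.0)
    spread = [g.rcpt("203.0.113.5", False, 1800.0) for _ in range(50)]
    return {
        "burst_first_freeze": burst.index("freeze") if "freeze" in burst else None,
        "spread_all_accepted": all(v == "accept" for v in spread),
        "spread_rate": round(g.rate_of("203.0.113.5"), 2),
        "blocked": sorted(g.blocked),
        "valid_rcpt_while_blocked": g.rcpt("198.51.100.7", True, 5.0),
    }


if __name__ == "__main__":
    print(demo())
```

In the first ACL `user` is a sender IP and in the second an authenticated id; the original config puts that value on a `SHELL -c` command line, so the model assumes it has already been restricted to safe characters, as the comments in the config say.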
