Thank you - that's very educational.

But it looks like 1/2 the solution unless I'm missing something. How do the messages get unfrozen?

What I want to do is freeze the messages if the inbound rate is high because I don't know if they are good or not. Then after 5 minutes when I know they are good I want to release them. Or if they are bad I want to discard them. And I would have to unfreeze them by the sender because I might be dealing with more than one account that was hacked.

On 4/10/2011 4:26 AM, [email protected] wrote:
From: Marc Perkel
I've been working on outbound filtering and trying to come up with a new
set of tricks. Outbound filtering is very different than inbound.

Here's the situation. An ISP has thousands of email users and some have
used weak passwords or otherwise been suckered into giving up the
password. The spammer gets access and starts sending spam at the rate of
thousands per minute.

I can detect the increase in the speed of sending rather quickly but it
might take say - 5 minutes - to determine if it's a spammer or someone
with a big email list sending legitimate email - and get that
information to my servers. During the 5 minutes the spammer would be
able to send thousands of spams before being shut down.
Another solution is based on the fact that many or most of the email addresses
the spammer sends to don't exist. The idea was posted to this list.
My implementation:

LIM = 100
PERIOD = 1h
WARNTO = [email protected]
EXIMBINARY = /usr/local/sbin/exim -f root
SHELL = /bin/sh
untrusted_set_sender = *
local_from_check = false
...
begin acl
acl_check_rcpt:
...
   # Relayed (unauthenticated) clients: a client already on the block list
   # has every further message frozen.
   accept hosts = !@[] : +relay_from_hosts
          set acl_m_user = $sender_host_address
                           # or a user id from RADIUS
          condition = ${if exists{$spool_directory/blocked_relay_users}}
          condition = ${lookup{$acl_m_user}lsearch\
                      {$spool_directory/blocked_relay_users}{1}{0}}
          control = freeze/no_tell
          add_header = X-Relayed-From: $acl_m_user

   # A relayed client that has addressed LIM non-existent recipients within
   # PERIOD is appended to the block list, WARNTO is notified, and the
   # message is frozen. The conditions run in order, so the ratelimit is
   # only counted for recipients that fail verification.
   accept hosts = !@[] : +relay_from_hosts
          !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
          ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
          continue = ${run{SHELL -c "echo $acl_m_user \
             >>$spool_directory/blocked_relay_users; \
             \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
             because has sent mail to LIM invalid recipients during PERIOD.; \
             \N}\N | EXIMBINARY WARNTO"}}
          control = freeze/no_tell
          add_header = X-Relayed-From: $acl_m_user

   accept hosts = +relay_from_hosts
          control = submission/domain=

   # Authenticated senders: the same two steps, keyed on the authenticated id.
   # $acl_m_user is interpolated into a shell command line in the ${run}
   # below, so the authenticator must restrict $authenticated_id to safe
   # characters or that ${run} becomes a command-injection point.
   accept authenticated = *
          set acl_m_user = $authenticated_id
          # in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
          condition = ${if exists{$spool_directory/blocked_authenticated_users}}
          condition = ${lookup{$acl_m_user}lsearch\
                      {$spool_directory/blocked_authenticated_users}{1}{0}}
          control = freeze/no_tell
          add_header = X-Authenticated-As: $acl_m_user

   accept authenticated = *
          !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
          ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
          continue = ${run{SHELL -c "echo $acl_m_user \
             >>$spool_directory/blocked_authenticated_users; \
             \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
             has sent mail to LIM invalid recipients during PERIOD.; \
             \N}\N | EXIMBINARY WARNTO"}}
          control = freeze/no_tell
          add_header = X-Authenticated-As: $acl_m_user

   accept authenticated = *
          control = submission/domain=



--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
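The question at the top of this message, how frozen messages get released, is not covered by the quoted ACL: it only appends a sender to the blocked_*_users files and freezes that sender's mail. The script below is an added example, not code from the original post or from the Exim project. It assumes the quoted ACL is in place (every relayed or authenticated message carries an X-Authenticated-As or X-Relayed-From header naming $acl_m_user), that exim and exiqgrep are on PATH, and a spool directory of /var/spool/exim (an assumed default; the script name release.sh is also hypothetical).

```sh
#!/bin/sh
# Release or discard the frozen mail of one sender, then take the sender off
# the block list.  Added example, not from the original post.  Assumes the
# quoted ACL: each message is tagged X-Authenticated-As or X-Relayed-From with
# $acl_m_user, blocked senders are listed one per line in
# $spool_directory/blocked_authenticated_users or blocked_relay_users, and
# exim/exiqgrep are on PATH.  SPOOL is an assumed default.
set -eu

SPOOL=${SPOOL:-/var/spool/exim}

# True when the header text on stdin (the spool -H file as printed by
# "exim -Mvh <id>", or bare header lines) carries the tag for $1.  The tag is
# matched rather than the envelope sender because the ACL sets
# untrusted_set_sender = *, so a hijacked account can forge any MAIL FROM,
# while the tag header is added by the ACL itself.
tagged_for_user() {
    awk -v user="$1" '
        { line = $0; sub(/^[0-9]+. /, "", line) }   # drop "<len><flag> " spool prefix
        line == "X-Authenticated-As: " user || line == "X-Relayed-From: " user {
            found = 1; exit
        }
        END { exit (found ? 0 : 1) }'
}

# Remove every line equal to $2 from block-list file $1 (no-op if absent).
# The ACL only ever appends to this file, so without this step a released
# sender's next message would be frozen again by the lookup in the ACL.
unblock_user() {
    file=$1 user=$2
    [ -f "$file" ] || return 0
    tmp=$(mktemp "$file.XXXXXX")
    cp -p "$file" "$tmp"                        # keep owner/mode readable by exim
    grep -vxF -- "$user" "$file" > "$tmp" || :  # grep exits 1 when no lines remain
    mv -f "$tmp" "$file"
}

# Thaw (verdict good) or delete without bouncing (verdict bad) every frozen
# queue message tagged for $1.
handle_frozen() {
    user=$1 verdict=$2
    case $verdict in
        good) action=-Mt ;;    # thaw: delivery resumes at the next queue run
        bad)  action=-Mrm ;;   # remove from the queue, no bounce generated
        *) echo "verdict must be good or bad" >&2; return 2 ;;
    esac
    for id in $(exiqgrep -z -i); do            # -z: frozen only, -i: ids only
        if exim -Mvh "$id" | tagged_for_user "$user"; then
            exim "$action" "$id"
        fi
    done
}

# Usage: release.sh <user-or-ip> good|bad
if [ $# -eq 2 ]; then
    handle_frozen "$1" "$2"
    if [ "$2" = good ]; then
        unblock_user "$SPOOL/blocked_authenticated_users" "$1"
        unblock_user "$SPOOL/blocked_relay_users" "$1"
    fi
fi
```

Matching on the header the ACL adds, rather than on the envelope sender that exiqgrep -f would search, matters because untrusted_set_sender = * lets a hijacked account put any address in MAIL FROM. exim -Mt thaws a message and exim -Mrm drops it without generating a bounce; both act only on the message ids given, so a bad verdict for one account leaves other users' queued mail untouched.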