On Sun, 2011-04-10 at 07:18 -0700, Marc Perkel wrote:
> But it looks like 1/2 the solution unless I'm missing something. How do
> the messages get unfrozen?

We do something similar on outgoing messages to catch compromised email
accounts:

1. Track rates of $sender_address using Exim's built-in ratelimit code
   at the RCPT stage.
2. When a threshold is reached, use "control = freeze" on the messages
   from $sender_address.
3. Notify the admins that $sender_address needs looking at.

We then manually inspect the message flow, starting with recipient
addresses, then subjects, to determine whether the flow is valid. If it
is, we use "exim -Mt" on all affected messages from $sender_address; if
it isn't, we investigate further to see if the account is being abused.
Further action following that part is out of Exim's scope.

It's not a good idea to automate the check stage, but the unfreezing bit
could be done via a cron job which reads from a database table rather
than from the shell.

Graeme

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
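
Added example (not part of Graeme's message and not Exim project code): a sketch of the cron-side thaw step described above, which reads admin-approved senders from a database table and builds "exim -Mt" command lines for their frozen messages. The table name approved_senders, the addresses and the sample "exim -bp" listing are assumptions constructed for illustration; the manual check stays with the admin who fills the table.

```python
import re
import sqlite3

# One header line per queued message in `exim -bp` output:
#   age  size  message-id  <envelope-sender>  [*** frozen ***]
HEADER = re.compile(
    r"^\s*\d+[mhd]\s+\S+\s+"
    r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6,11}-[0-9A-Za-z]{2,4})\s+"
    r"<(?P<sender>[^>]*)>(?P<frozen>\s+\*\*\* frozen \*\*\*)?\s*$"
)

def frozen_by_sender(bp_output):
    """Map lower-cased envelope sender -> list of frozen message IDs."""
    result = {}
    for line in bp_output.splitlines():
        m = HEADER.match(line)
        if m and m.group("frozen"):
            result.setdefault(m.group("sender").lower(), []).append(m.group("id"))
    return result

def thaw_commands(bp_output, db):
    """One `exim -Mt` argv per sender in the (hypothetical) approved_senders table."""
    approved = {row[0].lower() for row in
                db.execute("SELECT sender FROM approved_senders")}
    frozen = frozen_by_sender(bp_output)
    # A cron job would hand each argv to subprocess.run(); here we only build them.
    return [["exim", "-Mt", *ids]
            for sender, ids in sorted(frozen.items()) if sender in approved]

# Constructed sample queue listing (not from a real server).
SAMPLE_BP = """\
 2h  1.4K 1Q8abc-0001Xy-Ab <alice@example.com> *** frozen ***
          bob@example.net

 2h  1.4K 1Q8abd-0001Xz-Cd <alice@example.com> *** frozen ***
          carol@example.net

 1h  3.0K 1Q8abe-0002Aa-Ef <mallory@example.com> *** frozen ***
          victim@example.org

10m  0.9K 1Q8abf-0002Ab-Gh <alice@example.com>
          dave@example.net
"""

def demo():
    # Constructed table: an admin has approved alice after inspecting her flow.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE approved_senders (sender TEXT PRIMARY KEY)")
    db.execute("INSERT INTO approved_senders VALUES ('Alice@example.com')")
    return thaw_commands(SAMPLE_BP, db)
```

Messages from senders not in the table stay frozen, and unfrozen messages are never touched, so the rate-limit freeze still holds for accounts that have not been reviewed.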
