> From: Ralph Ballier
> What can I do against such abuse, if somebody loses username and password?
> Is it possible to limit the number of mails from one user per minute or so?
Yes, but such limits inconvenience honest people. Another way was proposed on this list: to check not the rate of messages or total recipients, but the rate of attempts to send to invalid (nonexistent) recipients, because spammers and spambots send to much dirtier lists of email addresses than honest people: a large part of the email addresses in spammers' lists don't exist anymore or never existed (Message-Ids and corrupted strings in memory taken by address harvesters as email addresses). Moreover, just a limit is not enough: the compromised password needs to be automatically blocked, with notification to the admin or abuse desk.

My implementation:

LIM = 100
PERIOD = 1h
WARNTO = [email protected]
EXIMBINARY = /usr/local/sbin/exim -f root
SHELL = /bin/sh

begin acl

acl_check_rcpt:
  ...
  accept authenticated = *
         set acl_m_user = $authenticated_id
         # in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
         condition = ${if exists{$spool_directory/blocked_authenticated_users}}
         condition = ${lookup{$acl_m_user}lsearch\
                     {$spool_directory/blocked_authenticated_users}{1}{0}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Authenticated-As: $acl_m_user

  accept authenticated = *
         !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
         ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
         continue = ${run{SHELL -c "echo $acl_m_user \
                    >>$spool_directory/blocked_authenticated_users; \
                    \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
                    has sent mail to LIM invalid recipients during PERIOD.; \
                    \N}\N | EXIMBINARY WARNTO"}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Authenticated-As: $acl_m_user

  accept authenticated = *
         control = submission/domain=

  accept hosts = !@[] : +relay_from_hosts
         set acl_m_user = $sender_host_address
         # or a userid from RADIUS
         condition = ${if exists{$spool_directory/blocked_relay_users}}
         condition = ${lookup{$acl_m_user}lsearch\
                     {$spool_directory/blocked_relay_users}{1}{0}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Relayed-From: $acl_m_user

  accept hosts = !@[] : +relay_from_hosts
         !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
         ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
         continue = ${run{SHELL -c "echo $acl_m_user \
                    >>$spool_directory/blocked_relay_users; \
                    \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
                    because has sent mail to LIM invalid recipients during PERIOD.; \
                    \N}\N | EXIMBINARY WARNTO"}}
         control = freeze/no_tell
         control = submission/domain=
         add_header = X-Relayed-From: $acl_m_user

  accept hosts = +relay_from_hosts
         control = submission/domain=

When the abuse desk receives a warning message about an automatically blocked user, they need to inspect the content of a few frozen messages in the queue using `exipick`. If it's spam, then change the user's password and fine the user (according to contract) for not guarding against Windows malware stealing passwords (or for falling for phishing); meanwhile keep the frozen messages as evidence until the fine is exacted. In the unlikely case that it's not spam, delete the line with the username from the blocked users file with a text editor (or delete the file if it contains only one line, which is likely) and unfreeze the messages, also using `exipick`.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
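As an added illustration (not part of the original post), the following Python simulation contrasts the two limits the reply discusses: a naive per-user limit on total recipients, and the invalid-recipient limit the ACL above implements. It assumes a plain sliding window instead of Exim's exponentially weighted moving average, and the traffic it processes is constructed.

```python
from collections import defaultdict, deque

LIM = 100      # invalid recipients tolerated per user within PERIOD (the ACL's macros)
PERIOD = 3600  # seconds, i.e. 1h

class InvalidRecipientLimiter:
    """Per-user count of RCPTs to nonexistent recipients (assumed sliding window)."""

    def __init__(self, lim=LIM, period=PERIOD):
        self.lim, self.period = lim, period
        self.invalid = defaultdict(deque)  # user -> times of failed recipient verifies
        self.total = defaultdict(deque)    # user -> times of all RCPTs (for comparison)
        self.blocked = set()               # stands in for blocked_authenticated_users

    def _prune(self, q, now):
        while q and now - q[0] > self.period:
            q.popleft()

    def rcpt(self, now, user, recipient_valid):
        """Handle one RCPT; returns 'freeze', 'block' or 'accept' like the ACL clauses."""
        if user in self.blocked:           # clause 1: listed user -> freeze/no_tell
            return "freeze"
        self.total[user].append(now)
        self._prune(self.total[user], now)
        if not recipient_valid:            # clause 2: !verify = recipient ...
            q = self.invalid[user]
            q.append(now)
            self._prune(q, now)
            if len(q) > self.lim:          # ... and ratelimit exceeded:
                self.blocked.add(user)     # append to file, mail WARNTO, freeze
                return "block"
        return "accept"                    # clause 3: ordinary submission

    def naive_limit_hit(self, user):
        return len(self.total[user]) > self.lim  # a total-recipients limit would fire

def simulate(events):
    """events: (seconds, user, recipient_exists) tuples -> per-user summary dict."""
    lim, actions = InvalidRecipientLimiter(), defaultdict(list)
    for t, user, ok in sorted(events):
        actions[user].append(lim.rcpt(t, user, ok))
    return {u: {"blocked": u in lim.blocked, "naive_limit_hit": lim.naive_limit_hit(u),
                "frozen": a.count("freeze")} for u, a in actions.items()}

def constructed_events():
    """Constructed hour: a newsletter with a 1% stale list, and a compromised
    account 'bob' working through a harvested list that is 80% dead."""
    newsletter = [(i * 3, "newsletter", i % 100 != 0) for i in range(400)]
    spambot = [(i * 4, "bob", i % 5 == 0) for i in range(150)]
    return newsletter + spambot
```

Both senders exceed a 100-recipients-per-hour limit, but only the account sending to nonexistent addresses gets blocked and its later messages frozen.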
