On Tue, Dec 11, 2012 at 9:08 PM, Cyborg <[email protected]> wrote:
> On 11.12.2012 16:42, Jan Ingvoldstad wrote:
>> 1. Permit accounts to send on behalf of their associated domain name.
>
> IMHO, it would be enough to check if the sender domain matches the account
> domains.

Now you're assuming that there is a one-to-one relationship between account name and email address, which is something I tried to avoid in my example.

Many email setups still use Unix usernames or similar solutions. :)

> if the attacker uses the mailclient of the customer, there will be no
> chance to find out, except for rate
> limit violations.

In my experience, spamming through authenticated accounts is currently tailored to go under the radar for rate limits, typically one or two handfuls of messages sent every day, to 10-30 recipients, maybe less.

Rate limiting works well to prevent regular users and the odd misconfigured client from overloading the mail server and/or queue, though.

--
Jan

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
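The sender-domain check discussed above, written out as an Exim ACL fragment. This is an added example, not configuration posted by either participant or shipped by the Exim project. It assumes a hypothetical lookup file /etc/exim/auth_domains that maps each authenticated login name to a colon-separated list of domains that account may use in the envelope sender; because the value is a list, one account can own several domains and the login name does not have to equal an email address, which is the one-to-one assumption Jan objects to. The second stanza shows the per-account rate limit with a constructed threshold of 200 recipients per hour: it stops a runaway or misconfigured client, but a compromised account sending to a few dozen recipients a day stays well under it, so it complements the domain check rather than replacing it.

```exim
# Added example: goes in the RCPT ACL (the acl_smtp_rcpt chain).
#
# Assumed lookup file /etc/exim/auth_domains, one line per login
# (lsearch format, key followed by a colon-separated domain list):
#
#   jan:   example.org : example.net
#   alice: example.com
#
# Deny an authenticated session whose envelope sender domain is not
# among the domains registered for the login that authenticated.
# An unknown login yields an empty domain list and is therefore denied.
# Empty senders (bounces, <>) are exempted via "!senders = :".
deny
  authenticated = *
  !senders      = :
  !condition    = ${if match_domain{${domain:$sender_address}}{${lookup{$authenticated_id}lsearch{/etc/exim/auth_domains}{$value}{}}}}
  message       = Sender domain ${domain:$sender_address} is not permitted for account $authenticated_id
  log_message   = sender domain mismatch for authenticated id $authenticated_id

# Per-account rate limit, counted once per recipient (constructed value:
# 200 recipients per hour per login). "strict" keeps counting rejected
# attempts so a client that ignores the 4xx cannot reset the window.
# This catches a looping client; low-volume abuse of a compromised
# account, as described in the thread, stays below it.
defer
  authenticated = *
  ratelimit     = 200 / 1h / per_rcpt / strict / $authenticated_id
  message       = Rate limit exceeded for account $authenticated_id, try again later
  log_message   = ratelimit exceeded for authenticated id $authenticated_id ($sender_rate / $sender_rate_period)
```

Both stanzas go before the usual accept of relay for authenticated clients. The deny stanza logs the login name, not just the sender address, which is what you want when the abuse is low and slow: a search of the mainlog for "sender domain mismatch" grouped by authenticated id surfaces a compromised account long before its volume would trip the rate limit.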
