On 2013-06-29 at 09:45 -0700, Todd Lyons wrote:
> Their Outlook is still open on their computer and someone comes by to
> check something in the email. Outlook doesn't seem to be working
> right so they hit the Send/Receive button multiple times. On the exim
> server, the limit for bad user/pass combination gets hit and the ip
> gets added to the blacklist. Now the whole office is blocked from
> sending email.
>
> I'd like to ponder if there is a way to detect that the same incorrect
> password is being sent over and over (indicating a misconfigured
> device) as opposed to random passwords (indicating brute forcing). To
Simpler solution: never implement a blacklist without also implementing a whitelist. Cron-job scans logs for successful authentications and adds the source IPs to a graylist. After a few days of mostly success, IP moves to whitelist. Thereafter, one bad actor can't ruin things for everyone else. Bonus points for auto-generating "you would have been blacklisted by anomalous activity from IP X" emails.

-Phil

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
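One way to implement the graylist/whitelist scheme Phil describes, as an added example that is not part of the thread and is not Exim's own code: a Python script that a nightly cron job could run over the previous days' mainlog, then apply to the current day's log. It assumes Exim's mainlog shapes for an authenticated message arrival (`<= ... [IP] ... A=authenticator:id`) and a failed login (`... authenticator failed for ... [IP]: 535 ...`); the sample log lines, IP addresses, thresholds (three distinct days with a success and a 90% success rate to graduate from graylist to whitelist, five failures from one IP in one day as the blacklist trigger) and the notice wording are all constructed here and not taken from the thread.

```python
"""Graylist/whitelist builder for an Exim login blacklist.

Added example, not code from the thread or from Exim itself.  Assumed mainlog
shapes (constructed for this example):
  success: '<date> <time> <id> <= user@dom H=(host) [IP] P=esmtpsa A=plain_login:user S=...'
  failure: '<date> <time> login authenticator failed for (host) [IP]: 535 Incorrect authentication data (set_id=user)'
"""
import re
from collections import Counter, defaultdict

SUCCESS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) .* <= .*\[([\d.]+)\].* A=\S+")
FAILURE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) .*authenticator failed for .*\[([\d.]+)\]")

# Policy knobs: assumptions chosen to match "a few days of mostly success".
MIN_OK_DAYS = 3       # distinct days with at least one successful login
MIN_OK_RATIO = 0.9    # successes / (successes + failures) over the history window
FAIL_THRESHOLD = 5    # failures from one IP in one day that normally trigger the blacklist


def tally(lines):
    """Per-IP counters from mainlog lines; lines matching neither pattern are ignored."""
    stats = defaultdict(lambda: {"ok": 0, "bad": 0, "ok_days": set(), "bad_by_day": Counter()})
    for line in lines:
        m = SUCCESS_RE.match(line)
        if m:
            day, ip = m.groups()
            stats[ip]["ok"] += 1
            stats[ip]["ok_days"].add(day)
            continue
        m = FAILURE_RE.match(line)
        if m:
            day, ip = m.groups()
            stats[ip]["bad"] += 1
            stats[ip]["bad_by_day"][day] += 1
    return stats


def build_lists(history_lines, min_days=MIN_OK_DAYS, min_ratio=MIN_OK_RATIO):
    """Any IP with a successful login enters the graylist; sustained, mostly-successful IPs move to the whitelist."""
    whitelist, graylist = set(), set()
    for ip, s in tally(history_lines).items():
        if s["ok"] == 0:
            continue  # never authenticated successfully: on neither list
        ratio = s["ok"] / (s["ok"] + s["bad"])
        if len(s["ok_days"]) >= min_days and ratio >= min_ratio:
            whitelist.add(ip)
        else:
            graylist.add(ip)
    return whitelist, graylist


def evaluate(today_lines, whitelist, fail_threshold=FAIL_THRESHOLD):
    """Apply the blacklist rule to today's log; whitelisted IPs get a notice instead of a block."""
    to_block, notices = set(), []
    for ip, s in tally(today_lines).items():
        worst_day = max(s["bad_by_day"].values(), default=0)
        if worst_day < fail_threshold:
            continue
        if ip in whitelist:
            notices.append(f"you would have been blacklisted by anomalous activity from IP {ip} "
                           f"({worst_day} failed logins in one day)")
        else:
            to_block.add(ip)
    return to_block, notices


# Constructed sample log lines (hypothetical hosts, users and addresses).
def _ok(day, ip, user):
    return (f"{day} 12:00:00 1UrXXX-0000XX-XX <= {user}@example.org H=(pc) [{ip}] "
            f"P=esmtpsa A=plain_login:{user} S=900")


def _bad(day, ip, user):
    return (f"{day} 12:00:01 login authenticator failed for (pc) [{ip}]: "
            f"535 Incorrect authentication data (set_id={user})")


OFFICE, LAPTOP, FLAKY, ATTACKER = "203.0.113.10", "192.0.2.44", "198.51.100.200", "198.51.100.7"
HISTORY = (
    [_ok(d, OFFICE, "alice") for d in ("2013-06-25", "2013-06-26", "2013-06-27", "2013-06-28")]
    + [_ok("2013-06-28", LAPTOP, "dave")]                       # seen once: graylist only
    + [l for d in ("2013-06-26", "2013-06-27", "2013-06-28")    # half its logins fail: stays gray
       for l in (_ok(d, FLAKY, "erin"), _bad(d, FLAKY, "erin"))]
)
TODAY = (
    [_bad("2013-06-29", OFFICE, "alice")] * 6                   # stuck Outlook hammering Send/Receive
    + [_bad("2013-06-29", ATTACKER, f"user{i}") for i in range(6)]  # never authenticated: real candidate
    + [_bad("2013-06-29", LAPTOP, "dave")]                      # one typo, below threshold
)

if __name__ == "__main__":
    wl, gl = build_lists(HISTORY)
    blocked, notes = evaluate(TODAY, wl)
    print("whitelist:", sorted(wl), "graylist:", sorted(gl))
    print("block:", sorted(blocked))
    for n in notes:
        print("notice:", n)
```

With this split the office address is whitelisted from four clean days of history, so the burst of failures from the stuck Outlook produces a notice rather than a block, while the address that has never authenticated and fails six times is blocked as before.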
