On 2013-08-14 12:30, Ian Eiloart wrote:
On 8 Aug 2013, at 15:03, Marcin Gryszkalis <[email protected]> wrote:

Even worse - it looked a bit similar to ssh-dictionary-attack bots: every bot/ip was used to send
no more than 1-3 mails.

Interesting. I guess one could limit the number of different IP
addresses that a sender could use in a given period. I wonder what
would be a reasonable limit? 3/minute, 10/hour, 25/day? How many
travellers would get hit by those limits?

Nice idea, for imap it would be high (many users use multiple devices to read mail - several computers, phones, tablets etc.) but
for smtp the count should be smaller
 - some cheap DSL-s are switching once per 24/12 hrs
 - some free gsm providers are switching ip once per hour

I checked one of the servers (2 weeks from the beginning of August) and the user with the highest number of distinct IPs has about 80 entries. Your mileage may vary though; you can check your logs with

grep 'Authenticated:' exim-main-* | perl -nle 'next unless m/\[([^\]]*)\].*Authenticated:\s+(\S+)/; $h->{$2}->{$1} = 1; END { for my $u (sort { scalar(keys(%{$h->{$a}})) <=> scalar(keys(%{$h->{$b}})) } keys %$h) { use Data::Dumper; print "$u\n", Dumper $h->{$u} } }'

expects exim main log lines with
[1.2.3.4] Warning: Authenticated: user@domain

greetings
--
Marcin Gryszkalis, PGP 0x9F183FA3
jabber jid:[email protected], gg:2532994

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
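
Added example, not part of the original thread: a Python sketch that replays authentication log lines and reports which users would have exceeded the distinct-IP limits floated above (3/minute, 10/hour, 25/day). It assumes each line starts with Exim's default "YYYY-MM-DD HH:MM:SS" timestamp followed by the "[ip] Warning: Authenticated: user" fragment described in the message; the function names and sample data are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed shape: default Exim timestamp, then "[ip] ... Authenticated: user".
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\[([^\]]+)\].*?Authenticated:\s+(\S+)")
# Candidate limits floated in the thread: (window, max distinct IPs).
LIMITS = {"minute": (timedelta(minutes=1), 3), "hour": (timedelta(hours=1), 10),
          "day": (timedelta(days=1), 25)}

def parse(lines):
    """Return {user: [(timestamp, ip), ...]} sorted by time."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # unmatched lines are skipped
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events[m.group(3)].append((ts, m.group(2)))
    return {u: sorted(ev) for u, ev in events.items()}

def peak_distinct_ips(events, window):
    """Largest number of distinct IPs inside any sliding window."""
    peak, start, live = 0, 0, Counter()
    for ts, ip in events:
        live[ip] += 1
        while ts - events[start][0] >= window:  # drop events older than window
            old = events[start][1]
            live[old] -= 1
            if not live[old]:
                del live[old]
            start += 1
        peak = max(peak, len(live))
    return peak

def over_limit(lines):
    """Return {user: [limit names that user would have exceeded]}."""
    report = {}
    for user, ev in parse(lines).items():
        hit = [n for n, (w, cap) in LIMITS.items() if peak_distinct_ips(ev, w) > cap]
        if hit:
            report[user] = hit
    return report

# Constructed sample: a traveller on 3 addresses in one day, and an account
# seen from 12 addresses (documentation ranges) within 12 minutes.
SAMPLE = [f"2013-08-01 {h:02d}:00:00 [198.51.100.{h}] Warning: Authenticated: traveller@example.org" for h in (8, 13, 20)]
SAMPLE += [f"2013-08-01 09:{i:02d}:30 [203.0.113.{i}] Warning: Authenticated: compromised@example.org" for i in range(12)]

if __name__ == "__main__":
    print(over_limit(SAMPLE))
```

Running it over a few weeks of real logs before enforcing anything shows how many legitimate users each candidate limit would hit.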