> From: Patrick von der Hagen
> I've been having issues with compromised accounts used to send spam via
> authenticated connections to my servers. Don't ask me how those people
> lost their passwords, but they did.
>
> I have ratelimiting in place to avoid the worst issues, but some people
> and systems really send tons of messages, so the limit is quite
> generous. Defining exceptions for specific senders isn't an option,
> since it would involve too much maintenance.
>
> Now I'm looking for ideas how to identify issues faster. One of them is
> to check for senders causing lots of bounces, which in my experience is
> a good indication for bad behavior.
>
> My worries:
> - the identification of bounces in the acl_not_smtp is certainly not perfect
> - the limits are just a guess
> - the bounce rate will drop again, so the lock-out by
>   bounce_$sender_address isn't permanent

Permanent lock-out if bounce rate exceeded, separately for each user:
https://github.com/Exim/exim/wiki/BlockCracking

That code uses verify=recipient/callout instead of counting bounce messages.
If recipient verification fails then a bounce message will be sent.

> From: Jeremy Harris
> You can watch for rate of rejects, rather than bounces (please don't
> say you accept-then-bounce!)

For authenticated connections (to send outgoing messages from user's MUA)
accept-then-bounce is usual practice because many Windows MUAs cannot handle rejects.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
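
Added example (not part of the original message and not the wiki's code): a Python model of the decision discussed above, replaying per-login recipient-verification results to contrast a rate-only lock, which lapses once the failure rate drops, with a permanent per-user lock. The event tuples, `WINDOW`, `FAIL_LIMIT` and `replay` are hypothetical names and values, and the events are constructed, not Exim log lines.

```python
from collections import defaultdict, deque

WINDOW = 3600    # seconds of history kept per login (assumed value)
FAIL_LIMIT = 3   # failed recipients tolerated per window (assumed, small for the sample)

# Constructed sample: (unix_time, authenticated_id, recipient_verified_ok),
# sorted by time.
SAMPLE_EVENTS = [
    (0, "mallory", False), (5, "alice", True), (10, "mallory", False),
    (15, "alice", False), (20, "mallory", False), (30, "mallory", False),
    (40, "mallory", True), (5000, "mallory", True), (6000, "alice", True),
]

def replay(events, window=WINDOW, limit=FAIL_LIMIT):
    """Return (decisions, locked).

    decisions[i] is (rate_only, permanent) for events[i], each "accept" or
    "deny". rate_only denies while the login's failure count inside the
    window is above the limit; permanent also denies every later RCPT from
    a login that has exceeded the limit once.
    """
    failures = defaultdict(deque)   # login -> timestamps of failed recipients
    locked = set()                  # logins locked until an admin clears them
    decisions = []
    for ts, login, ok in events:
        recent = failures[login]
        while recent and recent[0] <= ts - window:
            recent.popleft()        # forget failures older than the window
        if not ok:
            recent.append(ts)
        over = len(recent) > limit
        if over:
            locked.add(login)
        decisions.append(("deny" if over else "accept",
                          "deny" if login in locked else "accept"))
    return decisions, locked

if __name__ == "__main__":
    decisions, locked = replay(SAMPLE_EVENTS)
    for event, decision in zip(SAMPLE_EVENTS, decisions):
        print(event, decision)
    print("locked:", sorted(locked))
```

In the sample, the compromised login is refused under both policies while failures are recent, but only the permanent lock still refuses it after the window has passed.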
