On 10/02/16 20:37, Graeme Fowler wrote: <snip>
You can make ratelimit use *any* key you like as the lookup - so it can be (as you’ve done already) the envelope sender address, or the sender’s IP address, or a hostname, or… well, you get the idea. In the DATA ACL, you’ve got access to all the message headers - and if you do the ratelimit stuff before the callout to SpamAssassin, they’re unmodified (see footnote 1). So you can set an ACL variable for later use from any header. As an example: set acl_m_origsubject1 = $rh_Subject ... warn ratelimit = 5 / 15m / per_rcpt / strict / $acl_m_origsubject1 (obviously that could be deny, and have other conditions on it)
<snip>
You’re probably better off cooking up a ratelimit key from the subject, parts of the date/time (see $tod_log) and other attributes of the message which you see as unique. Do they, for example, share a Message-ID header (direct-to-MX malware often does, if one exists at all). Does that give you a bit of direction? Graeme
Yes, thanks. $rh_subject / $h_subject looks like it will do what I wanted - and I'll run with 'warn' not 'deny' for a while to prove. I'll dig into the other attributes you mention in slower time and might go for a dual approach of:
deny if ratelimit > large threshold warn and +3 for SpamAssassin if ratelimit > smaller threshold Thanks, Nick. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
