We use ratelimit on outbound to protect against compromised accounts sending
spam but we don't check inbound although obviously you could adapt this.
This is used in conjunction with control = freeze
So something like this for outbound sending. For recipient you will have to
alter the ratelimit clause to use an appropriate key.
warn
log_message = Ratelimit - sender $sender_address rate $sender_rate /
$sender_rate_period
message = Sorry, you have exceeded your message sending limit. Try again
later
ratelimit = 1000 / 1h / strict / per_rcpt / $sender_address
control = freeze
That freezes the messages on the system.
Alerts on this are linked into our general network monitoring system and exim
stats but basically it runs
exipick -bpc -z '$sender_address' (which gives you frozen messages that have
non null sender) and alerts if that is nonzero.
--
-------------------------------------------------------------------------------------
Jonathan Haynes
Senior Network Specialist
IT Department Tel: 01234 754205
Bld 63, e-mail:
[email protected]
Cranfield University,
Cranfield,
Beds, MK43 0AL
> -----Original Message-----
> From: Exim-users [mailto:exim-users-
> [email protected]] On Behalf Of Sujit Acharyya-
> choudhury
> Sent: 03 August 2016 11:33
> To: [email protected]
> Subject: [exim] max messages per recipients
>
> How can I generate an alert if user(recipient) gets more than the usual
> message say 1000/hour instead of 100/day, thereby telling us something is
> wrong with the account - possibly compromised or DDOS attack. We had an
> instant like this few times (to well-known academics) and we would like to
> stop this kind of problem as soon as possible, before the mailbox is full.
>
>
>
> We are Exim 4.81
>
>
>
>
>
> Regards
>
>
>
> Sujit
>
>
>
> Sujit Choudhury | IT Services
>
>
>
>
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
