On Aug 06, Randy Bush via Exim-users wrote:

> had a legit user with a weak password. someone cracked it and used
> it to drive a lot of spam by smtping in with plain auth.
>
> anyone have scripting to raise alerts if there is inbound smtp from a
> legit user above some threshold?
>
> i will also likely remove all user passwords from /etc/passwd (as shell
> access is ssh key only anyway) and put passwords for legit smtpers into
> `server_condition` in `authenticators`
>
> randy
Hi Randy,

I did some work for Oxford University ages ago, and they used SEC to parse the logs, count up failed SMTP transactions for users/IP addresses and block once it exceeded a threshold.

SEC was a bit messy; I would probably look at using Fail2Ban with a custom action script to do that now.

Thanks,
Richard Jones
-- junix.systems/privacy --

## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
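An added example (not part of the thread, and not SEC or Fail2Ban code) of the two counts being discussed: Randy's "alerts when a legit user submits above some threshold" and Richard's "count failed SMTP logins per IP and act once a threshold is exceeded". It reads Exim mainlog-style lines, keys authenticated submissions by the login in the `A=<authenticator>:<login>` field and failed logins by client IP, and reports the peak count inside a sliding window. The log lines are constructed for the example, and the exact line shapes (`<= ... A=plain:user`, `... authenticator failed for (...) [ip]: 535 ... (set_id=user)`) are an assumption about the local Exim log format; adjust the two regexes to match what the site's mainlog actually contains. The output is a per-key peak count, so the caller decides whether to alert, rate-limit, or feed a Fail2Ban-style ban action.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed Exim mainlog shapes (not taken from the thread; verify against a real log):
#   "<date> <time> <msgid> <= <sender> H=(helo) [ip] P=esmtpa A=<auth>:<login> S=..."
#   "<date> <time> <auth> authenticator failed for (helo) [ip]: 535 ... (set_id=<login>)"
ACCEPT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ .*?\[(?P<ip>[^\]]+)\]"
    r".*?\bA=(?P<auth>\w+):(?P<user>\S+)"
)
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed for .*?"
    r"\[(?P<ip>[^\]]+)\].*\(set_id=(?P<user>[^)]*)\)"
)

# Constructed sample log: alice sends twice, bob sends six times in six minutes,
# one IP fails to log in three times, and one unauthenticated relay-style line
# (no A= field) which must not be counted as a user submission.
SAMPLE_LOG = [
    "2023-08-06 10:00:01 1qSaaa-0001aa-Aa <= alice@example.org H=(c) [192.0.2.10] P=esmtpa A=plain:alice S=1024 id=1@example.org",
    "2023-08-06 10:05:00 1qSaab-0001ab-Ab <= alice@example.org H=(c) [192.0.2.10] P=esmtpa A=plain:alice S=900 id=2@example.org",
] + [
    f"2023-08-06 10:{10 + i:02d}:00 1qSab{i}-0001a{i}-Ac <= bob@example.org H=(x) [198.51.100.7] P=esmtpa A=plain:bob S=500 id={3 + i}@example.org"
    for i in range(6)
] + [
    f"2023-08-06 10:{20 + i:02d}:00 plain authenticator failed for (x) [198.51.100.7]: 535 Incorrect authentication data (set_id=carol)"
    for i in range(3)
] + [
    "2023-08-06 10:30:00 1qSaad-0001ad-Ad <= bob@example.org H=(x) [198.51.100.7] P=esmtp S=500 id=9@example.org",
]


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def authenticated_sends(lines):
    """(timestamp, login) for every accepted message that carried SMTP AUTH."""
    return [(_parse_ts(m["ts"]), m["user"]) for m in map(ACCEPT_RE.match, lines) if m]


def failed_logins(lines):
    """(timestamp, client_ip) for every failed AUTH attempt."""
    return [(_parse_ts(m["ts"]), m["ip"]) for m in map(FAIL_RE.match, lines) if m]


def peak_rate(events, window_seconds):
    """For each key, the largest number of events falling inside any window_seconds span."""
    by_key = defaultdict(list)
    for ts, key in events:
        by_key[key].append(ts)
    peaks = {}
    for key, stamps in by_key.items():
        stamps.sort()
        window = deque()
        best = 0
        for ts in stamps:
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()  # drop events that fell out of the window
            best = max(best, len(window))
        peaks[key] = best
    return peaks


def over_threshold(lines, threshold, window_seconds=3600):
    """Logins whose peak submission rate exceeded threshold messages per window."""
    peaks = peak_rate(authenticated_sends(lines), window_seconds)
    return {user: n for user, n in peaks.items() if n > threshold}


if __name__ == "__main__":
    for user, n in over_threshold(SAMPLE_LOG, threshold=5).items():
        print(f"ALERT: {user} submitted {n} messages within one hour")
    for ip, n in peak_rate(failed_logins(SAMPLE_LOG), 600).items():
        print(f"failed AUTH from {ip}: {n} in ten minutes")
```

Run against a real file with `over_threshold(open("/var/log/exim4/mainlog").read().splitlines(), 200)` or whatever ceiling suits the site; a threshold far above any human's hourly volume catches a cracked account without paging on normal users. Keying failed logins by IP rather than by login is what makes the count usable as a ban trigger, since the attacker's guesses arrive from few addresses while a legitimate user's occasional typo does not reach the threshold.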
