hi richard

> I did some work for Oxford University ages ago, and they used SEC to
> parse the logs, count up failed SMTP transactions for users/IP addresses
> and block once it exceeded a threshold.
>
> SEC was a bit messy, I would probably look at using Fail2Ban with a
> custom action script to do that now.

i suspect i was unclear.

a legit user, U, has an account with password P. password ssh is disabled, of course. but smtp relay is not. so the spammer S uses U's password P to relay mail through that server.

so i am looking to detect excessive, from some value of excessive, use of smtp with a legit password.

for the moment, i no longer use /etc/master.password to authenticate, and add users one at a time when they whine to a smtp relay password file.

randy
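
An added example, not part of the message above or of Exim itself: one way to count authenticated submissions per account in a sliding window from the Exim main log. It assumes the authenticator sets `server_set_id` so arrival lines carry `A=<authenticator>:<id>`; the log lines, the `plain_server` authenticator name and the threshold values are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Exim mainlog arrival line ("<="). A=<authenticator>:<id> is only present
# for authenticated sessions (assumes server_set_id is configured).
ARRIVAL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\].*? A=(?P<auth>[^:\s]+):(?P<user>\S+)"
)

# Constructed sample log lines (documentation addresses, made-up message ids).
SAMPLE = """\
2024-05-01 10:00:01 1s1aaa-0001Xy-2Z <= alice@example.org H=(c1) [198.51.100.7] P=esmtpsa A=plain_server:alice S=1520
2024-05-01 10:00:20 1s1aab-0001Xy-2Z <= x@example.net H=(c1) [198.51.100.7] P=esmtpsa A=plain_server:alice S=900
2024-05-01 10:00:41 1s1aac-0001Xy-2Z <= bob@example.org H=(c2) [192.0.2.44] P=esmtpsa A=plain_server:bob S=2048
2024-05-01 10:01:05 1s1aad-0001Xy-2Z <= y@example.net H=(c3) [203.0.113.9] P=esmtpsa A=plain_server:alice S=910
2024-05-01 10:01:30 1s1aae-0001Xy-2Z <= z@example.net H=(c3) [203.0.113.9] P=esmtpsa A=plain_server:alice S=905
2024-05-01 10:30:00 1s1aaf-0001Xy-2Z <= bob@example.org H=(c2) [192.0.2.44] P=esmtpsa A=plain_server:bob S=700
2024-05-01 10:31:00 1s1aag-0001Xy-2Z <= list@example.com H=mx.example.com [192.0.2.80] P=esmtps S=3000
""".splitlines()


def excessive_auth_senders(lines, limit=3, window=timedelta(minutes=10)):
    """Return {user: set of client IPs} for every authenticated id that
    submitted more than `limit` messages inside any sliding `window`."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, client ip)
    flagged = defaultdict(set)
    for line in lines:
        m = ARRIVAL.match(line)
        if not m:                 # unauthenticated or non-arrival line
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["user"]]
        q.append((ts, m["ip"]))
        while ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) > limit:
            flagged[m["user"]].update(ip for _, ip in q)
    return dict(flagged)


if __name__ == "__main__":
    for user, ips in excessive_auth_senders(SAMPLE).items():
        print(f"{user}: over threshold, client IPs {sorted(ips)}")
```

The set of client IPs per flagged account is what a Fail2Ban-style action or a manual password reset would act on.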
