On 9 Aug 2019, at 00:31, Randy Bush via Exim-users <[email protected]> wrote:
> a legit user, U, has an account with password P. password ssh is
> disabled, of course. but smtp relay is not. so the spammer S uses
> U's password P to relay mail through that server.
>
> so i am looking to detect excessive, from some value of excessive,
> use of smtp with a legit password.
Basic ACL for this (in the RCPT ACL):
  # update the per-recipient rate for the authenticated id; limit 0 so this
  # warn only measures and records, it never rejects
  warn authenticated = *
       ratelimit     = 0 / 1d / per_rcpt / $authenticated_id

  # $sender_rate is now set; freeze once it exceeds 100 recipients per day
  warn condition     = ${if >{$sender_rate}{100}}
       control       = freeze
...in short: if authenticated, update and record the per-recipient count for
the authenticated user. If it's >100, freeze the message.
If you want to use the 'freeze_tell' global option, you can get a warning that
a message has been frozen *but* it'll do it for every RCPT TO over the
threshold so can be noisy. You might want to set another variable in the second
part, and use a '${run' condition to notify yourself later. Or parse the logs,
or watch the mail queue, or something equally monitoring-shaped.
Graeme
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/