On 9 Aug 2019, at 00:31, Randy Bush via Exim-users <exim-users@exim.org> wrote:
> a legit user, U, has an account with password P. password ssh is
> disabled, of course. but smtp relay is not. so the spammer S uses
> U's password P to relay mail through that server.
>
> so i am looking to detect excessive, from some value of excessive,
> use of smtp with a legit password.

Basic ACL for this (in the RCPT ACL):

  # count every RCPT against the authenticated user; the limit of 0
  # means nothing is blocked here, the rate is only measured
  warn authenticated = *
       ratelimit = 0 / 1d / per_rcpt / $authenticated_sender

  # freeze the message once the measured rate is above 100
  warn condition = ${if >{$sender_rate}{100}}
       control = freeze

...in short: if authenticated, update and record the per-recipient count for the authenticated user. If it's >100, freeze the message.

If you want to use the 'freeze_tell' global option, you can get a warning that a message has been frozen *but* it'll do it for every RCPT TO over the threshold so can be noisy. You might want to set another variable in the second part, and use a '${run' condition to notify yourself later. Or parse the logs, or watch the mail queue, or something equally monitoring-shaped.

Graeme
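
The log-parsing route mentioned above, as an added example that is not part of the original message: it counts recipients per authenticated ID per calendar day from main log arrival (`<=`) lines and reports IDs over a limit, which is a coarser measure than the ACL's smoothed rate. It assumes `log_selector = +received_recipients`, the default timestamp format, and authenticators that log an ID as `A=name:id`; the sample log lines, function names and limit are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Exim main log format; hosts, IDs and addresses are made up.
SAMPLE_LOG = """\
2019-08-09 00:31:02 1hvqA1-0001Ab-2C <= u@example.org H=(pc) [192.0.2.10] P=esmtpsa A=plain:u S=1200 for a@example.net b@example.net
2019-08-09 00:31:05 1hvqA1-0001Ab-2C => a@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5]
2019-08-09 00:32:10 1hvqA2-0001Ac-3D <= u@example.org H=(pc) [203.0.113.7] P=esmtpsa A=plain:u S=900 for c@example.net d@example.net e@example.net
2019-08-09 00:40:00 1hvqA3-0001Ad-4E <= v@example.org H=(laptop) [192.0.2.20] P=esmtpsa A=plain:v S=700 for f@example.net
2019-08-09 00:41:00 1hvqA4-0001Ae-5F <= x@example.com H=mail.example.com [198.51.100.9] P=esmtp S=800 for u@example.org
2019-08-10 09:00:00 1hvqA5-0001Af-6G <= u@example.org H=(pc) [192.0.2.10] P=esmtpsa A=plain:u S=500 for g@example.net
"""

# Date, then time and message ID, then the "<=" arrival marker.
ARRIVAL = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ \S+ <= (.*)$")
AUTH_ID = re.compile(r"\sA=[^:\s]+:(\S+)")


def recipients_per_user(log_text):
    """Count recipients per (day, authenticated ID) from '<=' lines."""
    counts = Counter()
    for line in log_text.splitlines():
        arrival = ARRIVAL.match(line)
        if not arrival:
            continue  # delivery lines, rejections, queue-runner noise
        day, rest = arrival.groups()
        auth = AUTH_ID.search(rest)
        if not auth or " for " not in rest:
            continue  # unauthenticated, or recipients not logged
        recipients = rest.rsplit(" for ", 1)[1].split()
        counts[(day, auth.group(1))] += len(recipients)
    return counts


def over_limit(counts, limit=100):
    """Return {(day, user): count} for users above the daily limit."""
    return {key: n for key, n in counts.items() if n > limit}


if __name__ == "__main__":
    flagged = over_limit(recipients_per_user(SAMPLE_LOG), limit=4)
    for (day, user), n in sorted(flagged.items()):
        print(f"{day} {user}: {n} recipients")
```
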