Hi Niels,

Niels Kobschätzki via Exim-users <exim-users@exim.org> (Mo 05 Jul 2021 05:40:04 CEST):
> I have again and again problems with phished users. I want to try a new way
> to deal with them but I worry that I mess up parts of our monitoring.

If you want to try a *new* way, what's the *old* approach?

> One sign of a phished user (if they do not try to log in from lots of
> different countries) is that they amass in a short time quite some time in my
> mail queue. Thus my idea is to check if there is such a user via my
> monitoring system and when one is detected, there is a handler that will
> freeze that user and all their current mail in the queue. The part of
> detecting the spam-user via their count of mails in the queue is tested and
> already gave us far better reaction times, the hit ratio is like 90% of the
> time it is a spammer, the other times it is a legitimate user with some other
> problem (and mails from users who regularly generate messages like spammers
> by newsletters and such are already automatically moved to another
> mail-server)

One way to detect phished accounts is by ratelimiting the count of unique
addresses the user sends mails to in a given time frame.

    ratelimit = … / per_addr

> Iirc exim introduced multiple queues a while ago, do I remember correctly?
> Could I move those mails from such a user to a new queue, so that for example
> exim -bpc won’t count them? Or is there a better way than my idea above?

So somewhere in the RCPT acl

    ratelimit = … / per_addr
    queue = …

could do the trick.

    Best regards from Dresden/Germany
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
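
Added example (not part of the original message and not the poster's or the Exim project's own configuration): a RCPT ACL fragment showing how the `ratelimit` condition with `per_addr` and the `queue` modifier mentioned in the reply fit together. The ACL name follows Exim's default configuration; the limit, period, rate key and queue name are assumed values.

```conf
# Constructed example. Goes into the ACL named by acl_smtp_rcpt
# (acl_check_rcpt in the default configuration).
# Assumed values: 100 distinct recipients, 1 hour, queue name "suspect".

acl_check_rcpt:

  # Authenticated submissions only. per_addr counts *different* recipient
  # addresses per key, so repeated mail to the same address does not raise
  # the rate. The key is the authenticated login, so the limit follows the
  # account rather than the client IP address.
  # "strict" keeps updating the measured rate while the sender is over the
  # limit, so an account that keeps sending stays flagged.
  warn  authenticated = *
        ratelimit     = 100 / 1h / per_addr / strict / $authenticated_id
        # Modifiers below run only when the ratelimit condition matched.
        # The message is still accepted, but spooled on a named queue
        # instead of the default one.
        queue         = suspect
        log_message   = suspect queue: $authenticated_id at \
                        $sender_rate/$sender_rate_period \
                        (limit $sender_rate_limit)

  # ... existing RCPT rules (relay checks, recipient verification,
  #     final accept/deny) continue unchanged below ...
```

A named queue is handled separately from the default queue and can be selected on the command line with `-qG`, for example `exim -bp -qGsuspect` to list it. Messages already accepted onto the default queue before the limit was reached are not affected by this rule.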