Hi Niels,

Niels Kobschätzki via Exim-users <exim-users@exim.org> (Mon 05 Jul 2021 05:40:04 CEST):
> I have again and again problems with phished users. I want to try a new way 
> to deal with them but I worry that I mess up parts of our monitoring.

If you want to try a *new* way, what's the *old* approach?

> One sign of a phished user (if they do not try to log in from lots of 
> different countries) is that they amass in a short time quite some time in my 
> mail queue. Thus my idea is to check if there is such a user via my 
> monitoring system and when one is detected, there is a handler that will 
> freeze that user and all their current mail in the queue. The part of 
> detecting the spam-user via their count of mails in the queue is tested and 
> already gave us far better reaction times, the hit ratio is like 90% of the 
> time it is a spammer, the other times it is a legitimate user with some other 
> problem (and mails from users who regularly generate messages like spammers 
> by newsletters and such are already automatically moved to another 
> mail-server) 

One way to detect phished accounts is by ratelimiting the count of unique
addresses the user sends mail to in a given time frame.

        ratelimit = … / per_addr
 
> Iirc exim introduced multiple queues a while ago, do I remember correctly? 
> Could I move those mails from such a user to a new queue, so that for example 
> exim -bpc won’t count them? Or is there a better way than my idea above?

So somewhere in the RCPT acl

        ratelimit = … / per_addr
        queue = …

could do the trick.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
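As an added illustration of the suggestion above (this is not Heiko's or the Exim project's configuration), here is one way the RCPT ACL fragment could look. The threshold of 50 unique recipients per hour, the queue name "suspect", the ACL name and the log text are assumptions; the `ratelimit`, `queue`, `authenticated`, `logwrite` and `control = freeze` items are standard Exim ACL conditions and modifiers:

```exim
# Hypothetical RCPT ACL fragment, assumed values: 50 unique recipient
# addresses per hour per authenticated login, named queue "suspect".
acl_check_rcpt:

  # Measure only authenticated submissions and key the rate on the login,
  # so each (possibly compromised) account is counted on its own.
  # per_addr counts distinct recipient addresses, not RCPT commands, so a
  # user mailing the same few colleagues repeatedly stays under the limit.
  warn
    authenticated = *
    ratelimit     = 50 / 1h / per_addr / $authenticated_id
    logwrite      = RATELIMIT $authenticated_id: $sender_rate unique recipients in $sender_rate_period (limit $sender_rate_limit)
    # Divert this message to a named queue; the default queue, and thus a
    # plain "exim -bpc", no longer counts it.
    queue         = suspect
    # Alternative to diversion if the message should be held instead:
    # control     = freeze

  accept
```

With the message in the named queue, `exim -bpc -qGsuspect` counts it and `exim -bp -qGsuspect` lists it, while the default-queue monitoring stays unaffected; deliveries from that queue only happen when a queue runner is started for it (`exim -qGsuspect`), which gives time to inspect the account before anything leaves the system. The `ratelimit` condition is "leaky" by default, so once the user drops back under the limit the diversion stops on its own; add `/strict` if the window should keep extending while the account continues to exceed it.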


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
