[exim] Spurious DKIM failures

2021-07-05 Thread Evgeniy Berdnikov via Exim-users
  Hello.

 I have an informational message for developers. In some rare cases Exim
 considers a correct DKIM signature as invalid. My estimate of the fault rate
 is less than 1 event per 10,000 incoming mails.

 In my environment it can be traced by headers, because each incoming
 mail passes the chain

   (1) Exim MTA -> (2) Amavis -> (3) Exim MTA,

 where the receiving relay (1) and the anti-spam filter (2) save the result of
 DKIM verification in headers. On a failure, the headers look like:

Authentication-Results: passat.rdtex.ru (amavisd-new);
dkim=pass (1024-bit key) header.d=netology.ru header.b=OXxIl1Hh;
dkim=pass (1024-bit key) header.d=mta.mindbox.ru header.b=I5B1tR/y
Received: from passat.rdtex.ru ([127.0.0.1])
by localhost (passat.rdtex.ru [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id UjeSDm4hSaiL for ;
Mon,  5 Jul 2021 19:06:34 +0300 (MSK)
X-Authentication-Results: passat.rdtex.ru Exim-4.94.2;
iprev=pass (mta.mindbox.ru) smtp.remote-ip=185.99.9.135;
dkim=fail (body hash mismatch; body probably modified in transit)
 header.d=netology.ru header.s=mindbox header.a=rsa-sha256;
dkim=fail (body hash mismatch; body probably modified in transit)
 header.d=mta.mindbox.ru header.s=mindbox header.a=rsa-sha256
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
Received-SPF: pass client-ip=185.99.9.135; 
envelope-from=bounce.b46b07000400607c6...@mta.mindbox.ru; 
helo=mta.mindbox.ru
Received: from mta.mindbox.ru ([185.99.9.135]:29146)
by passat.rdtex.ru with esmtps 
(TLS1.2:ECDHE_X25519__RSA_SHA256__AES_256_GCM:256)
(Exim 4.94.2)
(envelope-from )
id 1m0R7C-00HEVp-GA size 24034 maxlen 175
...

 Mainlog for frontend Exim (1) contains:

2021-07-05 19:06:34.545 [4107365] 1m0R7C-00HEVp-GA DKIM: d=netology.ru 
s=mindbox c=relaxed/relaxed a=rsa-sha256 b=1024 [verification failed - body 
hash mismatch (body probably modified in transit)]
2021-07-05 19:06:34.545 [4107365] 1m0R7C-00HEVp-GA DKIM: d=mta.mindbox.ru 
s=mindbox c=relaxed/relaxed a=rsa-sha256 b=1024 [verification failed - body 
hash mismatch (body probably modified in transit)]

 A manual test of the received mail with the Perl module Mail::DKIM::Verifier
 gives a "pass" result for both signatures. If the sample mail is re-injected
 by SMTP from another host, it passes verification on the frontend Exim.

 I have 4 frontend relays with almost identical configuration; failures
 happen on each of them, randomly. There is no evidence of hardware
 problems (segfaults, etc.) and no evidence of "inherited" memory corruption:
 after a failure of DKIM verification, subsequent mails are verified correctly.
 So it seems to be a rarely manifesting bug.

 I have no idea how such a bug can be located. However, I can share this
 sample mail with developers (in private).
-- 
 Eugene Berdnikov

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Heiko Schlittermann via Exim-users
Niels Kobschätzki via Exim-users  (Mo 05 Jul 2021 14:00:02 
CEST):
> >
> > ...beside exims "ratelimiting" (which is just lowering the impact at the 
> > cost
> > of all users)
> 
> actually depending on how the rate limiting works it doesn’t impact all users 
> and I can whitelist users that are legitimate but would be hit by the 
> rate-limiting.

I think, if you follow the initial suggestion, limiting the pure number
of distinct addresses per interval, the impact should be relatively low.

Users sending tons of mails to the same destination are not impacted, and
users sending a newsletter to a ton of destinations are not impacted if
you choose a well balanced rate (e.g. for Exim's ratelimit "engine" it's
a subtle difference between 60/1m and 3600/1h).

And, as the ratelimit condition is expanded, you can do whatever your
creativity dictates (e.g. look up the limits in a database).

-- 
Heiko




Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Jeremy Harris via Exim-users

On 05/07/2021 17:21, Cyborg via Exim-users wrote:
> that transport filter can do anything you like, i.e. counting the number of
> mails per timeframe per authid and block the ip, disable the account, clear
> the message queue and it also can technically blank the actual message, so
> it's not spam anymore ;)
>
> It's not what transport filters are used for normally, but I think it would
> do the trick.


Overkill.  Use an ACL expansion in a condition on the router,
which can do a ratelimit test/modify and control whether
the router triggers.
--
Cheers,
  Jeremy



Re: [exim] Disable Links in Body

2021-07-05 Thread Max Kostikov via Exim-users
This can be done using a system or transport filter. There you can pass 
the initial message to a script - a handler written, for example, in 
Perl or any other language convenient for you.
Be prepared to deal with different types of content, including nested 
MIMEs. In addition, this will lead to an error in DKIM verification if 
it is performed after changing the message body.


Patrick Porteous via Exim-users wrote on 2021-06-09 21:58:

> I would like to set up a filter to disable all external links in
> received messages. Can someone point me to where to start looking
> into that type of filtering?


--
Best regards,
Max Kostikov

W: https://kostikov.co | E: m...@kostikov.co | T: +7(952)7927000




Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Cyborg via Exim-users

On 05.07.21 at 14:42, Niels Kobschätzki wrote:

> I want to automate the acting upon it. This is about damage
> mitigation when the preventive measures didn't help.

How about:

remote_smtp:
  driver = smtp
  .include_if_exists /etc/exim/ip.conf
  # The command string is split into arguments on white space; Exim honours
  # double quotes here (single quotes would be passed literally), so an
  # empty $authenticated_id still reaches the script as an empty argument.
  transport_filter = /usr/local/sbin/count-script.pl \
                     "$sender_host_address" "$authenticated_id"

  ... options ...
  tls_tempfail_tryclear = false


that transport filter can do anything you like, i.e. counting the number
of mails per timeframe per authid and block the ip,
disable the account, clear the message queue and it also can technically
blank the actual message, so it's not spam anymore ;)


It's not what transport filters are used for normally, but I think it
would do the trick. All you need to make sure is that STDIN goes
untampered to STDOUT in case the message is fine. It may drop the
server performance a bit on high traffic systems...


best regards,
Marius




Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Kobschätzki via Exim-users


On 5 Jul 2021, at 15:09, Heiko Schlittermann via Exim-users wrote:

> Niels Kobschätzki  (Mo 05 Jul 2021 13:54:47 CEST):
>>
>>> addresses the users sends mails to in a given time frame.
>>>
>>> ratelimit = … / per_addr
>>
>> According to the documentation: “The per_addr option is like the per_rcpt 
>> option, except it counts the number of different recipients that **the 
>> client** has sent messages to in the last time period.”
>> What is a client? Does sending 10 mails with 50 recipients each from one 
>> sender with like a webmailer count like 500 addresses or like 10x 50 
>> addresses because there will probably always be a new connect?
>
> It depends on you, what you use as a key for counting.
>
> ratelimit = 300 / 1d / per_addr / $authenticated_id
>
> Untested! But I'm sure you got the idea :)

Oh - that should work. That wasn’t clear for me from the documentation.

Thanks,

Niels



Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Heiko Schlittermann via Exim-users
Niels Kobschätzki  (Mo 05 Jul 2021 13:54:47 CEST):
> 
> > addresses the users sends mails to in a given time frame.
> >
> > ratelimit = … / per_addr
> 
> According to the documentation: “The per_addr option is like the per_rcpt 
> option, except it counts the number of different recipients that **the 
> client** has sent messages to in the last time period.”
> What is a client? Does sending 10 mails with 50 recipients each from one 
> sender with like a webmailer count like 500 addresses or like 10x 50 
> addresses because there will probably always be a new connect?

It depends on you, what you use as a key for counting.

ratelimit = 300 / 1d / per_addr / $authenticated_id

Untested! But I'm sure you got the idea :)
-- 
Heiko
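An added example (not from any message in this thread) of how Heiko's suggestions combine in the RCPT ACL: the ratelimit is keyed on $authenticated_id, so every webmail session of the same account counts against one counter, and once the limit is reached the message is parked in a named queue and frozen. The limit of 300 distinct recipients per day, the queue name suspect, the acl_m_suspect variable and the exemption file /etc/exim/bulk_senders are assumptions.

```exim
# Added example, not taken from the thread.  Fragment of the RCPT ACL.
# Assumed: acl_smtp_rcpt = acl_check_rcpt, and that submission from webmail
# and MUAs is SMTP-authenticated, so $authenticated_id is set.

acl_check_rcpt:

  # ... the usual relay and verification checks come first ...

  # Count the distinct recipient addresses each authenticated account has
  # sent to during the last day.  The key is $authenticated_id, so ten
  # webmail sessions of 50 recipients each count as 500 distinct addresses
  # for that one account, regardless of client IP or connection.
  # "strict" keeps updating the counter once the limit is exceeded, so a
  # compromised account stays over the limit until the rate decays.
  # Accounts listed (one per line) in /etc/exim/bulk_senders are exempt.
  warn
    authenticated = *
    !condition    = ${lookup{$authenticated_id}lsearch{/etc/exim/bulk_senders}{yes}{no}}
    ratelimit     = 300 / 1d / per_addr / strict / $authenticated_id
    log_message   = ratelimit: $authenticated_id has sent to $sender_rate \
                    distinct recipients in $sender_rate_period \
                    (limit $sender_rate_limit)
    set acl_m_suspect = 1

  # Once flagged, park the message in a separate named queue so that the
  # default queue (what "exim -bpc" counts) is not inflated, and freeze it
  # for manual review.  "exim -qGsuspect -bp" lists the parked messages.
  warn
    condition = ${if eq{$acl_m_suspect}{1}}
    queue     = suspect
    control   = freeze

  # ... remaining RCPT checks and the final accept follow ...
```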




Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Kobschätzki via Exim-users



On 5 Jul 2021, at 14:00, Cyborg via Exim-users wrote:

> On 05.07.21 at 13:19, Niels Kobschätzki via Exim-users wrote:
>> The problem is the identification because you usually get to know it
>> only, when the accounts are actively misused. If I get to know that
>> users were specifically targeted I inform them. And at 2am in the
>> night it might already be too late (you landed yourself on
>> blacklists) - even though you still kick them from the system.
>
> If you don't want to use a form of 2FA, it could be impossible to
> identify hacked accounts before they spam.
>
> The nature of a hacked account is that the attacker has obtained the
> credentials from a PC and its mail program or via phishing. In both
> cases, they have a valid set of credentials, do not produce any login
> error (bruteforcing) and their first login is most likely the moment
> they start spamming.
>
> A 2FA could add the IP to a database (file) and you only accept mails
> from IPs in this list + credentials. The 2FA could be a website to
> login or an Android app.

I know that I can only detect them after the fact - actually after they
started and I can act on it then. I want to automate the acting upon it.
This is about damage mitigation when the preventive measures didn't
help.


Niels



Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Sebastian Nielsen via Exim-users
For webmail just force TOTP. Solves all problems except users that are abusive 
themselves.

-------- Original message --------
From: Niels Dettenbach via Exim-users
Date: 2021-07-05 13:40 (GMT+01:00)
To: Niels Kobschätzki
Cc: exim-users@exim.org
Subject: Re: [exim] Better way to deal with phished users?

On Monday, 5 July 2021, 13:19:45 CEST, Niels Kobschätzki wrote:
> The moment I identify them I lock them out of the system, remove all their
> mails in the queues and they have to reset their password before they can
> do anything again. The problem is the identification because you usually
> get to know it only, when the accounts are actively misused. If I get to
> know that users were specifically targeted I inform them. And at 2am in
> the night it might already be too late (you landed yourself on blacklists)
> - even though you still kick them from the system.

...beside exims "ratelimiting" (which is just lowering the impact at the
cost of all users) - is there any way to monitor the webmail webserver or
application logs from your webmail system (most known webmail solutions
do/allow some way to log with "username")? If someone sends out hundreds of
mails per hour per webmail, this is probably bot behaviour (fail2ban or
similar tools may help then reacting with "some command")...

just as an idea...

niels.
--
 ---
 Niels Dettenbach
 Syndicat IT & Internet
 https://www.syndicat.com
 PGP: https://syndicat.com/pub_key.asc
 ---



Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Kobschätzki via Exim-users


On 5 Jul 2021, at 7:48, Heiko Schlittermann via Exim-users wrote:

> Hi Niels,
>
> Niels Kobschätzki via Exim-users  (Mo 05 Jul 2021 
> 05:40:04 CEST):
>> I have again and again problems with phished users. I want to try a new way 
>> to deal with them but I worry that I mess up parts of our monitoring.
>
> If you want to try a *new* way, what's the *old* approach?
>
>> One sign of a phished user (if they do not try to log in from lots of 
>> different countries) is that they amass in a short time quite some time in 
>> my mail queue. Thus my idea is to check if there is such a user via my 
>> monitoring system and when one is detected, there is a handler that will 
>> freeze that user and all their current mail in the queue. The part of 
>> detecting the spam-user via their count of mails in the queue is tested and 
>> already gave us far better reaction times, the hit ratio is like 90% of the 
>> time it is a spammer, the other times it is a legitimate user with some 
>> other problem (and mails from users who regularly generate messages like 
>> spammers by newsletters and such are already automatically moved to another 
>> mail-server)
>
> One way to detect phished accounts is by ratelimiting the count of unique
> addresses the users send mails to in a given time frame.
>
> ratelimit = … / per_addr

According to the documentation: “The per_addr option is like the per_rcpt 
option, except it counts the number of different recipients that **the client** 
has sent messages to in the last time period.”
What is a client? Does sending 10 mails with 50 recipients each from one sender 
with like a webmailer count like 500 addresses or like 10x 50 addresses because 
there will probably always be a new connect?

Best,
Niels



Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Kobschätzki via Exim-users


On 5 Jul 2021, at 13:25, Niels Dettenbach via Exim-users wrote:

> On Monday, 5 July 2021, 13:19:45 CEST, Niels Kobschätzki wrote:
>> The moment I identify them I lock them out of the system, remove all their
>> mails in the queues and they have to reset their password before they can
>> do anything again. The problem is the identification because you usually
>> get to know it only, when the accounts are actively misused. If I get to
>> know that users were specifically targeted I inform them. And at 2am in
>> the night it might already be too late (you landed yourself on blacklists)
>> - even though you still kick them from the system.
>
> ...beside exims "ratelimiting" (which is just lowering the impact at the cost
> of all users)

actually depending on how the rate limiting works it doesn’t impact all users 
and I can whitelist users that are legitimate but would be hit by the 
rate-limiting.

> - is there any way to monitor the webmail webserver or
> application logs from your webmail system (most known webmail solutions do/
> allow some way to log with "username")? If someone sends out hundreds of
> mails per hour per webmail, this is probably bot behaviour (fail2ban or
> similar tools may help then reacting with "some command")...
>
> just as an idea...

Unfortunately that’s not so easy because you would need to extend the 
webmail-software with a plug-in so that the webmailer is actually aware of 
something like this. And 500 mails with 1 address and 10 mails with 50 
addresses would be probably something different for the webmailer. There are 
some parts on the webmail-side where you can make things harder depending on 
the webmailer.

Niels




Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Cyborg via Exim-users

On 05.07.21 at 13:19, Niels Kobschätzki via Exim-users wrote:

> The problem is the identification because you usually get to know it only, when
> the accounts are actively misused. If I get to know that users were
> specifically targeted I inform them. And at 2am in the night it might already
> be too late (you landed yourself on blacklists) - even though you still kick
> them from the system.



If you don't want to use a form of 2FA, it could be impossible to identify
hacked accounts before they spam.


The nature of a hacked account is that the attacker has obtained the
credentials from a PC and its mail program or via phishing. In both
cases, they have a valid set of credentials, do not produce any login
error (bruteforcing) and their first login is most likely the moment
they start spamming.


A 2FA could add the IP to a database (file) and you only accept mails
from IPs in this list + credentials. The 2FA could be a website to login
or an Android app.


I, for example, used something different: an ip-account-timeframe threshold to
detect botnets, which kicks them reliably at 2 AM before they can spam ;)


Best regards,
Marius






Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Dettenbach via Exim-users
On Monday, 5 July 2021, 13:19:45 CEST, Niels Kobschätzki wrote:
> The moment I identify them I lock them out of the system, remove all their
> mails in the queues and they have to reset their password before they can
> do anything again. The problem is the identification because you usually
> get to know it only, when the accounts are actively misused. If I get to
> know that users were specifically targeted I inform them. And at 2am in
> the night it might already be too late (you landed yourself on blacklists)
> - even though you still kick them from the system.

...beside exims "ratelimiting" (which is just lowering the impact at the cost 
of all users) - is there any way to monitor the webmail webserver or 
application logs from your webmail system (most known webmail solutions do/
allow some way to log with "username")? If someone sends out hundreds of 
mails per hour per webmail, this is probably bot behaviour (fail2ban or 
similar tools may help then reacting with "some command")...

just as an idea...


niels.


-- 
 ---
 Niels Dettenbach
 Syndicat IT & Internet
 https://www.syndicat.com
 PGP: https://syndicat.com/pub_key.asc
 ---


Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Dettenbach via Exim-users
On Monday, 5 July 2021, 09:04:16 CEST, Niels Kobschätzki wrote:
> On 5 Jul 2021, at 7:54, Niels Dettenbach via Exim-users wrote:
> Phished users are users from my mail system which are proven regular users
> who have their accounts for years and whose credentials got compromised
> and are now suddenly used for sending spam- or phishing mails from my mail
> system to other systems (and in that special case they are using the
> Webmail-interface to send out mails and thus they really look like normal
> users from the point of view of the mailing system).
> 
> Thus I want to prevent sending out spam/scam mails from my system to others
> (yes I already have diverse counter-measures in place but for the kind
> mentioned above they all fail and I have to intervene manually)
ouch,

ok.

From my view, the primary way is to force the users to set new credentials 
(if you really mean access credentials - like passwords). As a network / 
email operator on the internet, by "netiquette" it is your responsibility to 
minimize / block abusive traffic from your systems.

At least some countries have regulations by law forcing you to do this (at 
least if you "get aware of").

Until that you may strongly ratelimit or block such users (if you could 
identify them and if it is possible with your contracts / policies) to avoid 
harm to others and (not at least) your own email system (reputation etc.).


best regards,


niels.
-- 
 ---
 Niels Dettenbach
 Syndicat IT & Internet
 https://www.syndicat.com
 PGP: https://syndicat.com/pub_key.asc
 ---


Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Sebastian via Exim-users
The problem is that passwords are insecure. It's much better to lock accounts to
countries or even individual ISPs, offices or IPs.
SMTP and IMAP don't have good support for OTP and other secure authentication
methods, so a good idea is to "enhance" the security by locking accounts to
countries. If users travel, they have to contact customer support.

If you COULD force the end users to always use webmail, you can add TOTP to
that and make things like 100x more secure.
Another way to increase security is to add the latest IP of the latest webmail
login (with TOTP) to a database, and if users want to use IMAP/SMTP, every time
they change country or ISP or ASN or similar, they have to log in to webmail
once to "reenable access".

Try to come up with something like that, because passwords are horribly
insecure, and not many clients support, for example, client certificates.

-----Original message-----
From: Niels Dettenbach via Exim-users
Sent: 5 July 2021 13:17
To: Niels Kobschätzki
Cc: exim-users@exim.org
Subject: Re: [exim] Better way to deal with phished users?

On Monday, 5 July 2021, 09:04:16 CEST, Niels Kobschätzki wrote:
> On 5 Jul 2021, at 7:54, Niels Dettenbach via Exim-users wrote:
> Phished users are users from my mail system which are proven regular users
> who have their accounts for years and whose credentials got compromised
> and are now suddenly used for sending spam- or phishing mails from my mail
> system to other systems (and in that special case they are using the
> Webmail-interface to send out mails and thus they really look like normal
> users from the point of view of the mailing system).
> 
> Thus I want to prevent sending out spam/scam mails from my system to others
> (yes I already have diverse counter-measures in place but for the kind
> mentioned above they all fail and I have to intervene manually)
ouch,

ok.

From my view, the primary way is to force the users to set new credentials 
(if you really mean access credentials - like passwords). As a network / 
email operator on the internet, by "netiquette" it is your responsibility to 
minimize / block abusive traffic from your systems.

At least some countries have regulations by law forcing you to do this (at 
least if you "get aware of").

Until that you may strongly ratelimit or block such users (if you could 
identify them and if it is possible with your contracts / policies) to avoid 
harm to others and (not at least) your own email system (reputation etc.).


best regards,


niels.
-- 
 ---
 Niels Dettenbach
 Syndicat IT & Internet
 https://www.syndicat.com
 PGP: https://syndicat.com/pub_key.asc
 ---


Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Kobschätzki via Exim-users


On 5 Jul 2021, at 13:06, Niels Dettenbach wrote:

> On Monday, 5 July 2021, 09:04:16 CEST, Niels Kobschätzki wrote:
>> On 5 Jul 2021, at 7:54, Niels Dettenbach via Exim-users wrote:
>> Phished users are users from my mail system which are proven regular users
>> who have their accounts for years and whose credentials got compromised
>> and are now suddenly used for sending spam- or phishing mails from my mail
>> system to other systems (and in that special case they are using the
>> Webmail-interface to send out mails and thus they really look like normal
>> users from the point of view of the mailing system).
>>
>> Thus I want to prevent sending out spam/scam mails from my system to others
>> (yes I already have diverse counter-measures in place but for the kind
>> mentioned above they all fail and I have to intervene manually)
> ouch,
>
> ok.
>
> From my view, the primary way is to force the users to set new credentials
> (if you really mean access credentials - like passwords). As a network /
> email operator on the internet, by "netiquette" it is your responsibility to
> minimize / block abusive traffic from your systems.
>
> At least some countries have regulations by law forcing you to do this (at
> least if you "get aware of").
>
> Until that you may strongly ratelimit or block such users (if you could
> identify them and if it is possible with your contracts / policies) to avoid
> harm to others and (not at least) your own email system (reputation etc.).

The moment I identify them I lock them out of the system, remove all their 
mails in the queues and they have to reset their password before they can do 
anything again.
The problem is the identification because you usually get to know it only, when 
the accounts are actively misused. If I get to know that users were 
specifically targeted I inform them. And at 2am in the night it might already 
be too late (you landed yourself on blacklists) - even though you still kick 
them from the system.

Niels K.



Re: [exim] Error while reading cert or key file

2021-07-05 Thread Adrian via Exim-users
Heiko Schlittermann wrote
>> systemctl restart dovecot
>Why dovecot?

I don't remember why, it was a while ago.  Maybe unnecessary.  I did
know that exim4 re-reads the file and a restart wasn't needed for it.

The moduli match as root.  But I realised it was important to do it as
Debian-exim.  I don't have sudo installed but used  su -s /bin/bash
Debian-exim.  (Thanks for listing the exact commands BTW).

And the error was fairly obvious.  I couldn't read the cert file or the
symlink to it.

/etc/letsencrypt and its subdirectories live and archive were group
executable (750), but the group was root.  Changing the group to
Debian-exim fixed the problem.  The private keys are still (700
root:root) so I trust this hasn't reduced security.

Thanks Heiko!

Adrian



Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Kobschätzki via Exim-users


On 5 Jul 2021, at 7:48, Heiko Schlittermann via Exim-users wrote:

> Hi Niels,
>
> Niels Kobschätzki via Exim-users  (Mo 05 Jul 2021 
> 05:40:04 CEST):
>> I have again and again problems with phished users. I want to try a new way 
>> to deal with them but I worry that I mess up parts of our monitoring.
>
> If you want to try a *new* way, what's the *old* approach?

There are diverse measures but for that special case there was none (we noticed 
that special case when the mailqueue got too high) but recently the problem got 
really annoying and I want to automate it. Especially when the spammer hits the 
mail system 2am in the morning.

>
>> One sign of a phished user (if they do not try to log in from lots of 
>> different countries) is that they amass in a short time quite some time in 
>> my mail queue. Thus my idea is to check if there is such a user via my 
>> monitoring system and when one is detected, there is a handler that will 
>> freeze that user and all their current mail in the queue. The part of 
>> detecting the spam-user via their count of mails in the queue is tested and 
>> already gave us far better reaction times, the hit ratio is like 90% of the 
>> time it is a spammer, the other times it is a legitimate user with some 
>> other problem (and mails from users who regularly generate messages like 
>> spammers by newsletters and such are already automatically moved to another 
>> mail-server)
>
> One way to detect phished accounts is by ratelimiting the count of unique
> addresses the users send mails to in a given time frame.
>
> ratelimit = … / per_addr
>
>> Iirc exim introduced multiple queues a while ago, do I remember correctly? 
>> Could I move those mails from such a user to a new queue, so that for 
>> example exim -bpc won’t count them? Or is there a better way than my idea 
>> above?
>
> So somewhere in the RCPT acl
>
> ratelimit = … / per_addr
> queue = …
>
> could do the trick.

I didn’t know you could do that kind of rate-limiting. Even though I regularly 
read the exim-documentation (or parts of it). Thanks I will try that.

Niels




Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Kobschätzki via Exim-users
On 5 Jul 2021, at 7:54, Niels Dettenbach via Exim-users wrote:

> On Monday, 5 July 2021, 05:40:04 CEST, Niels Kobschätzki via Exim-users wrote:
>> I have again and again problems with phished users.
> just my view to this:
>
> what are "phished users"?

Phished users are users from my mail system which are proven regular users who 
have their accounts for years and whose credentials got compromised and are now 
suddenly used for sending spam- or phishing mails from my mail system to other 
systems (and in that special case they are using the Webmail-interface to send 
out mails and thus they really look like normal users from the point of view of 
the mailing system).

Thus I want to prevent sending out spam/scam mails from my system to others 
(yes I already have diverse counter-measures in place but for the kind 
mentioned above they all fail and I have to intervene manually)

Niels



Re: [exim] Error while reading cert or key file

2021-07-05 Thread Adrian via Exim-users


On Sun, 04 Jul 2021 23:03:47 +
u...@net9.ga wrote:

>lsattr  -  list  file attributes on a Linux second 
>   extended file system
> 
> I doubt this is the problem, but I have nothing better to offer.

Thanks u34

No it doesn't seem related.  Lsattr's output for the key and for the
target of the cert symlink are --e on the working
system and the new one.



Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Heiko Schlittermann via Exim-users
Hi Niels,

Niels Kobschätzki via Exim-Users  (Mon 05 Jul 2021 05:40:04 
CEST):
> I have again and again problems with phished users. I want to try a new way 
> to deal with them but I worry that I mess up parts of our monitoring.

If you want to try a *new* way, what's the *old* approach?

> One sign of a phished user (if they do not try to log in from lots of 
> different countries) is that they amass in a short time quite some mail in my 
> mail queue. Thus my idea is to check if there is such a user via my 
> monitoring system and when one is detected, there is a handler that will 
> freeze that user and all their current mail in the queue. The part of 
> detecting the spam user via their count of mails in the queue is tested and 
> already gave us far better reaction times; the hit ratio is like 90% of the 
> time it is a spammer, the other times it is a legitimate user with some other 
> problem (and mails from users who regularly generate messages like spammers, 
> by newsletters and such, are already automatically moved to another 
> mail server). 

One way to detect phished accounts is by ratelimiting the count of unique
addresses the user sends mails to in a given time frame.

ratelimit = … / per_addr
 
> IIRC Exim introduced multiple queues a while ago, do I remember correctly? 
> Could I move those mails from such a user to a new queue, so that for example 
> exim -bpc won’t count them? Or is there a better way than my idea above?

So somewhere in the RCPT acl

ratelimit = … / per_addr
queue = …

could do the trick.

Best regards from Dresden/Germany
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -


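A concrete version of the RCPT ACL sketch above (the same suggestion is quoted in Niels Kobschätzki's reply further up), as an added example that is not part of the original posts or of the Exim distribution. The ratelimit is keyed on $authenticated_id instead of the default client IP, so it counts distinct recipients per account across webmail, IMAP clients and changing addresses; once an account exceeds it, the message is still accepted but spooled to a named queue that no queue runner serves, so it sits there until an admin looks at it and a plain `exim -bpc` (which counts only the default queue) no longer sees it. The ACL name `acl_check_rcpt`, the ACL variable `acl_m_suspect`, the queue name `suspect`, the limit of 30 distinct recipients per hour, and the assumption that this is a submission-only service (authenticated clients only, no inbound MX traffic) are choices made for the example.

```exim
# Added example (not from the thread): RCPT ACL fragment for an Exim 4.9x
# submission host (port 587, authenticated clients only).  Assumed names:
# acl_check_rcpt, acl_m_suspect, named queue "suspect", 30 recipients/hour.
#
# Main section:
#   acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # per_addr counts *distinct* recipient addresses in the period, so a user
  # who mails the same five colleagues all day never trips this, while a
  # compromised account spraying a harvested list does.  The key is the
  # authenticated login, not $sender_host_address, so the count follows the
  # account wherever it logs in from.  "strict" keeps updating the rate while
  # over the limit, so the account stays flagged until its activity actually
  # stops, instead of being admitted again as soon as the rate decays.
  # The ratelimit condition is true only when the limit is exceeded; the
  # modifiers after it run only in that case.
  warn
    authenticated = *
    ratelimit     = 30 / 1h / per_addr / strict / $authenticated_id
    set acl_m_suspect = yes
    logwrite      = RATELIMIT: $authenticated_id reached $sender_rate distinct \
                    recipients per $sender_rate_period (limit $sender_rate_limit) \
                    from $sender_host_address; spooling to queue "suspect"

  # Accept, but spool on the named queue.  No queue runner is configured for
  # "suspect", so nothing leaves it until an admin decides:
  #   exim -bp  -qGsuspect        # list the suspect queue
  #   exim -bpc -qGsuspect        # count it (plain -bpc counts the default queue only)
  #   exim -qGsuspect             # deliver it after review
  #   exim -Mrm <message-id>      # or discard individual messages
  accept
    authenticated = *
    condition     = ${if eq{$acl_m_suspect}{yes}}
    queue         = suspect

  # Authenticated and under the limit: normal submission path.
  # Site-specific checks (recipient syntax, DNS checks, ...) would go here.
  accept
    authenticated = *

  # Everyone else is refused; a submission host does not relay for strangers.
  deny
    message = relay not permitted
```

Two practical notes. First, the obvious alternative, `control = freeze` in the same `warn` statement, does stop delivery too, but frozen messages stay on the default queue and are still counted by `exim -bpc`, which is exactly what the monitoring in the thread wants to avoid. Second, the rate state lives in Exim's ratelimit hints database, so the first few messages after a restart or after the database is cleared are not limited; a separate feed from the monitoring system (e.g. a lookup of already-flagged accounts) is the usual complement for accounts that are known bad rather than merely fast.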


Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Dettenbach via Exim-users
On Monday, 5 July 2021, 05:40:04 CEST, Niels Kobschätzki via Exim-users wrote:
> I have again and again problems with phished users.
just my view to this:

what are "phished users"?

Email addresses are (by design) not "secrets". Keeping mail addresses secret as an 
"anti-spam measure" is just weird and, as the current "hotmail" spam shows, 
widely useless. 

Minimizing spam could and should be the job of the respective email ISP / 
admin / hostmasters, independent of how "old" and widely used an email 
address is and how openly it is shown on the web etc.

This "current" hotmail CC spam is in most cases coming from outlook.com 
servers (Microsoft) and it is their job to solve that; if not, their 
senders get a problem because of the horrible reputation of their email 
provider.

For us, we solved it by giving hotmail.com senders a significantly "lower 
reputation" until Microsoft solves this.


just my .02$


niels.


-- 
 ---
 Niels Dettenbach
 Syndicat IT & Internet
 https://www.syndicat.com
 PGP: https://syndicat.com/pub_key.asc
 ---