Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Heiko Schlittermann via Exim-users
Niels Kobschätzki via Exim-users  (Mo 05 Jul 2021 14:00:02 
CEST):
> >
> > ...beside exims "ratelimiting" (which is just lowering the impact at the 
> > cost
> > of all users)
> 
> actually depending on how the rate limiting works it doesn’t impact all users 
> and I can whitelist users that are legitimate but would be hit by the 
> rate-limiting.

I think, if you follow the initial suggestion, limiting the pure number
of distinct addresses per interval, the impact should be relatively low.

Users sending tons of mails to the same destination are not impacted,
users sending a newsletter to a ton of destinations are not impacted, if
you choose a well balanced rate (e.g. for Exim's ratelimit "engine" it's
a subtle difference between 60/1m and 3600/1h).

And, as the ratelimit condition is expanded, you can do whatever your
creativity dictates (e.g. lookup the limits in a database).

-- 
Heiko


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Jeremy Harris via Exim-users

On 05/07/2021 17:21, Cyborg via Exim-users wrote:
> that transport filter can do anything you like, i.e. counting the number of
> mails per timeframe per authid and block the ip,
> disable the account, clear the messagequeue and it also can technically, blank
> the actual message, so it's not spam anymore ;)
>
> It's not what transport filters are used for normally, but i think, it would do
> the trick.


Overkill.  Use an ACL expansion in a condition on the router,
which can do a ratelimit test/modify and control whether
the router triggers.
--
Cheers,
  Jeremy



Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Cyborg via Exim-users

On 05.07.21 at 14:42 Niels Kobschätzki wrote:

> I want to automate the acting upon it. This is about damage
> mitigation when the preventive measures didn't help.

How about:

remote_smtp:
  driver = smtp
  .include_if_exists /etc/exim/ip.conf
  transport_filter = '/usr/local/sbin/count-script.pl' '$sender_host_address' '$authenticated_id'

  ... options ...
  tls_tempfail_tryclear = false


that transport filter can do anything you like, i.e. counting the number 
of mails per timeframe per authid and block the ip,
disable the account, clear the messagequeue and it also can technically, 
blank the actual message, so it's not spam anymore ;)


It's not what transport filters are used for normally, but i think, it 
would do the trick. All you need to make sure is, that STDIN goes 
untampered to STDOUT, in case the message is fine. It may drop the 
server performance a bit on high traffic systems...


best regards,
Marius




Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Kobschätzki via Exim-users


On 5 Jul 2021, at 15:09, Heiko Schlittermann via Exim-users wrote:

> Niels Kobschätzki  (Mo 05 Jul 2021 13:54:47 CEST):
>>
>>> addresses the users sends mails to in a given time frame.
>>>
>>> ratelimit = … / per_addr
>>
>> According to the documentation: “The per_addr option is like the per_rcpt 
>> option, except it counts the number of different recipients that **the 
>> client** has sent messages to in the last time period.”
>> What is a client? Does sending 10 mails with 50 recipients each from one 
>> sender with like a webmailer count like 500 addresses or like 10x 50 
>> addresses because there will probably always be a new connect?
>
> It depends on you, what you use as a key for counting.
>
> ratelimit = 300 / 1d / per_addr / $authenticated_id
>
> Untested! But I'm sure you got the idea :)

Oh - that should work. That wasn't clear to me from the documentation.

Thanks,

Niels



Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Heiko Schlittermann via Exim-users
Niels Kobschätzki  (Mo 05 Jul 2021 13:54:47 CEST):
> 
> > addresses the users sends mails to in a given time frame.
> >
> > ratelimit = … / per_addr
> 
> According to the documentation: “The per_addr option is like the per_rcpt 
> option, except it counts the number of different recipients that **the 
> client** has sent messages to in the last time period.”
> What is a client? Does sending 10 mails with 50 recipients each from one 
> sender with like a webmailer count like 500 addresses or like 10x 50 
> addresses because there will probably always be a new connect?

It depends on you, what you use as a key for counting.

ratelimit = 300 / 1d / per_addr / $authenticated_id

Untested! But I'm sure you got the idea :)
-- 
Heiko




Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Kobschätzki via Exim-users



On 5 Jul 2021, at 14:00, Cyborg via Exim-users wrote:


> On 05.07.21 at 13:19 Niels Kobschätzki via Exim-users wrote:
> > The problem is the identification because you usually get to know it
> > only, when the accounts are actively misused. If I get to know that
> > users were specifically targeted I inform them. And at 2am in the
> > night it might already be too late (you landed yourself on
> > blacklists) - even though you still kick them from the system.
>
> If you don't want to use a form of 2FA, it could be impossible to
> identify hacked accounts before they spam.
>
> The nature of a hacked account is, that the attacker has obtained the
> credentials from a PC and its mail program or via phishing. In both
> cases, they have a valid set of credentials, do not produce any login
> error ( bruteforcing ) and their first login is most likely the moment
> they start spamming.
>
> A 2FA could add the IP to a database(file) and you only accept mails
> from IPs in this list + credentials. The 2FA could be a Website to
> login or an android app.


I know that I can only detect them after the fact - actually after they 
started and I can act on it then. I want to automate the acting upon it. 
This is about damage mitigation when the preventive measures didn’t 
help.


Niels



Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Sebastian Nielsen via Exim-users
For webmail just force TOTP. Solves all problems except users that are abusive 
themselves.
-------- Original message --------
From: Niels Dettenbach via Exim-users
Date: 2021-07-05 13:40 (GMT+01:00)
To: Niels Kobschätzki
Cc: exim-users@exim.org
Subject: Re: [exim] Better way to deal with phished users?

On Monday, 5 July 2021, 13:19:45 CEST, Niels Kobschätzki wrote:
> The moment I identify them I lock them out of the system, remove all their
> mails in the queues and they have to reset their password before they can
> do anything again. The problem is the identification because you usually
> get to know it only, when the accounts are actively misused. If I get to
> know that users were specifically targeted I inform them. And at 2am in
> the night it might already be too late (you landed yourself on blacklists)
> - even though you still kick them from the system.

...beside Exim's "ratelimiting" (which is just lowering the impact at the
cost of all users) - is there any way to monitor the webmail webserver or
application logs from your webmail system (most known webmail solutions
do/allow some way to log with "username")? If someone sends out hundreds of
mails per hour per webmail, this is probably bot behaviour (fail2ban or
similar tools may help then reacting with "some command")...

just as an idea...

niels.
-- 
 ---
 Niels Dettenbach
 Syndicat IT & Internet
 https://www.syndicat.com
 PGP: https://syndicat.com/pub_key.asc
 ---



Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Kobschätzki via Exim-users


On 5 Jul 2021, at 7:48, Heiko Schlittermann via Exim-users wrote:

> Hi Niels,
>
> Niels Kobschätzki via Exim-users  (Mo 05 Jul 2021 
> 05:40:04 CEST):
>> I have again and again problems with phished users. I want to try a new way 
>> to deal with them but I worry that I mess up parts of our monitoring.
>
> If you want to try a *new* way, what's the *old* approach?
>
>> One sign of a phished user (if they do not try to log in from lots of 
>> different countries) is that they amass in a short time quite some time in 
>> my mail queue. Thus my idea is to check if there is such a user via my 
>> monitoring system and when one is detected, there is a handler that will 
>> freeze that user and all their current mail in the queue. The part of 
>> detecting the spam-user via their count of mails in the queue is tested and 
>> already gave us far better reaction times, the hit ratio is like 90% of the 
>> time it is a spammer, the other times it is a legitimate user with some 
>> other problem (and mails from users who regularly generate messages like 
>> spammers by newsletters and such are already automatically moved to another 
>> mail-server)
>
> One way to detect phished accounts is by ratelimiting the count of unique
> addresses the user sends mails to in a given time frame.
>
> ratelimit = … / per_addr

According to the documentation: “The per_addr option is like the per_rcpt 
option, except it counts the number of different recipients that **the client** 
has sent messages to in the last time period.”
What is a client? Does sending 10 mails with 50 recipients each from one sender 
with like a webmailer count like 500 addresses or like 10x 50 addresses because 
there will probably always be a new connect?

Best,
Niels



Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Kobschätzki via Exim-users


On 5 Jul 2021, at 13:25, Niels Dettenbach via Exim-users wrote:

> On Monday, 5 July 2021, 13:19:45 CEST, Niels Kobschätzki wrote:
>> The moment I identify them I lock them out of the system, remove all their
>> mails in the queues and they have to reset their password before they can
>> do anything again. The problem is the identification because you usually
>> get to know it only, when the accounts are actively misused. If I get to
>> know that users where specifically targeted I inform them. And at 2am in
>> the night it might already be too late (you landed yourself on blacklists)
>> - even though you still kick them from the system.
>
> ...beside exims "ratelimiting" (which is just lowering the impact at the cost
> of all users)

actually depending on how the rate limiting works it doesn’t impact all users 
and I can whitelist users that are legitimate but would be hit by the 
rate-limiting.

> - is there any way to monitor the webmail webserver or
> application logs from your webmail system (most known webmail solutions do/
> allow some way to log with "username")? If someone sends out hundreds of
> mails per hour per webmail, this is probably bot behaviour (fail2ban or
> similar tools may help then reacting with "some command")...
>
> just as an idea...

Unfortunately that’s not so easy because you would need to extend the 
webmail-software with a plug-in so that the webmailer is actually aware of 
something like this. And 500 mails with 1 address and 10 mails with 50 
addresses would be probably something different for the webmailer. There are 
some parts on the webmail-side where you can make things harder depending on 
the webmailer.

Niels




Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Cyborg via Exim-users

On 05.07.21 at 13:19 Niels Kobschätzki via Exim-users wrote:

> The problem is the identification because you usually get to know it only, when
> the accounts are actively misused. If I get to know that users were
> specifically targeted I inform them. And at 2am in the night it might already
> be too late (you landed yourself on blacklists) - even though you still kick
> them from the system.



If you don't want to use a form of 2FA, it could be impossible to identify 
hacked accounts before they spam.


The nature of a hacked account is, that the attacker has obtained the 
credentials from a PC and its mail program or via phishing. In both 
cases, they have a valid set of credentials, do not produce any login 
error ( bruteforcing ) and their first login is most likely the moment 
they start spamming.


A 2FA could add the IP to a database(file) and you only accept mails 
from IPs in this list + credentials. The 2FA could be a Website to login 
or an android app.


I i.e. used something different: an ip-account-timeframe threshold to 
detect botnets, which kicks them reliably at 2 AM before they can spam ;)


Best regards,
Marius






Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Dettenbach via Exim-users
On Monday, 5 July 2021, 13:19:45 CEST, Niels Kobschätzki wrote:
> The moment I identify them I lock them out of the system, remove all their
> mails in the queues and they have to reset their password before they can
> do anything again. The problem is the identification because you usually
> get to know it only, when the accounts are actively misused. If I get to
> know that users where specifically targeted I inform them. And at 2am in
> the night it might already be too late (you landed yourself on blacklists)
> - even though you still kick them from the system.

...beside Exim's "ratelimiting" (which is just lowering the impact at the cost 
of all users) - is there any way to monitor the webmail webserver or 
application logs from your webmail system (most known webmail solutions do/
allow some way to log with "username")? If someone sends out hundreds of 
mails per hour per webmail, this is probably bot behaviour (fail2ban or 
similar tools may help then reacting with "some command")...

just as an idea...


niels.


-- 
 ---
 Niels Dettenbach
 Syndicat IT & Internet
 https://www.syndicat.com
 PGP: https://syndicat.com/pub_key.asc
 ---
 









Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Dettenbach via Exim-users
On Monday, 5 July 2021, 09:04:16 CEST, Niels Kobschätzki wrote:
> On 5 Jul 2021, at 7:54, Niels Dettenbach via Exim-users wrote:
> Phished users are users from my mail system which are proven regular users
> who have their accounts for years and whose credentials got compromised
> and are now suddenly used for sending spam- or phishing mails from my mail
> system to other systems (and in that special case they are using the
> Webmail-interface to send out mails and thus they really look like normal
> users from the point of view of the mailing system).
> 
> Thus I want to prevent sending out spam/scam mails from my system to others
> (yes I already have diverse counter-measures in place but for the kind
> mentioned above they all fail and I have to intervene manually)
ouch,

ok.

From my view, the primary way is to force the users to set new credentials 
(if you really mean access credentials - like passwords). As a network / 
email operator on the internet, by "netiquette" it is your responsibility to 
minimize / block abusive traffic from your systems.

At least some countries have regulations by law forcing you to do this (at 
least if you "get aware of").

Until that you may strongly ratelimit or block such users (if you could 
identify them and if it is possible with your contracts / policies) to avoid 
harm to others and (not at least) your own email system (reputation etc.).


best regards,


niels.
-- 
 ---
 Niels Dettenbach
 Syndicat IT & Internet
 https://www.syndicat.com
 PGP: https://syndicat.com/pub_key.asc
 ---
 









Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Sebastian via Exim-users
The problem is that passwords are insecure. It's much better to lock accounts
to countries or even individual ISPs, offices or IPs.
SMTP and IMAP don't have good support for OTP and other secure authentication
methods, so a good idea is to "enhance" the security by locking accounts to
countries. If users travel, they have to contact customer support.

If you COULD force the end users to always use webmail, you can add TOTP to
that and make things like 100x more secure.
Another way to increase security is to add the latest IP of the latest webmail
login (with TOTP) to a database, and if users want to use imap/smtp, every time
they change country or ISP or ASN or similar, they have to login to webmail
once to "reenable access".

Try to come up with something like that, because passwords are horribly
insecure, and it's not many clients that support for example client
certificates.

-----Original message-----
From: Niels Dettenbach via Exim-users
Sent: 5 July 2021 13:17
To: Niels Kobschätzki
Cc: exim-users@exim.org
Subject: Re: [exim] Better way to deal with phished users?

On Monday, 5 July 2021, 09:04:16 CEST, Niels Kobschätzki wrote:
> On 5 Jul 2021, at 7:54, Niels Dettenbach via Exim-users wrote:
> Phished users are users from my mail system which are proven regular users
> who have their accounts for years and whose credentials got compromised
> and are now suddenly used for sending spam- or phishing mails from my mail
> system to other systems (and in that special case they are using the
> Webmail-interface to send out mails and thus they really look like normal
> users from the point of view of the mailing system).
> 
> Thus I want to prevent sending out spam/scam mails from my system to others
> (yes I already have diverse counter-measures in place but for the kind
> mentioned above they all fail and I have to intervene manually)
ouch,

ok.

From my view, the primary way is to force the users to set new credentials 
(if you really mean access credentials - like passwords). As a network / 
email operator on the internet, by "netiquette" it is your responsibility to 
minimize / block abusive traffic from your systems.

At least some countries have regulations by law forcing you to do this (at 
least if you "get aware of").

Until that you may strongly ratelimit or block such users (if you could 
identify them and if it is possible with your contracts / policies) to avoid 
harm to others and (not at least) your own email system (reputation etc.).


best regards,


niels.
-- 
 ---
 Niels Dettenbach
 Syndicat IT & Internet
 https://www.syndicat.com
 PGP: https://syndicat.com/pub_key.asc
 ---
 









Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Kobschätzki via Exim-users


On 5 Jul 2021, at 13:06, Niels Dettenbach wrote:

> On Monday, 5 July 2021, 09:04:16 CEST, Niels Kobschätzki wrote:
>> On 5 Jul 2021, at 7:54, Niels Dettenbach via Exim-users wrote:
>> Phished users are users from my mail system which are proven regular users
>> who have their accounts for years and whose credentials got compromised
>> and are now suddenly used for sending spam- or phishing mails from my mail
>> system to other systems (and in that special case they are using the
>> Webmail-interface to send out mails and thus they really look like normal
>> users from the point of view of the mailing system).
>>
>> Thus I want to prevent sending out spam/scam mails from my system to others
>> (yes I already have diverse counter-measures in place but for the kind
>> mentioned above they all fail and I have to intervene manually)
> ouch,
>
> ok.
>
> From my view, the primary way is to force the users to set new credentials
> (if you really mean access credentials - like passwords). As a network /
> email operator on the internet, by "netiquette" it is your responsibility to
> minimize / block abusive traffic from your systems.
>
> At least some countries have regulations by law forcing you to do this (at
> least if you "get aware of").
>
> Until that you may strongly ratelimit or block such users (if you could
> identify them and if it is possible with your contracts / policies) to avoid
> harm to others and (not at least) your own email system (reputation etc.).

The moment I identify them I lock them out of the system, remove all their 
mails in the queues and they have to reset their password before they can do 
anything again.
The problem is the identification because you usually get to know it only, when 
the accounts are actively misused. If I get to know that users were 
specifically targeted I inform them. And at 2am in the night it might already 
be too late (you landed yourself on blacklists) - even though you still kick 
them from the system.

Niels K.



Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Kobschätzki via Exim-users


On 5 Jul 2021, at 7:48, Heiko Schlittermann via Exim-users wrote:

> Hi Niels,
>
> Niels Kobschätzki via Exim-users  (Mo 05 Jul 2021 
> 05:40:04 CEST):
>> I have again and again problems with phished users. I want to try a new way 
>> to deal with them but I worry that I mess up parts of our monitoring.
>
> If you want to try a *new* way, what's the *old* approach?

There are diverse measures but for that special case there was none (we noticed 
that special case when the mailqueue got too high) but recently the problem got 
really annoying and I want to automate it. Especially when the spammer hits the 
mail system 2am in the morning.

>
>> One sign of a phished user (if they do not try to log in from lots of 
>> different countries) is that they amass in a short time quite some time in 
>> my mail queue. Thus my idea is to check if there is such a user via my 
>> monitoring system and when one is detected, there is a handler that will 
>> freeze that user and all their current mail in the queue. The part of 
>> detecting the spam-user via their count of mails in the queue is tested and 
>> already gave us far better reaction times, the hit ratio is like 90% of the 
>> time it is a spammer, the other times it is a legitimate user with some 
>> other problem (and mails from users who regularly generate messages like 
>> spammers by newsletters and such are already automatically moved to another 
>> mail-server)
>
> One way to detect phished accounts is by ratelimiting the count of unique
> addresses the user sends mails to in a given time frame.
>
> ratelimit = … / per_addr
>
>> Iirc exim introduced multiple queues a while ago, do I remember correctly? 
>> Could I move those mails from such a user to a new queue, so that for 
>> example exim -bpc won’t count them? Or is there a better way than my idea 
>> above?
>
> So somewhere in the RCPT acl
>
> ratelimit = … / per_addr
> queue = …
>
> could do the trick.

I didn’t know you could do that kind of rate-limiting. Even though I regularly 
read the exim-documentation (or parts of it). Thanks I will try that.

Niels




Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Kobschätzki via Exim-users
On 5 Jul 2021, at 7:54, Niels Dettenbach via Exim-users wrote:

> On Monday, 5 July 2021, 05:40:04 CEST, Niels Kobschätzki via Exim-users wrote:
>> I have again and again problems with phished users.
> just my view to this:
>
> what are "phished users"?

Phished users are users from my mail system which are proven regular users who 
have their accounts for years and whose credentials got compromised and are now 
suddenly used for sending spam- or phishing mails from my mail system to other 
systems (and in that special case they are using the Webmail-interface to send 
out mails and thus they really look like normal users from the point of view of 
the mailing system).

Thus I want to prevent sending out spam/scam mails from my system to others 
(yes I already have diverse counter-measures in place but for the kind 
mentioned above they all fail and I have to intervene manually)

Niels



Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Heiko Schlittermann via Exim-users
Hi Niels,

Niels Kobschätzki via Exim-users  (Mo 05 Jul 2021 05:40:04 
CEST):
> I have again and again problems with phished users. I want to try a new way 
> to deal with them but I worry that I mess up parts of our monitoring.

If you want to try a *new* way, what's the *old* approach?

> One sign of a phished user (if they do not try to log in from lots of 
> different countries) is that they amass in a short time quite some time in my 
> mail queue. Thus my idea is to check if there is such a user via my 
> monitoring system and when one is detected, there is a handler that will 
> freeze that user and all their current mail in the queue. The part of 
> detecting the spam-user via their count of mails in the queue is tested and 
> already gave us far better reaction times, the hit ratio is like 90% of the 
> time it is a spammer, the other times it is a legitimate user with some other 
> problem (and mails from users who regularly generate messages like spammers 
> by newsletters and such are already automatically moved to another 
> mail-server) 

One way to detect phished accounts is by ratelimiting the count of unique
addresses the user sends mails to in a given time frame.

ratelimit = … / per_addr
 
> Iirc exim introduced multiple queues a while ago, do I remember correctly? 
> Could I move those mails from such a user to a new queue, so that for example 
> exim -bpc won’t count them? Or is there a better way than my idea above?

So somewhere in the RCPT acl

ratelimit = … / per_addr
queue = …

could do the trick.

Best regards from Dresden/Germany
Many greetings from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -


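The `ratelimit = … / per_addr` plus `queue = …` idea from this reply, keyed on `$authenticated_id` as Heiko spells out in his later reply (`ratelimit = 300 / 1d / per_addr / $authenticated_id`) and with the per-user limit lookup he also mentions, assembled into one RCPT ACL fragment. This is an added example, not configuration from the thread or from the Exim project. It assumes the submission ACL is called `acl_check_rcpt`, that `/etc/exim/ratelimits` is an lsearch file of per-user overrides, and that a named queue called `suspect` (Exim 4.88 and later) is acceptable on the host.

```exim
# Added example (not from the thread or the Exim project): limit the number of
# *distinct* recipient addresses per authenticated user and park offenders for
# human review.  Assumed names: acl_check_rcpt, /etc/exim/ratelimits, queue
# "suspect".  Adjust to your configuration.

acl_check_rcpt:

  # ... the usual local-recipient and relay checks come before this ...

  # Only authenticated submissions are counted; MX traffic is left alone.
  # The limit is an expanded string, so it is looked up per user: a known
  # bulk sender gets a line such as
  #     newsletter@example.org: 20000
  # in /etc/exim/ratelimits rather than being exempted from the check
  # altogether, and everybody without an entry gets 300 distinct addresses
  # per day.  Keep Heiko's remark in mind when choosing the period: 60/1m and
  # 3600/1h are not the same limit, because the period also sets how quickly
  # the smoothed rate reacts to a burst.
  warn
    authenticated = *
    ratelimit = ${lookup{$authenticated_id}lsearch{/etc/exim/ratelimits}{$value}{300}} / 1d / per_addr / $authenticated_id
    log_message = RATELIMIT authid=${authenticated_id} rate=$sender_rate limit=$sender_rate_limit period=$sender_rate_period
    # Spool the message into a named queue so that "exim -bpc" on the default
    # queue (the monitoring metric from the original post) does not count it,
    # then freeze it for an administrator to look at.  no_tell suppresses the
    # per-message freeze notification to postmaster, which is only noise
    # during a burst.
    queue = suspect
    control = freeze/no_tell

  # Senders under their limit continue with the rest of the ACL.
  accept
```

Messages in the `suspect` queue are only delivered by a queue runner started with `-qGsuspect`, and `-qGsuspect` combined with `-bp` lists that queue, so the default queue's counts stay clean while an admin decides whether to thaw (`exim -Mt`) or remove the messages; the `timeout_frozen_after` setting discussed in the original post then bounds how long an unreviewed message survives.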


Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Dettenbach via Exim-users
On Monday, 5 July 2021, 05:40:04 CEST, Niels Kobschätzki via Exim-users wrote:
> I have again and again problems with phished users.
just my view to this:

what are "phished users"?

email addresses are (by idea) no "secrets". "Secreting" mail addresses as an 
"anti spam measure" is just weird and - as the current "hotmail" spam shows it 
- widely useless. 

Minimizing spam could and should be the issue of the regarding email ISP / 
admin / hostmasters, independent from how "old" and widely used an email 
address is and how open it is shown in the web etc..

This "current" hotmail CC spam in most cases is coming from outlook.com 
servers (Microsoft) and it is their thing to solve that - if not, their 
senders get a problem because of a horrible reputation of their email 
provider.

For us, we solved it by giving hotmail.com senders a significant "lower 
reputation" until Microsoft solves this.


just my .02$


niels.


-- 
 ---
 Niels Dettenbach
 Syndicat IT & Internet
 https://www.syndicat.com
 PGP: https://syndicat.com/pub_key.asc
 ---
 









[exim] Better way to deal with phished users?

2021-07-04 Thread Niels Kobschätzki via Exim-users
Hi,

I have again and again problems with phished users. I want to try a new way to 
deal with them but I worry that I mess up parts of our monitoring.
One sign of a phished user (if they do not try to log in from lots of different 
countries) is that they amass in a short time quite some time in my mail queue. 
Thus my idea is to check if there is such a user via my monitoring system and 
when one is detected, there is a handler that will freeze that user and all 
their current mail in the queue. The part of detecting the spam-user via their 
count of mails in the queue is tested and already gave us far better reaction 
times, the hit ratio is like 90% of the time it is a spammer, the other times 
it is a legitimate user with some other problem (and mails from users who 
regularly generate messages like spammers by newsletters and such are already 
automatically moved to another mail-server) 

The freezing will give the administrators time to check if it is spam or not 
(like 30 mails all with a big alphabetical list going to one domain like 
hotmail.com) and then handle it as we usually handle those cases.

Our timeout_frozen_after timeout is currently rather short (5 minutes) and I 
wonder if I increase it like to 16hours (enough time to check on a user, even 
when it happens late in the evening on a saturday and you don’t want to check 
on a sunday morning first thing) there will be new problems coming up. Like 
frozen messages living in my queue and mess up my monitoring like the amount of 
mails in the queue.

Iirc exim introduced multiple queues a while ago, do I remember correctly? 
Could I move those mails from such a user to a new queue, so that for example 
exim -bpc won’t count them? Or is there a better way than my idea above?

Best,

Niels
