Hi Niels,

Niels Kobschätzki via Exim-users <[email protected]> (Mo 05 Jul 2021 05:40:04 CEST):
> I have again and again problems with phished users. I want to try a new way
> to deal with them but I worry that I mess up parts of our monitoring.
If you want to try a *new* way, what's the *old* approach?
> One sign of a phished user (if they do not try to log in from lots of
> different countries) is that they amass in a short time quite some time in my
> mail queue. Thus my idea is to check if there is such a user via my
> monitoring system and when one is detected, there is a handler that will
> freeze that user and all their current mail in the queue. The part of
> detecting the spam-user via their count of mails in the queue is tested and
> already gave us far better reaction times, the hit ratio is like 90% of the
> time it is a spammer, the other times it is a legitimate user with some other
> problem (and mails from users who regularly generate messages like spammers
> by newsletters and such are already automatically moved to another
> mail-server)
One way to detect phished accounts is by ratelimiting the count of unique
addresses the user sends mails to in a given time frame.
ratelimit = … / per_addr
> Iirc exim introduced multiple queues a while ago, do I remember correctly?
> Could I move those mails from such a user to a new queue, so that for example
> exim -bpc won’t count them? Or is there a better way than my idea above?
So somewhere in the RCPT acl
ratelimit = … / per_addr
queue = …
could do the trick.
Best regards from Dresden/Germany
Greetings from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
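The RCPT ACL approach suggested in the reply above, written out as an added example that is not part of the original message. The threshold (100 distinct recipients per hour), the queue name `suspect`, the ACL name `acl_check_rcpt`, the log text and keying the rate on `$authenticated_id` are all assumptions for a submission server where senders authenticate.

```exim
# Added example, not from the original thread.
# Constructed values: limit 100 / 1h, queue name "suspect", log text.
acl_check_rcpt:

  # Count the distinct recipient addresses each authenticated sender
  # has mailed within the period. With per_addr, repeated mail to the
  # same recipient does not raise the measured rate, so a user writing
  # often to a few contacts stays low while a spam run to many
  # different addresses climbs quickly.
  #
  # "warn" never rejects. The modifiers below only take effect once
  # the ratelimit condition is true, i.e. the sender is over the limit.
  warn  authenticated = *
        ratelimit     = 100 / 1h / per_addr / $authenticated_id
        queue         = suspect
        log_message   = distinct-rcpt rate $sender_rate / $sender_rate_period \
                        for $authenticated_id over limit $sender_rate_limit, \
                        message placed in queue "suspect"

  # ... the existing RCPT checks (relay control, recipient
  #     verification, and so on) continue unchanged below ...
```

Messages placed in a named queue are not delivered by ordinary queue runs; a queue runner started with `-qGsuspect` processes them once the account has been checked.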
