Mailing List Archive: exim: users

Notification of ratelimits being exceeded?

Index | Next | Previous | View Threaded

Max.Caines at wlv

Sep 26, 2011, 1:00 PM

Post #1 of 5 (416 views)
Permalink

Notification of ratelimits being exceeded?

Hi

We're running rate-limiting based on sender address, which has been very effective in reducing the consequences of compromised accounts. Until now, I've been relying on some code on a server that's archiving Exim logs to recognise the blocking message, and email us once per sender, but it's not very reliable. Really I'd like to get Exim to send a notification when someone crosses the threshold for the first time in, say, a 24-hour period, but I can't see a way to do it. The rate-limiting's via an ACL, and I don't have Perl embedded, and don't really have the memory to do so. Anyone got any ideas?

Thanks

Max Caines
University of Wolverhampton

--
Scanned by iCritical.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

jgh at wizmail

Sep 26, 2011, 1:15 PM

Post #2 of 5 (410 views)
Permalink

Re: Notification of ratelimits being exceeded? [In reply to]

On 2011-09-26 21:00, Caines, Max wrote:
> Hi
>
> We're running rate-limiting based on sender address, which has been very effective in reducing the consequences of compromised accounts. Until now, I've been relying on some code on a server that's archiving Exim logs to recognise the blocking message, and email us once per sender, but it's not very reliable. Really I'd like to get Exim to send a notification when someone crosses the threshold for the first time in, say, a 24-hour period, but I can't see a way to do it. The rate-limiting's via an ACL, and I don't have Perl embedded, and don't really have the memory to do so. Anyone got any ideas?

In the over-limit situation, using a second ratelimit to avoid doing it too often, use ${run ....}
to send your warning mail.
--
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

wbh at conducive

Sep 26, 2011, 2:14 PM

Post #3 of 5 (411 views)
Permalink

Re: Notification of ratelimits being exceeded? [In reply to]

Jeremy Harris wrote:
> On 2011-09-26 21:00, Caines, Max wrote:
>> Hi
>>
>> We're running rate-limiting based on sender address, which has been
>> very effective in reducing the consequences of compromised accounts.
>> Until now, I've been relying on some code on a server that's archiving
>> Exim logs to recognise the blocking message, and email us once per
>> sender, but it's not very reliable. Really I'd like to get Exim to
>> send a notification when someone crosses the threshold for the first
>> time in, say, a 24-hour period, but I can't see a way to do it. The
>> rate-limiting's via an ACL, and I don't have Perl embedded, and don't
>> really have the memory to do so. Anyone got any ideas?
>
> In the over-limit situation, using a second ratelimit to avoid doing it
> too often, use ${run ....}
> to send your warning mail.

IF you set a flag in an acl_m variable at the point of detection...

(optionally a 'count' or 'time since' value, not just binary..)

AND add an 'unseen' router chained to whatever else is already being
done (temp reject?) that tests said acl_m variable..

THEN that router can perform whatever notification or file-writes it is
told to do.

ELSE not progressing as far as the router, while within the acl, do a
log_message to the panic log instead of main or reject. Ordinarily the
paniclog will be MUCH less verbose - empty, even - hence faster and
easier to parse with your externals, AND more forgiving of being
perodically wiped and started fresh.

ELSEIF using SQL, just INSERT a record to a DB..

We've had 'all of the above' in stable production use for years - just
never with ratelimiting.

HTH,

Bill
--
韓家標

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

eximX0902w at linuxwan

Sep 26, 2011, 3:06 PM

Post #4 of 5 (414 views)
Permalink

Re: Notification of ratelimits being exceeded? [In reply to]

On 27/09/11 06:00, Caines, Max wrote:
> We're running rate-limiting based on sender address, which has been
> very effective in reducing the consequences of compromised accounts.
> Until now, I've been relying on some code on a server that's
> archiving Exim logs to recognise the blocking message, and email us
> once per sender, but it's not very reliable. Really I'd like to get
> Exim to send a notification when someone crosses the threshold for
> the first time in, say, a 24-hour period, but I can't see a way to do
> it. The rate-limiting's via an ACL, and I don't have Perl embedded,
> and don't really have the memory to do so. Anyone got any ideas?

Use a "continue" verb? (action? wtb term to use here) on your existing
ACL block to both check for the existence of a flag file on the system
specific to that user, and if it's not present, ${run} something that
creates the file and sends an email. (pid & file lock on the program
that runs to prevent it running more than once)

Use a cron script to check the state directory every N and expire any
files that are more then N hours/minutes/seconds old. Basically, however
long you want between being notified.

Use more than one ratelimit to have greater notification granularity.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Lena at lena

Sep 27, 2011, 4:55 AM

Post #5 of 5 (398 views)
Permalink

Re: Notification of ratelimits being exceeded? [In reply to]

> From: "Caines, Max"

> We're running rate-limiting based on sender address, which has been
> very effective in reducing the consequences of compromised accounts.
> Until now, I've been relying on some code on a server that's
> archiving Exim logs to recognise the blocking message, and email us
> once per sender, but it's not very reliable.

Below - automatic blocking of compromised accounts, with email notification.
Compromised accounts are used to send spam.
Lists of email addresses spammers send to
contain very many nonexistent email addresses.
The code below checks rate of sending to nonexistent recipients
and automatically blocks the account if rate exceeds limit.
Note that it's limit of nonexistent recipients, not total recipients.

LIM = 100
PERIOD = 1h
WARNTO = abuse [at] example
EXIMBINARY = /usr/local/sbin/exim -f root
SHELL = /bin/sh
local_from_check = false
...
acl_check_rcpt:
...
accept hosts = !@[] : +relay_from_hosts
set acl_m_user = $sender_host_address
# or an userid from RADIUS
condition = ${if exists{$spool_directory/blocked_relay_users}}
condition = ${lookup{$acl_m_user}lsearch\
{$spool_directory/blocked_relay_users}{1}{0}}
control = freeze/no_tell
add_header = X-Relayed-From: $acl_m_user

accept hosts = !@[] : +relay_from_hosts
!verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
continue = ${run{SHELL -c "echo $acl_m_user \
>>$spool_directory/blocked_relay_users; \
\N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
because has sent mail to LIM invalid recipients during PERIOD.; \
\N}\N | EXIMBINARY WARNTO"}}
control = freeze/no_tell
add_header = X-Relayed-From: $acl_m_user

accept hosts = +relay_from_hosts
control = submission/domain=

accept authenticated = *
set acl_m_user = $authenticated_id
# in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
condition = ${if exists{$spool_directory/blocked_authenticated_users}}
condition = ${lookup{$acl_m_user}lsearch\
{$spool_directory/blocked_authenticated_users}{1}{0}}
control = freeze/no_tell
add_header = X-Authenticated-As: $acl_m_user

accept authenticated = *
!verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
continue = ${run{SHELL -c "echo $acl_m_user \
>>$spool_directory/blocked_authenticated_users; \
\N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
has sent mail to LIM invalid recipients during PERIOD.; \
\N}\N | EXIMBINARY WARNTO"}}
control = freeze/no_tell
add_header = X-Authenticated-As: $acl_m_user

accept authenticated = *
control = submission/domain=

When you get a notification, examine content of frozen messages in the queue
using `exipick`. In unlikely case if it's not spam, delete the line
with the user ID from the $spool_directory/blocked_relay_users or
$spool_directory/blocked_authenticated_users file
(or you can delete the file if it contains only one line)
and unfreeze messages also using `exipick`.
If it's spam then change the user's password or otherwise block the user,
then fine the user according to contract and using frozen evidence.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads