Jeremy Harris wrote:
> On 2011-09-26 21:00, Caines, Max wrote:
> > Hi
> > We're running rate-limiting based on sender address, which has been
> > very effective in reducing the consequences of compromised accounts.
> > Until now, I've been relying on some code on a server that's archiving
> > Exim logs to recognise the blocking message, and email us once per
> > sender, but it's not very reliable. Really I'd like to get Exim to
> > send a notification when someone crosses the threshold for the first
> > time in, say, a 24-hour period, but I can't see a way to do it. The
> > rate-limiting's via an ACL, and I don't have Perl embedded, and don't
> > really have the memory to do so. Anyone got any ideas?
>
> In the over-limit situation, using a second ratelimit to avoid doing it
> too often, use ${run ....} to send your warning mail.

IF you set a flag in an acl_m variable at the point of detection...
(optionally a 'count' or 'time since' value, not just binary..)
AND add an 'unseen' router chained to whatever else is already being
done (temp reject?) that tests said acl_m variable..
THEN that router can perform whatever notification or file-writes it is
told to do.
ELSE not progressing as far as the router, while within the acl, do a
log_message to the panic log instead of main or reject. Ordinarily the
paniclog will be MUCH less verbose - empty, even - hence faster and
easier to parse with your externals, AND more forgiving of being
periodically wiped and started fresh.
ELSEIF using SQL, just INSERT a record to a DB..
We've had 'all of the above' in stable production use for years - just
never with ratelimiting.
HTH,
Bill
--
韓家標
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
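
The "parse with your externals" route mentioned above, as an added example that is not code from this thread or from Exim: a small external parser that reports each sender's first over-limit line per 24-hour window. The `RATELIMIT_EXCEEDED sender=<...>` marker text, the sample lines and the function name are assumptions; the ACL would have to be configured to write such a line.

```python
import re
from datetime import datetime, timedelta

# Exim log lines start with "YYYY-MM-DD HH:MM:SS". The marker after it is a
# constructed format (assumption), not something Exim writes by default.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*\bRATELIMIT_EXCEEDED sender=<([^<>\s]+)>"
)
WINDOW = timedelta(hours=24)


def first_crossings(lines, window=WINDOW, last_notified=None):
    """Return (timestamp, sender) for each sender's first over-limit line per window.

    last_notified maps sender -> time of the last notification. Pass the same
    dict on every run (persisted by the caller) so a re-read of the log or a
    restart does not notify again.
    """
    last_notified = {} if last_notified is None else last_notified
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, or marker missing/malformed
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # timestamp has the right shape but is not a real date
        sender = m.group(2).lower()  # treat case variants as one account
        prev = last_notified.get(sender)
        # The window is anchored at the last notification, not the last event,
        # so a sender who stays over the limit is reported once per window.
        if prev is None or ts - prev >= window:
            last_notified[sender] = ts
            alerts.append((ts, sender))
    return alerts


# Constructed sample input.
SAMPLE_LOG = [
    "2011-09-26 21:00:01 RATELIMIT_EXCEEDED sender=<alice@example.org> rate=120.0",
    "2011-09-26 21:00:05 RATELIMIT_EXCEEDED sender=<Alice@Example.org> rate=121.0",
    "2011-09-26 21:10:00 RATELIMIT_EXCEEDED sender=<bob@example.org> rate=300.5",
    "2011-09-26 22:00:00 some unrelated line",
    "2011-13-45 22:00:00 RATELIMIT_EXCEEDED sender=<carol@example.org> rate=1.0",
    "2011-09-27 20:59:59 RATELIMIT_EXCEEDED sender=<alice@example.org> rate=110.0",
    "2011-09-27 21:00:01 RATELIMIT_EXCEEDED sender=<alice@example.org> rate=110.0",
]

if __name__ == "__main__":
    for ts, sender in first_crossings(SAMPLE_LOG):
        print(f"{ts} first over-limit in window: {sender}")
```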