On Thu, Mar 09, 2023 at 04:47:32PM +0100, Olaf Hopp (SCC) via Exim-users wrote:
> Dear list,
> we want to ratelimit incoming mail bursts (e.g. due
> to phishing attacks).
> To get an idea of reasonable values I have
>
> warn
>   ratelimit = 100 / 60s / strict / $sender_address
>   log_message = RATELIMIT EXCEEDED for $sender_address $sender_rate messages / $sender_rate_period
>
> But when the mail has two or more recipients this is also just counted as one
> mail

Probably something like that would work:

defer
  condition = ${if !eq{$sender_address}{$acl_c_sender_seen}}
  ratelimit = 100 / 60s / strict / $sender_address
  log_message = RATELIMIT EXCEEDED for $sender_address ...

warn
  set acl_c_sender_seen = $sender_address

Not tested.
--
Eugene Berdnikov
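
Added example, not part of either poster's message: Exim's `ratelimit` condition has a `per_rcpt` option that counts accepted recipients instead of messages, which addresses the multi-recipient case raised in the question. The ACL name `acl_check_rcpt` is an assumption (it is the name used in the default configuration for `acl_smtp_rcpt`); the limit values and the key are the ones from the question.

```exim
# Added example, not from the thread.
# Assumes the main section contains: acl_smtp_rcpt = acl_check_rcpt

acl_check_rcpt:

  # Measure only (warn never rejects). With per_rcpt in the RCPT ACL the
  # rate is updated once for every RCPT command, so a single message with
  # 50 recipients adds 50 to this sender's rate instead of 1.
  # strict keeps updating the rate even while the sender is over the limit,
  # so the logged $sender_rate reflects the real burst size.
  warn
    ratelimit   = 100 / 60s / per_rcpt / strict / $sender_address
    log_message = RATELIMIT EXCEEDED for $sender_address: $sender_rate recipients / $sender_rate_period

  # ... remainder of the recipient ACL (relay checks, accept/deny) ...
```

Once the logged rates show what a normal sender looks like, the `warn` verb can be changed to `defer` or `deny` to enforce the limit.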