I am watching my email gateway blackhole spam messages using spamassassin - anything over a specific score.
Right now, it is dropping around 3 per second. This is great, but I would prefer the spam wasn't using up so much of the incoming capacity.
I am wondering if I can create a dynamic rule that will track the amount of blackholed emails coming from a specific IP address and throttle them if it exceeds a value, for a period of time.
I could do this with iptables, but would prefer to issue an SMTP 4xx code so they retry later - this is because gmail.com seems to be the source of some of this spam, and I want to accept email from gmail in general.
So before I go scripting something to do all this for me, is there a straightforward way?
Exim ACLs have a ratelimit condition. See http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html#SECTratelimiting for more details.

For Gmail in particular, score the IPs individually, much like you would for any sender, instead of trying to lump the reputation of all of the IPs together. Large mail providers classify their outbound mail by their confidence score in how hammy or spammy it is; because they have no inbox feedback loop and no "spam folder" for outbound mail, their options are to block the mail outright, or classify it. Then they'll have a set of IPs handling "regular mail which looks legit", then other IPs for mails which are "this might be spam, but we're not sure". So as long as you filter by IP instead of by netblock, you should be okay delaying mail from their maybe-spam-outbound IPs.