Any comments on the following?
Cambridge University has pretty good email security, but even so we have a couple of incidents each year when a security breach results in a flood of spam from our network. In order to protect against this in the future, we needed a system for throttling these floods before they cause damage, such as Cambridge being blacklisted by AOL.
I implemented a general-purpose rate-limiting facility for Exim 4.52. It is extremely flexible and allows you to specify almost any policy you want. It can measure the rate of messages, recipients, SMTP commands, or bytes of data from a particular sender; and senders can be identified by IP address, authenticated username, or almost anything else.
I deployed this facility on the central email systems in Cambridge. It ran in logging-only mode for several weeks while I tuned the policy to minimize the disruption to legitimate email. This exposed the slightly surprising extent of bulk email usage in the University, and a number of particularly problematic cases. An important task was to communicate the change in policy to less technical users.
I will describe Exim's ratelimit facility and report on our deployment experiences.
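To make the abstract concrete for readers who have not used the condition, here is what such a policy looks like as Exim ACL configuration. This is an added example written for this reply; it is not the Cambridge configuration and not text from the Exim manual. The ACL names, the limits, the period, and the choice of keys are assumptions chosen for illustration, and the `warn` stanza shows the logging-only mode the abstract describes. The form of the condition is `ratelimit = <max> / <period> / <options> / <key>`; check the option names against the reference manual for the Exim version you run, since some ratelimit options were added in releases after 4.52.

```exim
# Constructed example: not from the original post, not Cambridge's config,
# not taken from Exim's documentation.  Assumes these two ACLs are wired
# in from the main section as shown.
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

begin acl

acl_check_rcpt:
  # Logging-only stage: measure recipients per hour per client IP and
  # record what the policy would have blocked, without rejecting anything.
  # 'strict' keeps updating the measured rate even once the client is
  # over the limit, so the log shows how far over it actually went.
  warn
    ratelimit   = 100 / 1h / per_rcpt / strict / $sender_host_address
    log_message = RATELIMIT host $sender_host_address at $sender_rate \
                  recipients/$sender_rate_period (limit $sender_rate_limit)

  # Authenticated submission is keyed on the username rather than the IP,
  # so one compromised account behind a shared NAT is throttled without
  # affecting its neighbours.  'leaky' stops the recorded rate growing
  # while the client is over the limit, so a client that stops sending
  # recovers after roughly one period rather than being locked out longer.
  deny
    authenticated = *
    ratelimit     = 50 / 1h / per_rcpt / leaky / $authenticated_id
    message       = Too many recipients from $authenticated_id: \
                    $sender_rate per $sender_rate_period \
                    (limit $sender_rate_limit)

  accept

acl_check_data:
  # Byte-rate limit for unauthenticated hosts: roughly 20 MB of message
  # data per hour per client IP.  per_byte is measured at DATA time, so
  # it belongs here rather than in the RCPT ACL.  A temporary rejection
  # lets a legitimate but busy host retry later instead of losing mail.
  defer
    !authenticated = *
    ratelimit      = 20000000 / 1h / per_byte / strict / $sender_host_address
    message        = Data rate for $sender_host_address exceeds \
                     $sender_rate_limit bytes per $sender_rate_period; \
                     try again later

  accept
```

The usual rollout matches the abstract: run only the `warn` stanzas first, grep the main log for the `RATELIMIT` tag to find the bulk senders and the legitimate list hosts that need whitelisting, and only then switch the corresponding stanzas to `deny` or `defer`.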