Re: [Exim] Interesting "attack" on my exim server...

Pàgina inicial
Delete this message
Reply to this message
Autor: Nico Erfurth
Data:  
A: michael, Nico Erfurth
Assumpte: Re: [Exim] Interesting "attack" on my exim server...
michael@??? wrote:
>>After getting a few megabytes of "verify failed" messages in my exim3 logs, I
>>set host_reject for the addresses.
>>
>>The attacks are coming from 200.231.206.0/24 (several dozen hosts)
>
>
> I've seen dictionary spam attacks and faked "opt-in" mailing lists,
> that were all but opt-in, in the past as well.
>
> A particular dumb pattern that easily catches your eye is quite common
> among those spammers and blocking them often helps for up to a few
> months, until they change IP networks. Most the time they stay at the
> same provider and just get a new /24.
>
> I allow SMTP connects and use the Exim4 ACL for RCPT to prevent such
> attacks being successful:
>
>   deny    hosts = /var/exim/etc/reject-smtp


how about something like that

---------------------------------------

acl-part (must be AFTER the recipient verification)
deny condition = ${if and {\
   {!eq {} {${lookup {$sender_host_address} dbm {reject.dbm}{$value}}}} \
   {> {extract {1}{:}{$value}}{5}} \
  } \
}
      message = Blocked because of too many tries to send to a non
existing address


---------------------------------------

last router-entry

catch_spammer:
driver = redirect
data = ${run {/etc/exim/add_spammer.pl \
$sender_host_address}{:fail:}{:fail:}}
allow_fail
verify_only
verify_recipient

---------------------------------------

add_spammer.pl
#!/usr/bin/perl -w

use DB_File;

my $ip = $ARGV[0];
my $leasetime = 60*60*24;

# Add some exim-like locking here

tie my %spammers, '/etc/exim/reject.dbm' || die 'UhhUhh';

if (exists $spammers{$ip}) {
   my ($count,$time) = split(':',$spammers);
   if ($time+$leasetime <= time()) {
     $spammers{$ip} = '1:'.time();
   } else {
     $spammers{$ip} = ++$count . ':' . time();
   };
} else {
   $spammers{$ip} = '1:'.time();
};


untie %spammers;

----------------------------------------

Proof-Of-Concept, like everytime, totaly untested, and just written down.

ciao