michael@??? wrote:
>>After getting a few megabytes of "verify failed" messages in my exim3 logs, I
>>set host_reject for the addresses.
>>
>>The attacks are coming from 200.231.206.0/24 (several dozen hosts)
>
>
> I've seen dictionary spam attacks and faked "opt-in" mailing lists,
> that were all but opt-in, in the past as well.
>
> A particular dumb pattern that easily catches your eye is quite common
> among those spammers and blocking them often helps for up to a few
> months, until they change IP networks. Most of the time they stay at the
> same provider and just get a new /24.
>
> I allow SMTP connects and use the Exim4 ACL for RCPT to prevent such
> attacks being successful:
>
> deny hosts = /var/exim/etc/reject-smtp
How about something like that:
---------------------------------------
acl-part (must be AFTER the recipient verification)
# Look up the connecting host in the DB written by add_spammer.pl and deny
# once the first field (the counter) is above 5. dbmnz is used because the
# Perl DB_File module stores keys without the trailing NUL that a plain dbm
# lookup would add; an unknown host expands to "0:0".
deny condition = ${if >{${extract{1}{:}{${lookup{$sender_host_address} \
                        dbmnz{/etc/exim/reject.dbm}{$value}{0:0}}}}}{5}}
     message = Blocked because of too many tries to send to a \
               non-existing address
---------------------------------------
last router-entry
# Reached only when no earlier router accepted the address, and only while
# verifying a recipient (verify_only + verify_recipient): the script counts
# the hit for the sending host and the :fail: makes the verification fail.
catch_spammer:
  driver = redirect
  data = ${run {/etc/exim/add_spammer.pl \
                $sender_host_address}{:fail:}{:fail:}}
  allow_fail
  verify_only
  verify_recipient
---------------------------------------
add_spammer.pl
#!/usr/bin/perl -w
use strict;
use DB_File;
use Fcntl qw(O_RDWR O_CREAT);

my $ip = $ARGV[0] or die "usage: $0 <sender-host-address>\n";
my $leasetime = 60*60*24;   # counter restarts after a day without a hit
# Add some exim-like locking here
my %spammers;
tie %spammers, 'DB_File', '/etc/exim/reject.dbm', O_RDWR|O_CREAT, 0644, $DB_HASH
    or die "cannot open /etc/exim/reject.dbm: $!";
# value per host: "<count>:<time of last hit>"
if (exists $spammers{$ip}) {
    my ($count, $time) = split(':', $spammers{$ip});
    if ($time + $leasetime <= time()) {
        $spammers{$ip} = '1:' . time();
    } else {
        $spammers{$ip} = ++$count . ':' . time();
    }
} else {
    $spammers{$ip} = '1:' . time();
}
untie %spammers;
----------------------------------------
Proof of concept, like every time, totally untested, and just written down.
ciao
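As an added example, not part of the post above: a Python replay of the same counting scheme (count:last-seen per host, 24-hour lease, deny when the count is above 5) over constructed Exim reject-log lines, so the threshold and the lease reset can be checked offline before the router and ACL go live. The log line format is assumed from Exim's reject log; the sample lines and hosts are constructed.

```python
import re
from datetime import datetime, timezone

LEASE = 24 * 60 * 60   # seconds, same as $leasetime in add_spammer.pl
THRESHOLD = 5          # the ACL denies once the stored count is > 5

def record_failure(store, ip, now, lease=LEASE):
    """Update store (a dict standing in for reject.dbm) the way add_spammer.pl does."""
    if ip in store:
        count, last = store[ip].split(':')       # value is 'count:last_seen'
        if int(last) + lease <= now:             # lease expired: start over at 1
            store[ip] = f'1:{now}'
        else:
            store[ip] = f'{int(count) + 1}:{now}'
    else:
        store[ip] = f'1:{now}'
    return store[ip]

def acl_would_deny(store, ip, threshold=THRESHOLD):
    """The ACL condition: field 1 of the lookup value, tested with > threshold."""
    return ip in store and int(store[ip].split(':')[0]) > threshold

# Only unrouteable-recipient rejections reach the verify-only router, so only
# those lines are counted; sender-verify failures and other rejects are skipped.
LINE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\[([\d.]+)\] '
                     r'.*rejected RCPT <[^>]*>: Unrouteable address$')

def replay_rejectlog(lines, lease=LEASE, threshold=THRESHOLD):
    """Replay log lines into a fresh store; return it plus the hosts the ACL would deny."""
    store = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S')
        record_failure(store, m.group(2), int(when.replace(tzinfo=timezone.utc).timestamp()), lease)
    return store, sorted(ip for ip in store if acl_would_deny(store, ip, threshold))

def _rcpt_line(ts, ip, rcpt):
    return f'{ts} H=(mx) [{ip}] F=<a@example.net> rejected RCPT <{rcpt}@example.org>: Unrouteable address'

# Constructed sample (not from the thread): one host probing six unknown recipients,
# one host with a single typo plus a sender-verify failure, and one host whose
# second failure comes two days later, after the lease has expired.
SAMPLE_LOG = [_rcpt_line(f'2004-03-01 10:00:0{i}', '192.0.2.10', f'u{i}') for i in range(1, 7)] + [
    _rcpt_line('2004-03-01 11:00:00', '192.0.2.20', 'old'),
    '2004-03-01 11:00:01 H=(mx) [192.0.2.20] F=<b@example.net> rejected RCPT <c@example.org>: Sender verify failed',
    _rcpt_line('2004-03-01 12:00:00', '198.51.100.7', 'x1'),
    _rcpt_line('2004-03-03 12:00:00', '198.51.100.7', 'x2'),
]
```

`replay_rejectlog(SAMPLE_LOG)` reports only 192.0.2.10 as denied; the host with the two-days-apart failures is back at a count of 1 because the lease reset it.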