Author: Alan J. Flavell Date: To: Exim users list Subject: [Exim] Drop SMTP from an ACL?
There are some forms of abuse which seem to be readily identifiable in
an ACL and which, if left unchecked, leave a long list of rejection
reports in the log as the abuser grinds their way down a list of SMTP
commands. Typically the perpetrator hides behind a frequently-changed
open proxy.
Some readers may recognise the particular abuse which prompted this
mail, but I'll try to keep the discussion sufficiently general...
(This is for exim4.)
I'm aware of two ways of avoiding or getting rid of such an SMTP call:
1. Don't allow it in the first place, via a host_reject_connection
However, this needs the host to have been blacklisted first.
2. use exim's smtp rate limiting in such a way that the delays go
above what the abuser is willing to wait for (seems to be 5 minutes or
so) and gives up.
However, this too needs to be set up from the start, so the host needs
to have been blacklisted first, for use in the smtp_ratelimit_hosts
definition.
There clearly is yet another mechanism in exim4 for dropping the call,
as witness e.g.
SMTP call from pc15.dhcp.adsl.tpnet.pl (hotmail.com) [217.98.10.15]
dropped: too many unrecognized commands
but this isn't something that can be provoked from an ACL either, is
it?
So: once exim has initially accepted the SMTP call, there doesn't seem
to be any subsequent action that one can take from an ACL, to provoke
a drop of the smtp call, either actively from our end, or passively by
delaying so long that the caller gives up. "deny" just sends 5xx
response for the present command, but the abuser comes straight back
with another, and since it's a valid command (albeit we reject it)
exim just sits tight waiting for the next. And the next.
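Both of the mechanisms the post describes (host_reject_connection and smtp_ratelimit_hosts) need the abusing host to be on a list before it connects. The following added example, which is not part of the original post or of Exim itself, shows one defender-side way to build that list: scan Exim main-log lines for repeated rejections and for the "dropped: too many unrecognized commands" event, count them per connecting IP, and render the result as an Exim colon-separated host list. The log lines below are constructed samples in Exim's main-log style (apart from the "dropped" line quoted from the post); the threshold of 5 and the 192.0.2.0/24 addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Exim main-log style (not a real log).
# 192.0.2.77 grinds through RCPT commands behind a bogus HELO; the
# "dropped: too many unrecognized commands" line is the one quoted in the
# post; 192.0.2.10 is a legitimate host that hit a single bad address.
SAMPLE_LOG = """\
2003-10-12 10:15:01 H=(hotmail.com) [192.0.2.77] F=<x@example.com> rejected RCPT <a@example.org>: relay not permitted
2003-10-12 10:15:02 H=(hotmail.com) [192.0.2.77] F=<x@example.com> rejected RCPT <b@example.org>: relay not permitted
2003-10-12 10:15:03 H=(hotmail.com) [192.0.2.77] F=<x@example.com> rejected RCPT <c@example.org>: relay not permitted
2003-10-12 10:15:04 H=(hotmail.com) [192.0.2.77] F=<x@example.com> rejected RCPT <d@example.org>: relay not permitted
2003-10-12 10:15:05 H=(hotmail.com) [192.0.2.77] F=<x@example.com> rejected RCPT <e@example.org>: relay not permitted
2003-10-12 10:15:06 H=(hotmail.com) [192.0.2.77] F=<x@example.com> rejected RCPT <f@example.org>: relay not permitted
2003-10-12 10:15:09 SMTP call from pc15.dhcp.adsl.tpnet.pl (hotmail.com) [217.98.10.15] dropped: too many unrecognized commands
2003-10-12 10:16:00 H=mail.example.net [192.0.2.10] F=<ok@example.net> rejected RCPT <nobody@example.org>: Unrouteable address
"""

# Exim writes the peer address in square brackets on every such line.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
REJECT_RE = re.compile(r"\brejected RCPT\b")
DROPPED_RE = re.compile(r"\bdropped: too many unrecognized commands\b")

# Assumed threshold: this many rejections from one host marks it as abusive.
THRESHOLD = 5


def score_hosts(log_text, threshold=THRESHOLD):
    """Return a Counter of abuse points per IP.

    A rejected RCPT scores 1; a call Exim itself dropped for too many
    unrecognized commands scores `threshold`, so it is listed at once.
    """
    scores = Counter()
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        if DROPPED_RE.search(line):
            scores[ip] += threshold
        elif REJECT_RE.search(line):
            scores[ip] += 1
    return scores


def abusive_hosts(log_text, threshold=THRESHOLD):
    """IPs whose score reached the threshold, sorted for stable output."""
    return sorted(ip for ip, n in score_hosts(log_text, threshold).items()
                  if n >= threshold)


def render_hostlist(ips):
    """Render IPs as an Exim host list (colon-separated, as in
    host_reject_connection or smtp_ratelimit_hosts)."""
    return " : ".join(ips)


def render_config(ips):
    """Render the two main-section options the post mentions, using the
    generated list. The rate-limit figures are assumptions for illustration."""
    hosts = render_hostlist(ips)
    return "\n".join([
        f"host_reject_connection = {hosts}",
        f"smtp_ratelimit_hosts = {hosts}",
        # threshold, base delay, factor, max delay (see Exim spec for meaning)
        "smtp_ratelimit_rcpt = 3, 30s, 2, 300s",
    ])


if __name__ == "__main__":
    bad = abusive_hosts(SAMPLE_LOG)
    print(render_config(bad))
```

In practice the generated list would be written to a file and referenced from the main configuration (for example `host_reject_connection = /etc/exim/badhosts`), so Exim picks up additions without an edit to the main config; the list must exist before the next connection from that host, which is exactly the limitation the post points out.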