Re: [Exim] Re: dictionary attacks

Alan J. Flavell wrote:

> Already in 4.10 I see that we have $rcpt_count and $recipients_count
> available in ACLs, and I kind-of reasoned that if $rcpt_count had
> reached, say, 4, and no (or perhaps at most 1) valid recipient address
> had been achieved, then this was probably another dictionary scan
> episode. Seem reasonable?
>
> Of course at this point there's no use simply issuing a "deny",
> because the smtp call stays up and the caller simply continues with
> their merry scan. So instead I would run a sequence of /bin/sleep 59
> for long enough (six seems to be enough) for the caller to give up.
> Something like:

Check the archive threads from last week entitled "Basic Teergrubing...", where
we discussed (among other things) this very topic. With Exim 4.11 there is a
much simpler way to do this that doesn't require running external programs.