Re: [Exim] Re: dictionary attacks

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Giuliano Gavazzi
Date:  
À: Kevin P. Fleming, Alan J. Flavell
CC: exim-users@exim.org
Sujet: Re: [Exim] Re: dictionary attacks
At 21:05 +0000 2002/12/18, Alan J. Flavell wrote:
[...]
>Already in 4.10 I see that we have $rcpt_count and $recipients_count
>available in ACLs, and I kind-of reasoned that if $rcpt_count had
>reached, say, 4, and no (or perhaps at most 1) valid recipient address
>had been achieved, then this was probably another dictionary scan
>episode. Seem reasonable?



Too reasonable. 1 out of 3 is already too little. More generally,
more than 1 wrong recipient is clearly spam or other sort of
unhealthy activity.


At 15:50 -0700 2002/12/18, Kevin P. Fleming wrote:
>Alan J. Flavell wrote:
>
>>wait, so that they drop the call. If there was an ACL command to exim
>>to tell it to unceremoniously drop the call, then I think that would
>>be just as effective (especially if taken in conjunction with a
>>blacklist that refuses further SMTP calls from that IP).
>
>4.12 also has a drop modifier, that causes the TCP connection to be dropped
>"unceremoniously" :-) So you can do this today, without tying up resources on
>your server with idle connections waiting for the caller to disconnect.
>



the drop command is present in 4.11 (if you don't want to upgrade):

142. Added extra features to ACLs: the "drop" and "defer" verbs, and the
      "delay" and "control" modifiers (the latter with "freeze" and
      "queue_only").


Giuliano
--
H U M P H
    || |||
  software


Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/