If that is really what you want to block, that is a dictionary attack
on a single connection, you could use a very simple rule in your rcpt
acl, that is disconnect at the RCPT TO after the second failed local
user.
    drop  message   = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
          condition = ${if = {${eval:$rcpt_fail_count}}{1}{yes}{no}}
This will save you from the burden of the repeated local user checking.
Since most servers will insist after a drop, you could instead insert a
delay (and a deny) after two bad recipients.
    deny  message   = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
          condition = ${if = {${eval:$rcpt_fail_count}}{1}{yes}{no}}
          delay     = 3m
Of course this will still deliver the email to local users that were
accepted before the deny entered into effect, but you can still grab
those emails at the data acl.
Giuliano
At 9:27 +0000 2003/02/05, Douglas Gray Stephens wrote:
>Hi,
>
>Recently I had a problem with an individual using a brute force attack
>trying to send a variant of a well known extortion message to hundreds
>of thousands of recipients, e.g. in one connection
> amvv@[my-domain]
[...]
> amwr@[my-domain]
>
>A short term fix was to block messages with the specified subject from
>that particular domain.
>
>I am looking at something that stops what could be considered denial
>of service attacks (for the implementation in question, each recipient
>address filtered through to 8 LDAP lookups on an already heavily
>loaded multi-purpose server).
>
>I would like to implement a filter that counts connections (or
>delivery addresses) from each user (or maybe domain), and if there
>were too many messages from a user within a given period, then the
>mail would be rejected.
>
>I realise that some spam filters do operate such algorithms, and so
>can quarantine this type of message, but is it possible to do this
>within exim? (There was a short thread on this topic in 2001:
> http://www.exim.org/mailman/htdig/exim-users/Week-of-Mon-20010319/025140.html
>)
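
An added example, not part of either message in this thread: the deny-and-delay rule placed in a complete RCPT ACL, plus the DATA-time check mentioned in the reply. It compares with >= so the rule keeps matching on every RCPT once the threshold is reached. The ACL names, the local_domains list, the "Unknown user" text and the threshold of 2 are assumptions for illustration.

```exim
# Added illustration for Exim 4; not configuration from the thread.
# Assumes the main section contains:
#   domainlist local_domains = <your domains>
#   acl_smtp_rcpt = acl_check_rcpt
#   acl_smtp_data = acl_check_data

begin acl

acl_check_rcpt:

  # $rcpt_fail_count holds the RCPT commands already rejected with a 5xx
  # in this message. Once two have failed, stall the client and refuse
  # every further RCPT before the costly recipient lookups below run.
  deny    message   = Too many bad recipients: $rcpt_fail_count out of $rcpt_count
          condition = ${if >={$rcpt_fail_count}{2}{yes}{no}}
          delay     = 3m

  # Normal recipient check. Each rejection here increments
  # $rcpt_fail_count, which feeds the rule above.
  deny    message   = Unknown user
          domains   = +local_domains
          !verify   = recipient

  accept  domains   = +local_domains

  deny    message   = Relay not permitted

acl_check_data:

  # Recipients accepted before the threshold was reached are still on
  # the envelope; refuse the whole message if the limit was hit.
  deny    message   = Too many bad recipients
          condition = ${if >={$rcpt_fail_count}{2}{yes}{no}}

  accept
```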