Re: [Exim] Throttling mail from users (stopping DoS attacks)

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Nico Erfurth
Datum:  
To: Douglas Gray Stephens
CC: exim-users
Betreff: Re: [Exim] Throttling mail from users (stopping DoS attacks)
Douglas Gray Stephens wrote:
> Hi,
>
> Recently I had a problem with an individual using a brute force attack
> trying to send a variant of a well known extortion message to hundreds
> of thousands of recipients, e.g. in one connection


....

> A short term fix was to block messages with the specified subject from
> that particular domain.
>
> I am looking at something that stops what could be considered denial
> of service attacks (for the implementation in question, each recipient
> address filtered through to 8 LDAP lookups on an already heavily
> loaded multi-purpose server).
>
> I would like to implement a filter that counts connections (or
> delivery addresses) from a each user (or may be domain), and if there
> were too many messages from a user within a given period, then the
> mail would be rejected.
>
> I realise that some spam filters do operate such algorithms, and so
> can quarantine this type of message, but is is possible to do this
> within exim? (There was a short thread on this topic in 2001:
> http://www.exim.org/mailman/htdig/exim-users/Week-of-Mon-20010319/025140.html
> )


As the message says, exim holds no statistics about how many messages
where send and when, and how and whatever, BUT you can implement this
yourself.

Because you didn't told us which version of exim you use, I will assume
exim 4.12.

An easy way to slow him down is something like this in your ACL

deny message = Stop spamming us
      condition = ${if > {$rcpt_fail_count}{0}{yes}{no}}
      delay = ${eval: $rcpt_fail_count * 30}s


This will delay him for $rcpt_fail_count * 30 seconds per failed RCPT
TO. You should add this acl entry before any extensive checks are done
(like receiver verify).

If you want to hold some info over multiple connections, you can use
${readsocket} and a small perl-server (Net::Server is your friend) to
generate some statistical data for one IP and use this to annoy the
spammer much more :)

Nico