Re: 5xx during / after DATA [was Re: [Exim] bouncing viruses…

Author: Suresh Ramasubramanian
Date:  
To: Alexander Sabourenkov
CC: exim-users
Subject: Re: 5xx during / after DATA [was Re: [Exim] bouncing viruses]
At 03:17 PM 2/18/2003 +0300, Alexander Sabourenkov wrote:

>>Domains / IPs which are noted doing this escalate from our access.db /
>>rbldns to our firewall deny lists.
>
>Then I suppose you shouldn't have problems with dumb clients retrying after
>550 to end of data, as they'll eventually find themselves outright blocked,
>if I understood you.


It is the part before the "eventually" happens that is the problem.

Stupid mailservers (or spammer configured mailservers) can put a huge
strain on our mailservers before they get noticed, sometimes.

So, we look for spam strings (spamware signature) in the headers, 5xx the
mail and drop the connection.


>Wandering off into realms of fantasy, one could come up with a wicked
>method to fingerprint messages (or relay attempts) by, say, originating
>IP(s), HELO/EHLO parameters, sender and recipient, to use that for
>temporary blocks.


What we do instead is parse our logs for stuff like suspect HELO / EHLO
strings (like where someone sends us HELO our.domain.name, HELO
a.cname.on.our.domain.name, HELO one.of.our.ips, HELO TmpStr, etc), and
block IPs sending us this sort of stuff.

Most, if not all, of the cases so far are:

* Open proxies

* Hacked servers

* Trojan / virus infected servers hammering away at us trying to deliver
their payloads

Once in a while, it does turn out that what we block is a NAT gateway
behind which this issue originates ...

         srs
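The log-parsing approach described in the post, as an added example that is not the author's code: it scans Exim main-log lines for peers whose HELO/EHLO claims our own domain, a name under it, one of our IPs, or a known spamware string, and lists the source IPs as deny-list candidates. The sample log lines, the domain, the IPs and the junk-string set are all constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed local identity (placeholders, not from the post).
OUR_DOMAINS = {"our.domain.name"}
OUR_IPS = {ipaddress.ip_address("203.0.113.10")}
JUNK_HELOS = {"tmpstr"}  # fixed strings seen from spamware; extend from your own logs

# Exim main-log peer field: H=hostname (helo) [ip], or H=(helo) [ip] with no
# reverse DNS, or H=hostname [ip] when the HELO name matches the hostname.
PEER_RE = re.compile(
    r"H=(?:(?P<host>[^\s(\[]+)\s*)?(?:\((?P<helo>[^)]*)\)\s*)?\[(?P<ip>[^\]]+)\]")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2003-02-18 15:17:01 H=(our.domain.name) [198.51.100.7] F=<x@example.com> rejected RCPT <a@our.domain.name>
2003-02-18 15:17:05 H=(mail.cname.our.domain.name) [198.51.100.7] F=<y@example.com> rejected RCPT <b@our.domain.name>
2003-02-18 15:17:09 H=([203.0.113.10]) [198.51.100.9] F=<z@example.com> rejected RCPT <c@our.domain.name>
2003-02-18 15:17:12 H=(TmpStr) [198.51.100.9] F=<w@example.com> rejected RCPT <d@our.domain.name>
2003-02-18 15:17:20 H=mx.example.org [192.0.2.44] F=<ok@example.org> rejected RCPT <e@our.domain.name>
"""

def suspect_helo(helo):
    """Return why a HELO/EHLO string is suspect, or None if it looks ordinary."""
    h = helo.strip().strip("[]").lower()  # address literals arrive as [a.b.c.d]
    if h in JUNK_HELOS:
        return "known spamware HELO"
    try:
        if ipaddress.ip_address(h) in OUR_IPS:
            return "claims one of our IPs"
    except ValueError:
        pass  # not an IP address literal
    if any(h == d or h.endswith("." + d) for d in OUR_DOMAINS):
        return "claims our domain"
    return None

def scan_log(text):
    """Map each peer IP to the set of reasons its HELO strings were flagged."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue
        helo = m.group("helo") if m.group("helo") is not None else (m.group("host") or "")
        reason = suspect_helo(helo)
        if reason:
            hits[m.group("ip")].add(reason)
    return dict(hits)

def block_candidates(text):
    """Sorted IPs to review for the deny list; a hit may be a NAT gateway, as the post notes."""
    return sorted(scan_log(text))
```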