Re: [Exim] Checking Unknown Local Parts & De-Routing

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [Exim] Checking Unknown Local Parts & De-Routing
On Wed, 19 Feb 2003, Scott Stavretis wrote:

> I want to do a simple thing to help stop against spam attackers that send
> e-mail to random generic names to mail servers, which cause both bandwidth
> load and server load as well as annoy many users that they successfully
> guess.


Search the mailing list archive for "dictionary scan" or "dictionary
attacks".

This thread for example
http://www.exim.org/mailman/htdig/exim-users/Week-of-Mon-20021216/047532.html

> Is anyone doing anything to check what unknown local part messages
> they receive (and how many)


Yup, if they're the kind that send multiple RCPT TO attempts within a
single SMTP session. After about 4 or 5 dud addresses and no more
than one good one, the ACL dumps the call[1].

> and then de-routeing or firewalling the senders IP addresses?


We tried doing pretty well that via host_reject_connection

Trouble with that is that, if you accidentally block a bona-fide site,
they then have no way to reach you to complain. It does cut a record
in the exim log, too (but one record rather than the typical
two-to-three-dozen when they're allowed to proceed unchecked).

What I'm currently doing is, if they're already listed for this kind
of abuse, they get one chance to present a valid RCPT TO (in case
they're trying to contact the postmaster) or else they get dumped as
above.

If they were to change their method of attack and only present one
RCPT per call, they'd never trigger the above mechanism, and we'd
be left relying on the open-proxy etc. blacklists to keep them at
arm's length.

good luck


[1] In 4.10 I achieved the call dumping by a half-dozen of these

       condition = ${run{/bin/sleep 59}{1}{0}}


by which time the caller gives up. You can't just run /bin/sleep for
6 minutes, because I found that exim times the run command out after a
minute.

In 4.12 the ACL can drop the call itself - see recent discussion here,
though, for comments on the benefit of also inserting some delay
before responding.
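The mechanism described above, written as a recipient ACL for a current Exim 4 rather than the sleep workaround, as an added example that is not Alan Flavell's configuration or anything from the Exim project: a host already on a local scanner list gets one chance to name a valid recipient, everyone else is dropped (after a delay) once several RCPTs have been refused and at most one accepted. The file /etc/exim/dictionary_scanners, the hostlist relay_from_hosts, the 4-failure threshold and the 30s delay are assumptions chosen for the illustration.

```exim
# Added example (not the poster's or the Exim project's configuration):
# recipient ACL that drops dictionary-scan sessions with "drop" + "delay".
# Assumptions: /etc/exim/dictionary_scanners is a hypothetical, locally
# maintained list of hosts already seen scanning; the thresholds and the
# delay are illustrative values.

acl_smtp_rcpt = acl_check_rcpt

hostlist relay_from_hosts = 127.0.0.1

begin acl

acl_check_rcpt:
  # Local (non-network) SMTP and our own relay clients are never throttled.
  accept  hosts = :
  accept  hosts = +relay_from_hosts

  # A caller already listed for scanning gets exactly one chance to present
  # a valid recipient (e.g. postmaster): the first unknown local part ends
  # the session, after a delay that costs the scanner time, not us.
  drop    hosts       = /etc/exim/dictionary_scanners
          !verify     = recipient
          delay       = 30s
          log_message = listed scanner: unknown recipient, call dropped
          message     = Too many unknown recipients

  # Everyone else: once more than 4 RCPTs have been refused with 5xx and at
  # most one has been accepted, treat the session as a scan and drop it.
  # $rcpt_count includes the current (still undecided) RCPT, so the number
  # accepted so far is $rcpt_count - $rcpt_fail_count - 1; "at most one
  # good one" is therefore $rcpt_count - $rcpt_fail_count < 3.
  drop    condition   = ${if >{$rcpt_fail_count}{4}}
          condition   = ${if <{${eval:$rcpt_count - $rcpt_fail_count}}{3}}
          delay       = 30s
          log_message = dictionary scan: $rcpt_fail_count unknown recipients
          message     = Too many unknown recipients

  # The ordinary check: an unknown local part is refused with 550, and that
  # refusal is what increments $rcpt_fail_count for the tests above.
  deny    message     = Unknown user
          !verify     = recipient

  accept
```

The two log_message lines answer the "how many" part of the question: each dropped session leaves one line in the main log tagged with the count of unknown recipients it tried, which is the record to grep for before deciding whether a host belongs in the scanner list. Keeping the drop inside the ACL rather than blocking at the firewall preserves the one-chance path to postmaster that the message above argues for.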