Re: [Exim] People thinking port 25 is a web server

Author: William Thompson
Date:  
To: Suresh Ramasubramanian
CC: exim-users
Subject: Re: [Exim] People thinking port 25 is a web server
> >Is there an easy way to immediately drop people from doing this:
> >2003-03-08 07:33:53 SMTP syntax error in "POST / HTTP/1.0"
> >H=[199.243.131.42]: unrecognized command
> >2003-03-08 07:33:53 SMTP syntax error in "Via: 1.0 TANGO"
> >H=[199.243.131.42]: unrecognized command
> >2003-03-08 07:33:53 SMTP syntax error in "Host: 216.98.66.34:25"
> >H=[199.243.131.42]: unrecognized command
>
> You are seeing spam from open proxies.


As I figured.

> Easier way to do it - reactive, shall we say - Find lines like this from
> your logs and -
>
> 1. Drop them into your local blocklist


I generally do.

> 2. Submit them to an open proxy blocklist like socks.relays.osirusoft.com
> etc.
>
> 3. Use one or more of these.


I thought personally it'd be an interesting idea to give them a 5xx code and
drop connection when they use POST. Save on log space and I could also have
a program to scan the logs for this and drop them into a blacklist. I've
seen 3.35's smtp code, doesn't look too difficult to add this capability.
I've not seen 4.x yet.

I've never seen this on my home system, but many times at work.
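
Added example, not part of the original message: a minimal Python version of the log-scanning program mentioned above, which collects hosts that sent an HTTP request line to the SMTP port. It assumes each Exim log entry sits on one line (the quoted excerpt above is wrapped by the mailer); the function names and the sample lines marked constructed are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Anchored at end of line: the address Exim records comes last, so text inside
# the quoted client line cannot stand in for it.
LOG_RE = re.compile(
    r'^\S+ \S+ SMTP syntax error in "(?P<cmd>.*)" '
    r'H=(?:\S+ )*\[(?P<ip>[^\]\s]+)\]: unrecognized command$'
)
# An HTTP request line arriving where an SMTP command was expected.
HTTP_RE = re.compile(r'^(?:GET|POST|HEAD|PUT|CONNECT|OPTIONS) \S+ HTTP/\d\.\d')

# First two entries are the ones quoted in the thread, rejoined onto one line
# each (assumption); the last two are constructed for this example.
SAMPLE_LOG = '''\
2003-03-08 07:33:53 SMTP syntax error in "POST / HTTP/1.0" H=[199.243.131.42]: unrecognized command
2003-03-08 07:33:53 SMTP syntax error in "Via: 1.0 TANGO" H=[199.243.131.42]: unrecognized command
2003-03-08 07:40:10 SMTP syntax error in "HELP ME" H=mail.example.org [192.0.2.10]: unrecognized command
2003-03-08 07:41:02 SMTP syntax error in "GET / HTTP/1.0" H=[192.0.2.99]: unrecognized command" H=[198.51.100.7]: unrecognized command
'''

def http_on_smtp_hosts(lines):
    """Count HTTP request lines per connecting address."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.rstrip("\r\n"))
        if not m or not HTTP_RE.match(m.group("cmd")):
            continue  # other syntax errors (typos, stray headers) are not counted
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # never pass an unparsable value on to a blocklist
        hits[str(ip)] += 1
    return hits

def blocklist(hits, threshold=1):
    """Addresses seen at least `threshold` times, in numeric order."""
    def order(ip):
        addr = ipaddress.ip_address(ip)
        return (addr.version, int(addr))
    return sorted((ip for ip, n in hits.items() if n >= threshold), key=order)

if __name__ == "__main__":
    for ip in blocklist(http_on_smtp_hosts(SAMPLE_LOG.splitlines())):
        print(ip)
```

The last sample line carries a second `H=[...]` inside the quoted client text; only the address at the end of the line is counted.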