Re: [Exim] blocking spam in ACL

Author: Alan J. Flavell
Date:  
To: Jim Pazarena
CC: Exim users list
Subject: Re: [Exim] blocking spam in ACL
On Tue, 11 Mar 2003, Jim Pazarena wrote:

> I constantly see harvesting attempts with the following two log entries:
>     H=(mail.nowhere.com)  F=<joe@???>

>
> Would the appropriate RBL entry look like:
>
> deny senders = joe@???


If they're the kind of harvesters we've seen here, that's rather
pointless, since no matter what kind of 5xx you sent them, they're
just going to carry on trying.

So the only benefit might be that you don't hand them an address-
verification utility. I don't actually know whether spammers pay any
attention to the 5xx answers that they get, but telling them their
call is blocked is surely less informative (which is good) than
telling them that the email address they presented does not exist
(which might theoretically be helpful to them and therefore bad).

Either way it's going to cut an entry in the log.

Anyway, it's operationally not usually a good idea to stick exact
email addresses into the configure file, because changes in the
configure file call for a server restart. Better, at the least, to
point to a 'plain file' and put the address(es) in there, then there's
no need to restart exim when a new address has to be added, as it
inevitably will IME.

Getting back to the specific point: if your harvester is trying
multiple rcpt-to in the same smtp call, then the only productive
recourse is to drop the call at the point where you (or rather, your
ACL) decides that it's a dictionary attack; if they're only trying one
per call, then there isn't much you can do beyond denying the smtp
connection in the first place (but understand that this carries risks
of blocking bona fide senders, who then have no obvious way to contact
the postmaster!). (Been there, done that, and the victim was one of
our funding agencies, wibble)

h.t.h
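As an added illustration of the points made in the reply above (this is not code from the post or from the Exim project), the Exim 4 ACL fragment below keeps the blocked sender and host lists in plain files rather than in the configure file, drops the call once several recipients have been rejected in one session, and uses a connect-time deny for the one-recipient-per-call case. The file paths, the threshold of 5, the postmaster URL, and the `local_domains` domain list from the default configure are all assumptions.

```exim
# Main section: name the ACLs used at connection time and at RCPT time.
acl_smtp_connect = acl_check_connect
acl_smtp_rcpt    = acl_check_rcpt

begin acl

acl_check_connect:
  # A harvester that tries only one RCPT TO per call can only be stopped
  # by refusing the connection. Blocked hosts live in a plain file (one
  # host or network per line); an Exim list item beginning with "/" is
  # read as a file of list items, so editing the file needs no restart.
  # Because a wrongly listed sender cannot mail postmaster, the message
  # points to an out-of-band contact (assumed URL).
  deny    message = Connection refused; see http://www.example.com/postmaster
          hosts   = /etc/exim/blocked_hosts

  accept

acl_check_rcpt:
  # Known harvester sender addresses, one per line, in a plain file.
  # The 5xx text says only that the call is blocked, not whether the
  # recipient exists.
  deny    message = Connection blocked
          senders = /etc/exim/blocked_senders

  # Dictionary attack in a single SMTP call: $rcpt_fail_count is the
  # number of RCPT commands already rejected in this session. Once it
  # passes the (assumed) threshold, drop the connection instead of
  # continuing to act as an address-verification service.
  drop    message   = Too many rejected recipients
          condition = ${if >{$rcpt_fail_count}{5}{yes}{no}}

  # Ordinary local delivery. This is the check whose 5xx reveals whether
  # an address exists, so it comes after the two checks above.
  accept  domains = +local_domains
          endpass
          message = unknown user
          verify  = recipient

  deny    message = relay not permitted
```

The `deny` entries answer the current command with a 5xx and keep the session open, so they still cut a log line per attempt; only `drop` closes the connection, which is why it is used for the multi-recipient case and not for the first rejected address.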