Re: [Exim] Dictionary Scans - HOWTO

Pàgina inicial
Delete this message
Reply to this message
Autor: Tony Earnshaw
Data:  
A: exim-users
Assumpte: Re: [Exim] Dictionary Scans - HOWTO
På on , 30/04/2003 klokka 12:20, skreiv ODHIAMBO G. Washington:

> After a few days leave, everything has evaporated, so I seriously need
> some help. I have looked at the archives examples and used the following
> acl to try and keep away dictionary scans but it doesn't seem to work:
>
> drop   message     =  *** Dict scan!. Too many bad recipients, $rcpt_fail_count out of $rcpt_count
>            condition   = ${if > {${eval:$rcpt_fail_count}}{2}{yes}{no}}
>            delay       = ${eval: ($rcpt_fail_count + 1) * 1}m
>            log_message = Dictionary attack


> I've placed this right after the callout acl.


This works for me with 4.14. It right at the top of acl_check_rcpt,
right after a dodgy helo/ehlo ACL and long before deny !verify
= sender or callout:

deny  message      = Max 2 failed recipients allowed
      condition    = ${if >{$rcpt_fail_count}{1} {1}}
      delay        = ${eval: ($rcpt_fail_count) * 30}s
      log_message  = $rcpt_fail_count failed recipient attempts


I agree with Giuliano, don't drop - they'll probably only begin again.
The idea is to suck blood indefinitely.

I've been trying to think myself into situations where a machine program
would legitimately start trying to send messages to more than two
fictive recipients in a single smtp connection (mailing lists, wrong
details filled into a form, mistakes by a sender etc.), but I haven't
been able to come up with a single one. Maybe somebody could show that
there could be a legitimate reason.

Best,

Tony

--
Tony Earnshaw

Do not come to visit me with both arms the same length.

e-post:        tonni@???
www:        http://www.billy.demon.nl


Tony Earnshaw