Re: [Exim] unexpected disconnection

Author: Wakko Warner
Date:  
To: Alan J. Flavell
CC: Exim users list
Subject: Re: [Exim] unexpected disconnection
> > Personally, I check RBL on connect and drop them if they're RBLed.
>
> There are two problems I can see with that:
>
> 1. they (nor their users) cannot even address the postmaster to
> discuss the problem. It's not completely unknown for bona fide sites
> (or bona fide users of poorly-managed service providers) to land up in
> blacklists for some reason. In theory, your postmaster address should
> always be reachable. In practice, I'd suggest it ought indeed to be kept
> accessible except for the worst cases of proven abuse.


Agreed, IF I was an ISP which I'm not. This server only hosts for myself.
I also do this at work, but again, we're not an ISP. I'll get to this part
further down.

> 2. We know from experience that some proportion of abusers react to
> a connect-time drop as if it was a retryable error, so they just keep
> coming back and hassling with retries; some of them don't even
> back-off, so they'll keep trying every few minutes (sometimes every
> few seconds!) for days on end, if you try to get rid of them that way.


If this happens at home, they get banned at my firewall. At work, these are
generally overseas IPs which I add to a local blacklist. If you get
blacklisted at work, you're exempt from RBL checking, but you'll be refused
at RCPT time (unless you're in my permanent MAIL refusal. This list is
verified spammers or constant annoyances). There is also a list of
permanent IP refusals which happen before RBLs (and are not allowed to
connect). Again, if there's a constant annoyance (at work, the daily logs
go to 800-1000 lines so it would have to be very frequent), they get blocked
at the firewall level.

> Taking both those observations together, my inclination would be to
> prefer one or other of the following strategies, selected according to
> the nature of the abuse:
>
> a) go along with them until RCPT time and then, if they're not
> addressing the postmaster address, give them 5xx for being
> blacklisted. This is the surest way to get rid of them, _and_ it
> still lets bona fide victims get in touch with the postmaster.


I could, but this is not something I'd want to do at home. At work, they'll
be RBLed for a day then they get locally blacklisted and there's an
authentication address they can mail. No, it's not postmaster, I've
received enough spam to postmaster at work. The authentication address is
based upon their connecting IP and their email address to prevent someone
from harvesting that address. Before I did this, I did actually get spam to
my exempt address so some spammers do look at smtp errors.

> b) if the abuse is serious enough that you wanted to refuse any call
> from them, then consider blocking them in the firewall (ipchains,
> iptables, whatever you use). That way, the persistent retry-ers won't
> clutter up the exim log with junk entries. And if you want to waste
> their time, you can do that (i.e. by not acknowledging their TCP
> requests and leaving them to time-out) without tying up any instances
> of exim.


As stated above, I already do this.

> YMMV of course. These are just my thoughts.


Of course. At home, I really don't care if I'm fully RFC compliant. The
way I see it, the people that would normally email me can get in. Spammers,
well, what spammer is RFC compliant?

At work, the people who are sending email are just too damn stupid to know
about postmaster. I even *GIVE* them instructions and they can't read.
They almost always fax us if they're blocked.

FYI, at work, all email to postmaster is generated locally or incoming spam.
I've never received a legitimate email from outside the company to
postmaster.

I started looking at blackholes.us and took the txt db for korea and blocked
korea at work. Until I did that, I didn't realize how much spam came from
korea.

--
Lab tests show that use of micro$oft causes cancer in lab animals
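Strategy (a) from the quoted message, written out as an Exim ACL. This is an added illustration, not configuration from either poster; it assumes Exim 4 ACL syntax (the thread names no version), a `domainlist local_domains` defined in the main section, and `dnsbl.example.invalid` as a placeholder for whatever RBL is actually queried.

```exim
# Assumed: acl_smtp_rcpt = acl_check_rcpt is set in the main section.
# dnsbl.example.invalid is a placeholder, not a real blacklist zone.
acl_check_rcpt:

  # Never block the postmaster address, so a bona fide sender that has
  # landed in a blacklist can still reach someone who can sort it out.
  accept  local_parts = postmaster
          domains     = +local_domains

  # Only now consult the blacklist. A 5xx at RCPT is a permanent error,
  # so callers stop retrying instead of hammering the server for days
  # the way some do after a connect-time drop.
  deny    dnslists    = dnsbl.example.invalid
          message     = $sender_host_address is listed at $dnslist_domain: $dnslist_text

  # Local recipients are otherwise accepted; anything else is not relayed.
  accept  domains     = +local_domains
  deny    message     = relay not permitted
```

Hosts that keep retrying regardless are better handled by a firewall rule, as the quoted strategy (b) suggests, so they never reach Exim or its log.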