On Mon, 2 Jun 2003, Patrick Starrenburg wrote:
> > Nothing remotely clever, in other words ;-)
>
> Can we plead dumbness and ask for your example :-)
Well, if you insist...
The RCPT ACL stanza to invoke the script is
  deny hosts     = +rbl_hosts
       hosts     = ! /etc/exim/antijohn
       message   = *** Dictionary scan! $rcpt_count, $recipients_count
       condition = ${if ={$rcpt_count}{5}{1}{0}}
       condition = ${if <{$recipients_count}{2}{1}{0}}
       condition = ${run{/etc/exim/antijohn.pl $sender_host_address}{1}{0}}
       delay     = 6m
We chose a count of 5, rather than some lower value, after a rather
embarrassing incident where one of our research funding bodies used a
service provider to mail to an old mailing list, and consequently got
the service provider blacklisted with us. Oops.
The delay is chosen to be long enough that the sender will themselves
drop the call. As I said before, for some of them that seems to be
sufficient, and they don't try that particular request again (though
they may come back with a different scan and/or via a different open
proxy); but others will just keep retrying the same list of bogus
addresses over and over, so they then get caught by this stanza:
  deny message = Your mail host has automatically blacklisted itself here\n\
                 for previous activity which the mailer rated as abuse.\n\
                 SORRYTEXT
       hosts   = /etc/exim/antijohn
       delay   = 150s
SORRYTEXT is a macro containing generic advice about contacting the
postmaster in case of difficulty. It gets appended to many of our
"deny" messages. After going through a phase of trying to be rude to
spammers, I realised that spammers probably aren't going to read these
responses anyway, so I switched to wording the reports nicely for the
information of bona fide senders (false positives).
antijohn.pl is basically:
___
/
#!/usr/local/bin/perl -w
use strict;
my $file = '/etc/exim/antijohn';
my $ip = shift;
die "No argument" unless defined $ip;
die "Invalid argument |$ip|" unless $ip =~ /^\d+\.\d+\.\d+\.\d+$/;
# (at this point you _could_ take a look in the file and see
# if the address is already there - can happen occasionally
# e.g when two concurrent dictionary-scan attacks are detected
# from the same IP).
# Since we're doing an append we can ignore file locking...
# (and it's not going to be the end of the world if we sometimes
# manage to list the same address twice...)
open OUT, ">>$file" or die "Couldn't open file, $!";
my $datestamp = scalar gmtime;
print OUT "\n\# $datestamp\n$ip\n";
close OUT;
\___
E&OE, YMMV, and so on...
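As an added illustration (not the poster's script or Exim's own code), here is a Python version of the same two pieces: the decision the first ACL stanza makes, and the append-to-blacklist step, this time with the address validation, duplicate check and file locking the Perl comments say were skipped. The file path and the IP sample values are constructed for the demonstration.

```python
import fcntl
import ipaddress
import os
import time
from pathlib import Path

# Thresholds copied from the RCPT ACL stanza: the deny fires on exactly the
# fifth RCPT (${if ={$rcpt_count}{5}}) when fewer than two recipients have
# been accepted, the host is on +rbl_hosts, and it is not yet in the file.
RCPT_THRESHOLD = 5
MAX_ACCEPTED = 2


def looks_like_dictionary_scan(rcpt_count: int, recipients_count: int,
                               in_rbl_hosts: bool, already_listed: bool) -> bool:
    """Mirror the conditions of the 'deny ... delay = 6m' stanza."""
    return (in_rbl_hosts and not already_listed
            and rcpt_count == RCPT_THRESHOLD
            and recipients_count < MAX_ACCEPTED)


def listed_hosts(path: Path) -> set:
    """Parse the antijohn file the way an Exim host-list file is read:
    one address per line, blank lines and '#' comment lines ignored."""
    if not path.exists():
        return set()
    return {line.strip() for line in path.read_text().splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def record_scanner(ip: str, path: Path, now=None) -> bool:
    """Append ip to the blacklist file once; return True if newly added.

    Differences from the Perl original: the address must parse as a real
    IP (so '999.1.1.1' is rejected with ValueError), an exclusive lock is
    held across the check-and-append, and duplicates are not written.
    """
    addr = str(ipaddress.ip_address(ip))
    with open(path, "a+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)      # lock covers both read and write
        fh.seek(0)
        existing = {l.strip() for l in fh
                    if l.strip() and not l.lstrip().startswith("#")}
        if addr in existing:
            return False
        fh.seek(0, os.SEEK_END)             # writes append anyway; resets decoder
        stamp = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(now))
        fh.write(f"\n# {stamp}\n{addr}\n")  # same '# date / address' layout
        return True
```

Because the stanza tests `$rcpt_count` for equality with 5, a host that keeps going past the fifth RCPT is no longer matched by the first stanza; it is the newly written file entry that makes the second stanza catch it on the next attempt.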