Re: [Exim] Re: Re: smtp_accept_max_rcpt_failures?!

Top Page
This message is part of the following thread:
M\the complete thread tree sorted by date
MMWakko Warner at <-
MPatrick Starrenburg at ->
Delete this message
Reply to this message
Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [Exim] Re: Re: smtp_accept_max_rcpt_failures?!
On Mon, 2 Jun 2003, Patrick Starrenburg wrote:

> > Nothing remotely clever, in other words ;-)
>
> Can we plead dumbness and ask for your example :-)

Well, if you insist...

The RCPT ACL stanza to invoke the script is 

  deny hosts = +rbl_hosts
       hosts = ! /etc/exim/antijohn
       message = *** Dictionary scan! $rcpt_count, $recipients_count
       condition = ${if ={$rcpt_count}{5}{1}{0}}
       condition = ${if <{$recipients_count}{2}{1}{0}}
       condition = ${run{/etc/exim/antijohn.pl $sender_host_address }{1}{0}}
       delay = 6m


We chose a count of 5, rather than some lower value, after a rather
embarrassing incident where one of our research funding bodies used a
service provider to mail to an old mailing list, and consequently got
the service provider blacklisted with us. Oops.

The delay is chosen to be long enough that the sender will themselves
drop the call. As I said before, for some of them that seems to be
sufficient, and they don't try that particular request again (though
they may come back with a different scan and/or via a different open
proxy); but others will just keep retrying the same list of bogus
addresses over and over, so they then get caught by this stanza: 

  deny message = Your mail host has automatically blacklisted itself here\n\
         for previous activity which the mailer rated as abuse.\n\
         SORRYTEXT
       hosts = /etc/exim/antijohn
       delay=150s


SORRYTEXT is a macro containing generic advice about contacting the
postmaster in case of difficulty. It gets appended to many of our
"deny" messages. After going through a phase of trying to be rude to
spammers, I realised that spammers probably aren't going to read these
responses anyway, so I switched to wording the reports nicely for the
information of bona fide senders (false positives).

antijohn.pl is basically:
___
/

#!/usr/local/bin/perl -w

use strict;

my $file = '/etc/exim/antijohn';

my $ip = shift;

die "No argument" unless defined $ip;

die "Invalid argument |$ip|" unless $ip =~ /^\d+\.\d+\.\d+\.\d+$/;

# (at this point you _could_ take a look in the file and see
# if the address is already there - can happen occasionally
# e.g when two concurrent dictionary-scan attacks are detected
# from the same IP).

# Since we're doing an append we can ignore file locking...
# (and it's not going to be the end of the world if we sometimes
# manage to list the same address twice...)

open OUT, ">>$file" or die "Couldn't open file, $!";

my $datestamp = scalar gmtime;

print OUT "\n\# $datestamp\n$ip\n";

close OUT;

\___



E&OE, YMMV, and so on...


This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-[Exim] FAQ Tips and TechniquesRe: [Exim] \dev\null->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)