Re: [Exim] FW: Pounded after drop in helo acl

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [Exim] FW: Pounded after drop in helo acl
On Wed, 30 Jul 2003, Thomas Tonino wrote:

> Kevin Reed wrote:


> > Apparently, they are just reconnecting?


Been there, seen that...

> I think it is better to reject/drop at the RCPT stage -


Definitely!

> check the HELO in the RCPT ACL.


Yup: trying to reject a bad HELO with 5xx at the actual HELO stage
will sometimes cause problems; and dropping the call at that stage
rates to be even worse.

> Also, use a 'delay =' modifier. In combination with a limited number of
> connections per IP this will limit the 'hammering'.


True; nevertheless, it won't stop it, so it's better to look for a
more-effective way of getting rid of them.

> BTW, does anyone have thoughts about using a delay when accepting mail
> from suspicious sources that you might not want to block fully?


There's plenty of other options; seems to me a whole range of them
have got an airing in previous postings to the list (hint!). For
example you might try defer (4xx) after a delay, together with some
kind of database to maintain state, when mail is offered from a
suspicious source. Some spammers won't bother to retry, which is
good; there's a chance that other spammers will show up in RBLs before
you finally accept the mail, so then you can reject it outright. If
it's still retrying after an hour or two then you can accept it.
(Caveat: we don't actually do this, so YMMV. Also, consider the
interaction with your backup MXes, if any.)
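
The defer-with-state idea described in the message above, as an added example that is not part of the original post or of Exim itself: a small decision function an MTA policy hook could call at RCPT time for a suspicious source. The function names, the SQLite table, the (IP, sender, recipient) key, the one-hour hold and the one-day expiry are all assumptions made for illustration; the RBL check is passed in as a callable, and the pre-response delay is left to the MTA.

```python
import sqlite3

HOLD_SECONDS = 3600     # assumed: "an hour or two" taken as one hour
EXPIRE_SECONDS = 86400  # assumed: forget a source that stops retrying for a day

def open_state(path=":memory:"):
    """Open (or create) the state database that remembers earlier attempts."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS seen ("
               "ip TEXT, sender TEXT, rcpt TEXT, first REAL, last REAL, "
               "PRIMARY KEY (ip, sender, rcpt))")
    return db

def decide(db, ip, sender, rcpt, now, is_listed):
    """Return (smtp_code, reason) for one RCPT from a suspicious source.

    is_listed(ip) is a caller-supplied RBL lookup (hypothetical interface).
    """
    # If the source has shown up in an RBL since it was deferred, reject outright.
    if is_listed(ip):
        return 550, "source is now listed"
    key = (ip, sender.lower(), rcpt.lower())
    where = "WHERE ip=? AND sender=? AND rcpt=?"
    row = db.execute("SELECT first, last FROM seen " + where, key).fetchone()
    if row is None or now - row[1] > EXPIRE_SECONDS:
        # First sighting, or the old record went stale: (re)start the clock.
        db.execute("INSERT OR REPLACE INTO seen VALUES (?,?,?,?,?)",
                   key + (now, now))
        db.commit()
        return 451, "first attempt, deferred"
    db.execute("UPDATE seen SET last=? " + where, (now,) + key)
    db.commit()
    if now - row[0] >= HOLD_SECONDS:
        # Still retrying after the hold period and still unlisted: accept.
        return 250, "retried past hold period"
    return 451, "hold period not over, deferred"

if __name__ == "__main__":
    # Constructed sample: one sender retrying at 0, 10 and 65 minutes.
    db = open_state()
    for t in (0, 600, 3900):
        print(t, decide(db, "192.0.2.10", "a@example.org", "b@example.net",
                        t, lambda ip: False))
```

The state here is local to one host, so a sender that retries against a backup MX is not recognised unless that host shares the database.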