Re: [Exim] Very anoying virus behavior

Author: Rossz Vamos-Wentworth
Date:  
To: Exim-users
Subject: Re: [Exim] Very anoying virus behavior
Walt Reed wrote:
> One of the things I've noticed about this latest email worm is that it
> seems to be doing a namelist attack. Looking at my logs, I'm getting
> hundreds of hits to nonexistent names. Occasionally it finds a valid
> one, which is rejected by the exiscan rule.
>
> Anyway, rather than waste my mail server's time and bandwidth, I was
> thinking along the lines of processing the logs looking for the pattern,
> and adding a firewall rule to drop the host. Has anyone done that
> already or working on something like this? Greylisting doesn't seem like it
> would work as this worm does multiple tries.

I've been getting those hits, too. I've manually blocked a few.
Automating the process shouldn't be that hard. Just a small program
that checks how many invalid addresses have been attempted by an IP
address and invokes iptables when a certain threshold is reached.
Perhaps a cron job that removes the blocks after a set time (a few days,
perhaps). I did something similar to this for Code Red and Nimda hits,
except there was no "grace" period. The first hit got you blocked.

> Maybe an "infected by worm" DNSBL would work.

xbl.spamhaus.org (or sbl-xbl.spamhaus.org).

--
Rossz
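The log-driven blocker sketched in the reply above, written out as an added example (not code from this thread or from Exim): count rejected-recipient lines per client IP, emit iptables DROP commands once a threshold is hit, and emit the matching removals once a block has aged out. The Exim log line layout, the "Unknown user"/"Unrouteable address" reject text and the rule shape are assumptions; the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines laid out like Exim main-log RCPT rejections (assumed format).
SAMPLE_LOG = """\
2004-01-28 10:00:01 H=(pc1) [192.0.2.10] F=<a@example.net> rejected RCPT <fred@example.org>: Unknown user
2004-01-28 10:00:02 H=(pc1) [192.0.2.10] F=<a@example.net> rejected RCPT <sally@example.org>: Unknown user
2004-01-28 10:00:03 H=(pc1) [192.0.2.10] F=<a@example.net> rejected RCPT <joe@example.org>: Unrouteable address
2004-01-28 10:00:04 H=mx.example.com [198.51.100.5] F=<b@example.com> rejected RCPT <oops@example.org>: Unknown user
2004-01-28 10:00:05 H=(pc1) [192.0.2.10] F=<a@example.net> rejected RCPT <bob@example.org>: Unknown user
2004-01-28 10:00:06 H=(pc1) [192.0.2.10] F=<a@example.net> => fred@example.org R=local T=local_delivery
"""

# Client IP in [...] followed by a recipient rejection with one of the assumed reject texts.
REJECT_RE = re.compile(
    r"\[(\d{1,3}(?:\.\d{1,3}){3})\] .*rejected RCPT .*: (?:Unknown user|Unrouteable address)$"
)

def count_invalid_rcpt(lines):
    """Return Counter of rejected-recipient attempts keyed by client IP."""
    counts = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def hosts_over_threshold(counts, threshold):
    """IPs whose invalid-recipient count reached the threshold ('grace' period)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def block_commands(ips, chain="INPUT"):
    """One idempotent iptables line per IP: -C checks first, -I inserts only if absent."""
    return [f"iptables -C {chain} -s {ip} -p tcp --dport 25 -j DROP 2>/dev/null || "
            f"iptables -I {chain} -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]

def expire_commands(blocked_at, now, max_age, chain="INPUT"):
    """For the cron side: removals for blocks older than max_age seconds."""
    return [f"iptables -D {chain} -s {ip} -p tcp --dport 25 -j DROP"
            for ip, t in sorted(blocked_at.items()) if now - t >= max_age]

if __name__ == "__main__":
    counts = count_invalid_rcpt(SAMPLE_LOG.splitlines())
    for cmd in block_commands(hosts_over_threshold(counts, 3)):
        print(cmd)
```

Run it against the real log with `tail -F` or from cron; the hypothetical `blocked_at` map would be persisted by whatever adds the rules so the expiry pass knows when each block was made.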