Re: [Exim] FW: Defending Against Rumplestiltskin Attacks???

Author: Tor Slettnes
Date:  
To: Ilan Aisic
CC: exim-users
Subject: Re: [Exim] FW: Defending Against Rumplestiltskin Attacks???
On Sun, 2004-05-09 at 08:11, Ilan Aisic wrote:
> I was wondering if there's a way to configure Exim so that spammers or
> computers trying to flood us with DDoS attacks, can be treated to a
> special slow connection (See below postfix setup).


Yeah, sure. You can insert e.g. "delay = 20s" at various ACLs; even if
you do this for the occasional legitimate mail, no big harm is done.

I have these delay modifiers sprinkled throughout my Exim ACLs. If I
detect any suspect data at any stage, the sender is stalled for 20
seconds at each command issued from then on until the end of the SMTP
transaction. So, for instance, if the client sends "HELO x.y.z.w",
where "x.y.z.w" is an IP address, or if it is a name that translates
into my own IP address, I will stall them for 20s at the HELO command,
20s at the MAIL FROM: command, 20s at RCPT TO:, and 20s after DATA,
before finally rejecting the mail.

Some of the checks I do (all of these will trigger delays, but not all
will cause a rejection by themselves):
- Connection from a host listed in one of many DNSbls (SBL, Sorbs...)
- Connection from an IP with no reverse DNS
- HELO or EHLO with IP address given as argument
- HELO or EHLO with a name that translates into my own IP address
- No HELO or EHLO
- "verify=helo" failure (i.e. bogus name given in HELO/EHLO greeting)
- MAIL FROM: an unverifiable sender address (w/callout verification)
- RCPT TO: system users (postmaster, mailer-daemon, root, mail...)
- Missing Message-ID: or Date: header
- Syntactically invalid To:, Cc:, or From: headers
- MIME errors (as detected by Exiscan-ACL)
- Windows executable attachments (.exe, .dll, .pif, .scr...)
- A spam indication from SpamAssassin (via Exiscan-ACL)


Also, if you are interested in "tarpitting" spammers for extended
periods of time, you may be interested in "sa-exim"; see:
    http://marc.merlins.org/linux/exim/sa.html


Newer versions of SA-Exim also have support for "greylisting", per:
    http://projects.puremagic.com/greylisting/


-tor
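As an added illustration of the stall-then-reject pattern Tor describes (an editorial sketch, not Tor's actual configuration or anything from the Exim or SA-Exim projects), here is how the HELO checks and the per-command 20s delays can be expressed in Exim 4 ACLs. The ACL names, the use of $acl_m0/$acl_m1 as session flags and the 20s figure are assumptions chosen to match the post.

```exim
# Main section: hook ACLs into each SMTP stage we want to be able to stall
acl_smtp_helo = acl_check_helo
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

begin acl

# $acl_m0 = "suspect" (stall at every later stage); $acl_m1 = "reject at DATA".
acl_check_helo:
  # HELO/EHLO argument is a bare (unbracketed) IP address, as in "HELO x.y.z.w"
  warn  condition = ${if isip{$sender_helo_name}}
        set acl_m0 = 1
        set acl_m1 = 1
        delay = 20s
  # HELO/EHLO name resolves to the address we are listening on (single A record)
  warn  condition = ${if eq{${lookup dnsdb{a=$sender_helo_name}{$value}{}}}{$interface_address}}
        set acl_m0 = 1
        set acl_m1 = 1
        delay = 20s
  accept

acl_check_mail:
  # Already flagged earlier in this session: stall again before anything else
  warn  condition = $acl_m0
        delay = 20s
  # Sender fails callout verification: flag and stall, but do not reject yet
  warn  !verify = sender/callout
        set acl_m0 = 1
        delay = 20s
  accept

acl_check_rcpt:
  warn  condition = $acl_m0
        delay = 20s
  # Mail to system accounts is suspect but still accepted at this stage
  warn  local_parts = root : mail : daemon : mailer-daemon
        set acl_m0 = 1
        delay = 20s
  deny  !verify = recipient
  accept

acl_check_data:
  warn  condition = $acl_m0
        delay = 20s
  # Final verdict: the hard-reject cases are turned away only now,
  # after the client has paid 20s at each command of the transaction
  deny  condition = $acl_m1
        message = HELO/EHLO argument is not acceptable
  accept
```

The $acl_m variables persist for the whole SMTP connection, which is what lets a HELO-time verdict keep stalling the client at MAIL, RCPT and DATA.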