Re: [Exim] Rumplestiltskin attacks anyway to combat them?

Góra strony
Delete this message
Reply to this message
Autor: Dennis Davis
Data:  
Dla: Lars Schimmer
CC: exim-users
Temat: Re: [Exim] Rumplestiltskin attacks anyway to combat them?
>Date: Wed, 30 Jun 2004 15:05:46 +0200
>From: Lars Schimmer <schimmer@???>
>To: Dennis Davis <D.H.Davis@???>
>CC:  cjackson@???, lists <lists@???>,
>     exim-users@???
>Subject: Re: [Exim] Rumplestiltskin attacks anyway to combat them?


...

>Yeah, tarpitting is nice.
>Do You have any conf example for this? I also plan to tarpit these
>"harvesters".
>I'm using exim4 and sa-exim from debianunstable.
>So tarpitting is available but right now I'm a bit confused how to
>tarpit in these ACLs...


The acl_smtp_rcpt fragment I'm using is appended below.
MAXFAILEDRECIPS is currently set to 4. CHERISHED is a macro which
checks to see if the connecting client ($sender_host_address) is
from the part of our Class B address space I'm prepared to trust.

You may need to introduce extra whitelisting. Typically this may be
from IP addresses sending you mailing lists with badly out of date
recipients. The bona-fide recipients will get a poor service and
you may wish to avoid this.

As I commented earlier, these delays keep the connection open for a
while. So you may wish to drop the connection after you've seen a
certain number of failed recipients.


  # Keep a running total of the number of unverified addresses for
  # local domains we've seen in this SMTP connection.  We can't use
  # $rcpt_fail_count as that counts the failures *for a particular
  # message*.  A RSET command will reset this variable while the
  # SMTP connection is still open.  So we keep a running total
  # in a "global" ACL variable.  We'll only run this count for
  # "non-cherished" hosts.  And, with some misgivings, also ignore
  # authenticated SMTP connections.  We'll just assume our users are
  # illiterate and can't spell.
  warn    domains = +local_domains
          condition = ${if and {{! CHERISHED} \
                                {! def:authenticated_id} \
                               } {yes}{no}}
          ! verify = recipient
          set acl_c0 = ${eval: $acl_c0+1}


  # We'll also rack up the above total of unverified addresses for
  # our relay domains.  It's unlikely this will contribute much.
  # But we should give scumbags as much rope as possible with which
  # they can hang themselves.  See later comments about the use of
  # the "random" option on the verify callout.
  warn    domains = +relay_domains
          condition = ${if and {{! CHERISHED} \
                                {! def:authenticated_id} \
                               } {yes}{no}}
          ! verify = recipient/callout=defer_ok,random
          set acl_c0 = ${eval: $acl_c0+1}


  # Start slowing things down if we start seeing lots of failed
  # recipients.  This may be a spammer using out of date addresses
  # or performing a dictionary attack.  So let's see if we can piss
  # off this connecting client.  We'll use a geometric progression,
  # stored in acl_c1, for the delay: 15 secs, 30 secs, 60 secs, 120
  # secs etc.  Note this may work against us as the connection is
  # kept open for a while.
  defer   message = Too many bad recipients $acl_c0
          log_message = $sender_host_address bad recipients $acl_c0, delay $acl_c1
          condition = ${if > {$acl_c0}{MAXFAILEDRECIPS} {yes}{no}}
          set acl_c1 = ${if def:acl_c1 {${eval: $acl_c1*2}}{15}}
          delay = ${acl_c1}s