Re: [exim] exim allowed someone to slam my mail server for 3…

Author: Michael Sprague
Date:  
To: exim-users
Subject: Re: [exim] exim allowed someone to slam my mail server for 3 hours
abc@??? wrote:
> What happened here? I thought Exim is supposed to disconnect people if
> they cause too many errors in their connection? Why did Exim allow the
> one host to make 38,000 requests in 3 hours within just 1 connection?
>
> Here what I see in my logs:
>
> 2005-06-26 07:25:32 SMTP connection from [200.101.127.102] (TCP/IP
> connection count = 1)
> 2005-06-26 07:25:34 H=(buzz) [200.101.127.102]
> F=<dwnj_meka_r_z_w@???> rejected RCPT <madeye@???>:
> host 200.101.127.102 is listed in brazil.blackholes.us
> 2005-06-26 07:25:40 H=(buzz) [200.101.127.102]
> F=<dwnj_meka_r_z_w@???> rejected RCPT <madeye@???>:
> host 200.101.127.102 is listed in brazil.blackholes.us
> 2005-06-26 07:25:44 H=(buzz) [200.101.127.102]
> F=<dwnj_meka_r_z_w@???> rejected RCPT <madeye@???>:
> host 200.101.127.102 is listed in brazil.blackholes.us
> 2005-06-26 07:25:46 H=(buzz) [200.101.127.102]
> F=<dwnj_meka_r_z_w@???> rejected RCPT <madeye@???>:
> host 200.101.127.102 is listed in brazil.blackholes.us
>
> That message repeats thousands of times for 3 hours, then:
> 2005-06-26 10:36:28 SMTP syntax error in "SAIR" H=(buzz)
> [200.101.127.102] unrecognized command
> 2005-06-26 10:36:29 unexpected disconnection while reading SMTP command
> from (buzz) [200.101.127.102]
>
> Isn't there a way to disconnect a host if they cause too many errors in
> the SMTP dialogue?
>


Sure. You can put something like this in your rcpt ACL:

drop
   condition      = ${if > {${eval:$rcpt_fail_count}}{3}{true}{false}}
   message        = Too many failed recipients - count = $rcpt_fail_count


This will drop the connection after 3 bad rcpt to's are done.

M



--
Michael Sprague | mfs@???
System and Network Engineering (SaNE), Inc
use STD::disclaimer;
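
An added example, not part of the original post and not Exim's own code: a Python check that counts `rejected RCPT` lines per remote host in the main-log format quoted above, to show which hosts a `$rcpt_fail_count` limit like the one in the ACL would have cut off. The sample log lines, addresses, and the function names are constructed for illustration; counts are per host across the whole log, not per connection.

```python
import re
from collections import Counter

# Rejection lines have the shape quoted in the thread:
#   DATE TIME H=(helo) [ip] F=<sender> rejected RCPT <rcpt>: reason
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=.*?\[(?P<ip>[0-9a-fA-F.:]+)\].*? rejected RCPT <[^>]*>"
)

# Constructed sample input (documentation addresses, not real log data).
SAMPLE_LOG = """\
2005-06-26 07:25:32 SMTP connection from [192.0.2.10] (TCP/IP connection count = 1)
2005-06-26 07:25:34 H=(buzz) [192.0.2.10] F=<s@example.org> rejected RCPT <u@example.net>: host 192.0.2.10 is listed in dnsbl.example
2005-06-26 07:25:40 H=(buzz) [192.0.2.10] F=<s@example.org> rejected RCPT <u@example.net>: host 192.0.2.10 is listed in dnsbl.example
2005-06-26 07:25:44 H=(buzz) [192.0.2.10] F=<s@example.org> rejected RCPT <u@example.net>: host 192.0.2.10 is listed in dnsbl.example
2005-06-26 07:25:46 H=(buzz) [192.0.2.10] F=<s@example.org> rejected RCPT <u@example.net>: host 192.0.2.10 is listed in dnsbl.example
2005-06-26 07:25:50 H=(buzz) [192.0.2.10] F=<s@example.org> rejected RCPT <u@example.net>: host 192.0.2.10 is listed in dnsbl.example
2005-06-26 07:26:01 H=mail.example.com (mail) [198.51.100.7] F=<a@example.com> rejected RCPT <nobody@example.net>: Unknown user
2005-06-26 10:36:28 SMTP syntax error in "SAIR" H=(buzz) [192.0.2.10] unrecognized command
""".splitlines()


def count_rejected_rcpts(lines):
    """Return (Counter of rejections per IP, {ip: (first_ts, last_ts)})."""
    counts, span = Counter(), {}
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue  # connection notices, syntax errors, deliveries, etc.
        ip, ts = m["ip"], m["ts"]
        counts[ip] += 1
        first = span[ip][0] if ip in span else ts
        span[ip] = (first, ts)
    return counts, span


def noisy_hosts(lines, threshold=3):
    """Hosts with more than `threshold` rejected RCPTs (same '> 3' test as the ACL)."""
    counts, span = count_rejected_rcpts(lines)
    return [(ip, n, *span[ip]) for ip, n in counts.most_common() if n > threshold]


if __name__ == "__main__":
    for ip, n, first, last in noisy_hosts(SAMPLE_LOG):
        print(f"{ip}: {n} rejected RCPTs between {first} and {last}")
```
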