RE: [exim] exim allowed someone to slam my mail server for 3…

Author: abc
Date:  
To: exim-users
Subject: RE: [exim] exim allowed someone to slam my mail server for 3 hours
On Mon, 27 Jun 2005, Matt Sealey wrote:
> I don't see any evidence that these thousands of failures were
> one single unbroken connection.


It was just one connection. I see the following line in my logs only
once:

2005-06-26 07:25:32 SMTP connection from [200.101.127.102] (TCP/IP connection count = 1)

There is no other "connection from" line from that IP.

> How would you fix up Exim to handle someone doing real reconnects, a new
> session each time?


Good question... But I don't think Exim can remember information between
connections, can it?

I do have measures in place using the Linux kernel, where I block someone
if they send lots of SYN packets. This helps protect against someone
opening too many connections or slamming the system, and it confuses
the portscanners. This user was not blocked, because they slammed the
server in just one connection.
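
Added example, not part of the original post: a log check that compares "SMTP connection from" lines with failures per host, to pick out the single-connection case described above that a SYN-rate block does not see. The sample log is constructed; the `rejected RCPT` lines, the host 192.0.2.7 and the thresholds are assumptions, since the post shows only the connection line.

```python
import re
from collections import defaultdict

# Constructed sample. Only the "SMTP connection from" line format comes from the
# post; the "rejected RCPT" lines and the 192.0.2.7 host are assumptions.
SAMPLE_LOG = """\
2005-06-26 07:25:32 SMTP connection from [200.101.127.102] (TCP/IP connection count = 1)
2005-06-26 07:25:33 H=(constructed) [200.101.127.102] F=<x@example.org> rejected RCPT <a@example.net>: unknown user
2005-06-26 07:25:33 H=(constructed) [200.101.127.102] F=<x@example.org> rejected RCPT <b@example.net>: unknown user
2005-06-26 07:25:34 H=(constructed) [200.101.127.102] F=<x@example.org> rejected RCPT <c@example.net>: unknown user
2005-06-26 07:25:34 H=(constructed) [200.101.127.102] F=<x@example.org> rejected RCPT <d@example.net>: unknown user
2005-06-26 08:00:01 SMTP connection from [192.0.2.7] (TCP/IP connection count = 1)
2005-06-26 08:00:02 H=(constructed) [192.0.2.7] F=<y@example.org> rejected RCPT <a@example.net>: unknown user
2005-06-26 08:00:05 SMTP connection from [192.0.2.7] (TCP/IP connection count = 1)
2005-06-26 08:00:06 H=(constructed) [192.0.2.7] F=<y@example.org> rejected RCPT <b@example.net>: unknown user
2005-06-26 08:00:09 SMTP connection from [192.0.2.7] (TCP/IP connection count = 1)
2005-06-26 08:00:10 H=(constructed) [192.0.2.7] F=<y@example.org> rejected RCPT <c@example.net>: unknown user
"""

CONNECT_RE = re.compile(r"SMTP connection from .*?\[([^\]\s]+)\]")
REJECT_RE = re.compile(r" \[([^\]\s]+)\](?::\d+)? .*\brejected\b")

def summarize(log_text):
    """Return {ip: (connections, rejections)} for every host in the log."""
    conns, fails = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            conns[m.group(1)] += 1
            continue
        m = REJECT_RE.search(line)
        if m:
            fails[m.group(1)] += 1
    return {ip: (conns[ip], fails[ip]) for ip in set(conns) | set(fails)}

def single_connection_floods(log_text, min_failures=3, max_connections=1):
    """Hosts with many rejections on so few connections that a per-IP
    SYN-rate limit never sees them."""
    stats = summarize(log_text)
    return sorted(ip for ip, (c, f) in stats.items()
                  if f >= min_failures and c <= max_connections)

if __name__ == "__main__":
    for ip, (c, f) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip}: {c} connection(s), {f} rejection(s)")
    print("single-connection floods:", single_connection_floods(SAMPLE_LOG))
```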