Re: [exim] exim allowed someone to slam my mail server for 3…

Author: Peter Bowyer
Date:
To: Exim Mailing List
Subject: Re: [exim] exim allowed someone to slam my mail server for 3 hours
On 27/06/05, Michael Sprague <mfs@???> wrote:
> abc@??? wrote:
> > What happened here? I thought Exim is supposed to disconnect people if
> > they cause too many errors in their connection? Why did Exim allow the
> > one host to make 38,000 requests in 3 hours within just 1 connection?
> >
> > Here what I see in my logs:
> >
> > 2005-06-26 07:25:32 SMTP connection from [200.101.127.102] (TCP/IP
> > connection count = 1)
> > 2005-06-26 07:25:34 H=(buzz) [200.101.127.102]
> > F=<dwnj_meka_r_z_w@???> rejected RCPT <madeye@???>:
> > host 200.101.127.102 is listed in brazil.blackholes.us
> > 2005-06-26 07:25:40 H=(buzz) [200.101.127.102]
> > F=<dwnj_meka_r_z_w@???> rejected RCPT <madeye@???>:
> > host 200.101.127.102 is listed in brazil.blackholes.us
> > 2005-06-26 07:25:44 H=(buzz) [200.101.127.102]
> > F=<dwnj_meka_r_z_w@???> rejected RCPT <madeye@???>:
> > host 200.101.127.102 is listed in brazil.blackholes.us
> > 2005-06-26 07:25:46 H=(buzz) [200.101.127.102]
> > F=<dwnj_meka_r_z_w@???> rejected RCPT <madeye@???>:
> > host 200.101.127.102 is listed in brazil.blackholes.us
> >
> > That message repeats thousands of times for 3 hours, then:
> > 2005-06-26 10:36:28 SMTP syntax error in "SAIR" H=(buzz)
> > [200.101.127.102] unrecognized command
> > 2005-06-26 10:36:29 unexpected disconnection while reading SMTP command
> > from (buzz) [200.101.127.102]
> >
> > Isn't there a way to disconnect a host if they cause too many errors in
> > the SMTP dialogue?
> >
>
> Sure. You can put something like this in your rcpt ACL:
>
> drop
>   condition      = ${if > {${eval:$rcpt_fail_count}}{3}{true}{false}}
>   message        = Too many failed recipients - count = $rcpt_fail_count
>
> This will drop the connection after 3 bad rcpt to's are done.


We do exactly that, but we also save the IP to feed a local DNSBL and
reject on connect the next time they come along.

Peter


--
Peter Bowyer
Email: peter@???
Tel: +44 1296 768003
VoIP: sip:peter@???
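The quoted ACL drops a session after more than three rejected RCPTs; the reply above adds feeding the offending IP into a local DNSBL so it is rejected at connect time on its next visit. The script below is an added illustration of that second step, not code from the thread or from Exim: it counts "rejected RCPT" lines per client IP in the main-log format quoted above, applies the same threshold as the ACL, and emits reversed-octet A records for a local blocklist zone. The log lines, the zone name bl.local.invalid, the second client address 192.0.2.7 and the example.invalid addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of Exim main-log lines in the layout quoted in the thread.
# 200.101.127.102 is the host from the original report; 192.0.2.7 is a made-up
# second client that is rejected only once and must not be listed.
SAMPLE_LOG = """\
2005-06-26 07:25:32 SMTP connection from [200.101.127.102] (TCP/IP connection count = 1)
2005-06-26 07:25:34 H=(buzz) [200.101.127.102] F=<x@example.invalid> rejected RCPT <madeye@example.invalid>: host 200.101.127.102 is listed in brazil.blackholes.us
2005-06-26 07:25:40 H=(buzz) [200.101.127.102] F=<x@example.invalid> rejected RCPT <madeye@example.invalid>: host 200.101.127.102 is listed in brazil.blackholes.us
2005-06-26 07:25:44 H=(buzz) [200.101.127.102] F=<x@example.invalid> rejected RCPT <madeye@example.invalid>: host 200.101.127.102 is listed in brazil.blackholes.us
2005-06-26 07:25:46 H=(buzz) [200.101.127.102] F=<x@example.invalid> rejected RCPT <madeye@example.invalid>: host 200.101.127.102 is listed in brazil.blackholes.us
2005-06-26 07:26:01 H=(mx) [192.0.2.7] F=<a@example.invalid> rejected RCPT <nobody@example.invalid>: Unrouteable address
"""

# date, time, "H=<helo/host> [ip]", then anything up to "rejected RCPT"
REJECTED_RCPT = re.compile(
    r"^\S+ \S+ H=.*? \[(\d{1,3}(?:\.\d{1,3}){3})\] .*? rejected RCPT "
)


def count_rcpt_rejects(log_text):
    """Return a Counter of 'rejected RCPT' log lines keyed by client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECTED_RCPT.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(log_text, threshold=3):
    """IPs with more than `threshold` rejected RCPTs, the same test the
    quoted ACL applies to $rcpt_fail_count within a single session."""
    return sorted(ip for ip, n in count_rcpt_rejects(log_text).items() if n > threshold)


def dnsbl_records(ips, zone="bl.local.invalid", reply="127.0.0.2"):
    """Zone-file A records for a local DNSBL: IPv4 octets reversed under the
    zone, which is the form an Exim dnslists lookup queries."""
    return [
        "{}.{}. IN A {}".format(".".join(reversed(ip.split("."))), zone, reply)
        for ip in ips
    ]


if __name__ == "__main__":
    for record in dnsbl_records(offenders(SAMPLE_LOG)):
        print(record)
```

An Exim ACL can then consult the zone with a dnslists condition in the connect ACL, which is the "reject on connect" step the reply describes.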