Re: [exim] exim allowed someone to slam my mail server for 3…

Author: Marilyn Davis
Date:  
To: peter
CC: Exim Mailing List
Subject: Re: [exim] exim allowed someone to slam my mail server for 3 hours
On Mon, 27 Jun 2005, Peter Bowyer wrote:

> On 27/06/05, Michael Sprague <mfs@???> wrote:
> > abc@??? wrote:
> > > What happened here? I thought Exim is supposed to disconnect people if
> > > they cause too many errors in their connection? Why did Exim allow the
> > > one host to make 38,000 requests in 3 hours within just 1 connection?
> > >
> > > Here what I see in my logs:
> > >
> > > 2005-06-26 07:25:32 SMTP connection from [200.101.127.102] (TCP/IP
> > > connection count = 1)
> > > 2005-06-26 07:25:34 H=(buzz) [200.101.127.102]
> > > F=<dwnj_meka_r_z_w@???> rejected RCPT <madeye@???>:
> > > host 200.101.127.102 is listed in brazil.blackholes.us
> > > 2005-06-26 07:25:40 H=(buzz) [200.101.127.102]
> > > F=<dwnj_meka_r_z_w@???> rejected RCPT <madeye@???>:
> > > host 200.101.127.102 is listed in brazil.blackholes.us
> > > 2005-06-26 07:25:44 H=(buzz) [200.101.127.102]
> > > F=<dwnj_meka_r_z_w@???> rejected RCPT <madeye@???>:
> > > host 200.101.127.102 is listed in brazil.blackholes.us
> > > 2005-06-26 07:25:46 H=(buzz) [200.101.127.102]
> > > F=<dwnj_meka_r_z_w@???> rejected RCPT <madeye@???>:
> > > host 200.101.127.102 is listed in brazil.blackholes.us
> > >
> > > That message repeats thousands of times for 3 hours, then:
> > > 2005-06-26 10:36:28 SMTP syntax error in "SAIR" H=(buzz)
> > > [200.101.127.102] unrecognized command
> > > 2005-06-26 10:36:29 unexpected disconnection while reading SMTP command
> > > from (buzz) [200.101.127.102]
> > >
> > > Isn't there a way to disconnect a host if they cause too many errors in
> > > the SMTP dialogue?
> > >
> >
> > Sure. You can put something like this in your rcpt ACL:
> >
> > drop
> >   condition      = ${if > {${eval:$rcpt_fail_count}}{3}{true}{false}}
> >   message        = Too many failed recipients - count = $rcpt_fail_count
> >
> > This will drop the connection after 3 bad rcpt to's are done.
I just added this and I tested it from a Yahoo account by sending to 4
addresses on my domain, 3 of which are bogus.

Yahoo makes 4 connections:

10800 Listening...
10800 Connection request from 68.142.206.160 port 43138
10800 1 SMTP accept process running
10800 Listening...
10800 Connection request from 68.142.206.160 port 43139
10800 2 SMTP accept processes running
10800 Listening...
10800 Connection request from 68.142.206.160 port 43140
10800 3 SMTP accept processes running
10800 Listening...
10800 Connection request from 68.142.206.160 port 43141
10800 4 SMTP accept processes running
10800 Listening...

So, that's disappointing. The spammer has to cooperate?

Marilyn Davis

>
> We do exactly that, but we also save the IP to feed a local DNSBL and
> reject on connect the next time they come along.
>
> Peter
>
>
>
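The gap Marilyn hit is that $rcpt_fail_count lives inside one SMTP connection, so a sender that opens a new connection per recipient never trips a per-connection drop; Peter's answer is to count across connections by source IP and reject at connect time via a local DNSBL. The script below is an added example, not code from the thread or from Exim: it parses Exim mainlog-style "rejected RCPT" lines, shows what a per-connection counter sees versus a per-IP tally across connections, and emits the reversed-octet names (d.c.b.a) that a DNSBL zone keys on. The log lines are constructed to mirror the ones quoted above (the sender domains, recipient names and the 192.0.2.10 host are placeholders), and the threshold, window and the connect-ACL side that would query the zone are assumptions, not anything the thread specifies.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Exim mainlog lines, modelled on the ones quoted in
# the thread: one host hammering a single connection, one webmail relay that
# opens a fresh connection per recipient (as in Marilyn's Yahoo test), and
# one host with a single typo. Domains and the third host are placeholders.
SAMPLE_LOG = """\
2005-06-26 07:25:32 SMTP connection from [200.101.127.102] (TCP/IP connection count = 1)
2005-06-26 07:25:34 H=(buzz) [200.101.127.102] F=<x@example.net> rejected RCPT <madeye@example.org>: host 200.101.127.102 is listed in brazil.blackholes.us
2005-06-26 07:25:40 H=(buzz) [200.101.127.102] F=<x@example.net> rejected RCPT <madeye@example.org>: host 200.101.127.102 is listed in brazil.blackholes.us
2005-06-26 07:25:44 H=(buzz) [200.101.127.102] F=<x@example.net> rejected RCPT <madeye@example.org>: host 200.101.127.102 is listed in brazil.blackholes.us
2005-06-26 07:25:46 H=(buzz) [200.101.127.102] F=<x@example.net> rejected RCPT <madeye@example.org>: host 200.101.127.102 is listed in brazil.blackholes.us
2005-06-26 07:30:01 SMTP connection from [68.142.206.160] (TCP/IP connection count = 1)
2005-06-26 07:30:02 H=web1.example.com [68.142.206.160] F=<u@example.com> rejected RCPT <nosuch1@example.org>: Unrouteable address
2005-06-26 07:30:02 SMTP connection from [68.142.206.160] (TCP/IP connection count = 2)
2005-06-26 07:30:03 H=web1.example.com [68.142.206.160] F=<u@example.com> rejected RCPT <nosuch2@example.org>: Unrouteable address
2005-06-26 07:30:03 SMTP connection from [68.142.206.160] (TCP/IP connection count = 3)
2005-06-26 07:30:04 H=web1.example.com [68.142.206.160] F=<u@example.com> rejected RCPT <nosuch3@example.org>: Unrouteable address
2005-06-26 09:00:00 SMTP connection from [192.0.2.10] (TCP/IP connection count = 1)
2005-06-26 09:00:01 H=mx.example.net [192.0.2.10] F=<a@example.net> rejected RCPT <typo@example.org>: Unrouteable address
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
CONNECT_RE = re.compile(TS + r" SMTP connection from \[(?P<ip>[0-9.]+)\]")
# H= may carry a hostname, a HELO name in parentheses, both, or nothing
# before the bracketed address, so accept anything up to the first '['.
REJECT_RE = re.compile(
    TS + r" H=[^\[]*\[(?P<ip>[0-9.]+)\] .*? rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)


def parse_rejections(log_text):
    """Yield (timestamp, ip, recipient, reason) for each 'rejected RCPT' line."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["ip"], m["rcpt"], m["reason"]


def peak_failures_per_connection(log_text):
    """Roughly what the rcpt ACL's $rcpt_fail_count can see: the tally is per
    connection, so it restarts every time the same host connects again.
    (Approximation: connections from one IP are treated as sequential.)"""
    current = defaultdict(int)   # ip -> failures in its latest connection
    peak = defaultdict(int)      # ip -> highest per-connection tally seen
    for line in log_text.splitlines():
        c = CONNECT_RE.match(line)
        if c:
            current[c["ip"]] = 0
            continue
        r = REJECT_RE.match(line)
        if r:
            current[r["ip"]] += 1
            peak[r["ip"]] = max(peak[r["ip"]], current[r["ip"]])
    return dict(peak)


def failures_per_ip(log_text, window_seconds=86400):
    """Cross-connection tally: rejected RCPTs per source IP within the window
    ending at the newest log entry, however many connections the host used."""
    events = list(parse_rejections(log_text))
    if not events:
        return {}
    newest = max(ts for ts, _ip, _rcpt, _reason in events)
    counts = defaultdict(int)
    for ts, ip, _rcpt, _reason in events:
        if (newest - ts).total_seconds() <= window_seconds:
            counts[ip] += 1
    return dict(counts)


def dnsbl_candidates(log_text, threshold=3, window_seconds=86400):
    """Hosts with at least `threshold` rejected RCPTs in the window, as
    reversed-octet labels (d.c.b.a), the form a DNSBL lookup uses, so they
    can go straight into a local zone that the connect ACL consults."""
    return sorted(
        ".".join(reversed(ip.split(".")))
        for ip, n in failures_per_ip(log_text, window_seconds).items()
        if n >= threshold
    )


if __name__ == "__main__":
    print("per-connection peak :", peak_failures_per_connection(SAMPLE_LOG))
    print("per-IP, all conns   :", failures_per_ip(SAMPLE_LOG))
    print("local DNSBL entries :", dnsbl_candidates(SAMPLE_LOG))
```

On the sample, the relay that used three connections never gets past a per-connection count of 1, while the per-IP tally sees all three rejections and lists it alongside the host that hammered one connection; the host with a single typo stays off the list. That also shows the caveat with Peter's approach: a large shared outbound relay, like the Yahoo servers in Marilyn's test, will reach a low threshold on ordinary user typos, so pick the threshold and window from your own log volume, expire entries rather than keeping them forever, and exempt relays you know you want mail from.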