Re: [exim] exim allowed someone to slam my mail server for 3…

Author: Peter Bowyer
Date:  
To: Exim Mailing List
New-Topics: Re: [exim] cross connection message tracking - Was: exim allowed someone to slam my mail server for 3 hours
Subject: Re: [exim] exim allowed someone to slam my mail server for 3 hours
On 27/06/05, Marilyn Davis <marilyn@???> wrote:
> On Mon, 27 Jun 2005, Mark Smith wrote:
>
> >
> > > I just added this and I tested it from a yahoo account by
> > > sending to 4 addresses on my domain, 3 of which are bogus.
> > >
> > > Yahoo makes 4 connections:
> > >
> > > 10800 Listening...
> > > 10800 Connection request from 68.142.206.160 port 43138
> > > 10800 1 SMTP accept process running
> > > 10800 Listening...
> > > 10800 Connection request from 68.142.206.160 port 43139
> > > 10800 2 SMTP accept processes running
> > > 10800 Listening...
> > > 10800 Connection request from 68.142.206.160 port 43140
> > > 10800 3 SMTP accept processes running
> > > 10800 Listening...
> > > 10800 Connection request from 68.142.206.160 port 43141
> > > 10800 4 SMTP accept processes running
> > > 10800 Listening...
> > >
> > > So, that's disappointing. The spammer has to cooperate?
> > >
> > > Marilyn Davis
> > >
> > The only way to deal with that is to set smtp_accept_max_per_host = 1.
>
> Thank you. But it doesn't seem to fix anything, it just takes longer
> because the other connections are delayed. But the result is the
> same. $rcpt_count never gets above 1.
>
> Now, why would yahoo only send one RCPT per connection when 4
> addresses to the same domain are on the same message? What is the
> benefit of doing that -- aside from facilitating spam from their
> addresses?


I'm not sure how it 'facilitates spam' - it's very common, in fact.
Any site running qmail will do this by default, it deals with a
message per recipient and opens a new SMTP connection for each - which
can DoS a receiving server if it's not kept under control.

My next enhancement is to count invalid recipients across connections
from a single IP, and DNSBL the connecting IP once it reaches a
threshold.

Peter
--
Peter Bowyer
Email: peter@???
Tel: +44 1296 768003
VoIP: sip:peter@???
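
The cross-connection count described in the message above, sketched as an added example (it is not part of the original post and is not Exim code): rejected recipients are counted per connecting IP over a sliding window, so a sender that opens one connection per recipient is still caught. The log lines are constructed, modelled on Exim "rejected RCPT" main-log entries; the function name, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, modelled on Exim "rejected RCPT" main-log entries.
# Each rejection arrives on its own connection, so $rcpt_count never exceeds 1.
SAMPLE_LOG = """\
2005-06-27 10:00:01 H=mta1.example.net [192.0.2.10] F=<a@example.net> rejected RCPT <bogus1@example.com>: Unrouteable address
2005-06-27 10:00:02 H=mta1.example.net [192.0.2.10] F=<a@example.net> rejected RCPT <bogus2@example.com>: Unrouteable address
2005-06-27 10:00:03 H=other.example.org [198.51.100.7] F=<b@example.org> rejected RCPT <typo@example.com>: Unrouteable address
2005-06-27 10:00:04 H=mta1.example.net [192.0.2.10] F=<a@example.net> rejected RCPT <bogus3@example.com>: Unrouteable address
2005-06-27 11:30:00 H=other.example.org [198.51.100.7] F=<b@example.org> rejected RCPT <typo2@example.com>: Unrouteable address
"""

# timestamp, connecting IP in [brackets], rejected recipient
REJECT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\[([0-9a-fA-F.:]+)\] .*rejected RCPT <([^>]*)>")


def hosts_over_threshold(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: time the threshold was first reached} for hosts whose rejected
    recipients, summed across connections, reach `threshold` within `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of rejections still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        q = recent[ip]
        q.append(when)
        # Expire rejections older than the window so occasional typos never add up.
        while q and when - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = when  # candidate for a local blocklist entry
    return flagged


if __name__ == "__main__":
    for ip, when in hosts_over_threshold(SAMPLE_LOG).items():
        print(f"{ip} reached the invalid-recipient threshold at {when}")
```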