Matt Sealey wrote:
>
>
>
>>-----Original Message-----
>>From: exim-users-bounces@???
>>[mailto:exim-users-bounces@exim.org] On Behalf Of Michael Sprague
>>Sent: Monday, June 27, 2005 2:19 PM
>>To: exim-users@???
>>Subject: Re: [exim] exim allowed someone to slam my mail
>>server for 3 hours
>>
>>abc@??? wrote:
>>
>>>What happened here? I thought Exim is supposed to
>>>
>>>2005-06-26 07:25:44 H=(buzz) [200.101.127.102]
>>>F=<dwnj_meka_r_z_w@???> rejected RCPT
>>
>><madeye@???>:
>>
>>>host 200.101.127.102 is listed in brazil.blackholes.us
>>>2005-06-26 07:25:46 H=(buzz) [200.101.127.102]
>>>F=<dwnj_meka_r_z_w@???> rejected RCPT
>>
>><madeye@???>:
>>
>>>host 200.101.127.102 is listed in brazil.blackholes.us
>>>
>>
>>Sure. You can put something like this in your rcpt ACL:
>>
>>drop
>> condition = ${if > {${eval:$rcpt_fail_count}}{3}{true}{false}}
>> message = Too many failed recipients - count =
>>$rcpt_fail_count
>>
>>This will drop the connection after 3 bad rcpt to's are done.
>
>
> Right but they can just disconnect and reconnect to work around
> that.
>
> I don't see any evidence that these thousands of failures were
> one single unbroken connection. How would you fix up Exim to
> handle someone doing real reconnects, a new session each time?
It looks like that feature may be available v4.52. For now, you could
always setup firewall rules to block this guy and others like them.
M
--
Michael F. Sprague | mfs@???
Partner | System and Network Engineering (SaNE), Inc
use STD::disclaimer;
