Re: [exim] exim allowed someone to slam my mail server for 3…

Author: Michael F. Sprague
Date:  
To: exim-users
Subject: Re: [exim] exim allowed someone to slam my mail server for 3 hours
Matt Sealey wrote:
>
>
>
>>-----Original Message-----
>>From: exim-users-bounces@???
>>[mailto:exim-users-bounces@exim.org] On Behalf Of Michael Sprague
>>Sent: Monday, June 27, 2005 2:19 PM
>>To: exim-users@???
>>Subject: Re: [exim] exim allowed someone to slam my mail
>>server for 3 hours
>>
>>abc@??? wrote:
>>
>>>What happened here? I thought Exim is supposed to
>>>
>>>2005-06-26 07:25:44 H=(buzz) [200.101.127.102]
>>>F=<dwnj_meka_r_z_w@???> rejected RCPT <madeye@???>:
>>>host 200.101.127.102 is listed in brazil.blackholes.us
>>>2005-06-26 07:25:46 H=(buzz) [200.101.127.102]
>>>F=<dwnj_meka_r_z_w@???> rejected RCPT <madeye@???>:
>>>host 200.101.127.102 is listed in brazil.blackholes.us
>>>
>>
>>Sure. You can put something like this in your rcpt ACL:
>>
>>drop
>>   condition      = ${if > {${eval:$rcpt_fail_count}}{3}{true}{false}}
>>   message        = Too many failed recipients - count = $rcpt_fail_count
>>
>>This will drop the connection after 3 bad rcpt to's are done.
>
>
> Right but they can just disconnect and reconnect to work around
> that.
>
> I don't see any evidence that these thousands of failures were
> one single unbroken connection. How would you fix up Exim to
> handle someone doing real reconnects, a new session each time?


It looks like that feature may be available in v4.52. For now, you could
always set up firewall rules to block this guy and others like them.

M




-- 
Michael F. Sprague   |  mfs@???
Partner              |  System and Network Engineering (SaNE), Inc
use STD::disclaimer;