RE: [exim] Spammer tactics

Author: Herb Martin
Date:  
To: exim-users
Subject: RE: [exim] Spammer tactics
> Zombie hosts are avoiding our per-host connection limits and
> dictionary attack checks by simply disconnecting as soon as
> they get a DENY, then immediately reconnecting and trying to
> send the same message again. They do this around ten times in
> a row before giving up.
>
> Anyone have any ideas how to combat this?


I am taking some naive steps to stop this,
partially manual so it isn't perfect, but this
is to avoid false positives locking out legitimate
email.

With a trivial perl script I parse the reject log
for rejects, count and sort on number of rejects per
host, do an nslookup on those above a threshold
(currently 3 but I have a small system.)

[If you reverse all of the addresses when checking
a large log then it takes too long to get answers.]

Then I am adding all such (manually approved) addresses
to the filter/block address file using this code, but the
bad news is this doesn't seem to be working (i.e., it
isn't giving me "IP ADDRESS Blacklisted" hits in the
reject log).

deny    message        = IP $host_data Blacklisted
        !authenticated = *
        hosts          = net-lsearch;/etc/exim.acl


Once I get this fully working, automating the
addition to the block list file is my intention -
perhaps with cross-checking against public DNSBLs
or dynamic IP address appearance. (I do not block
STRICTLY on address patterns OR strictly on any
DNSBLs, but rather use them as part of my SpamAssassin
scores to mark spam.)

I would also love to see ideas that others use to
accomplish this task.

--
Herb Martin
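The procedure described in the message above (parse the reject log, count rejects per connecting host, apply a threshold, append survivors to the net-lsearch file) as an added example. This is not Herb Martin's Perl script or any exim-users code; it is a Python rewrite with three things a practitioner would want on top of a raw count: an allowlist of networks that are never listed (the false-positive concern), a check against addresses already present in /etc/exim.acl so repeated runs do not duplicate entries, and output in the "key: data" form an lsearch file expects, with the address repeated in the data so that $host_data in the deny message actually shows it. The log lines and the existing blocklist file are constructed sample data; the hostname, addresses and the "rejected" substring filter are assumptions about what the rejectlog carries, not taken from the message. The nslookup and manual-approval steps are deliberately left out so the script runs offline, and IPv6 keys are skipped because colons in an lsearch key have to be quoted.

```python
"""Count Exim reject-log entries per client IP and emit net-lsearch entries.

Added example, not the original poster's script.  Constructed sample data;
the real inputs would be /var/spool/exim/log/rejectlog and /etc/exim.acl.
"""
import ipaddress
import re
from collections import Counter

# Exim logs the client address in square brackets after "H=".  A hostname
# and/or HELO name may precede the brackets, so match lazily up to them.
HOST_RE = re.compile(r"\bH=.*?\[([0-9a-fA-F.:]+)\]")

# Constructed rejectlog excerpt (not a real log).  192.0.2.10 is the
# reconnecting zombie, 10.0.0.9 is an internal host, 203.0.113.5 is already
# listed, 198.51.100.7 stays under the threshold.
SAMPLE_REJECTLOG = """\
2004-03-12 10:15:01 H=(mail) [192.0.2.10] F=<x@example.com> rejected RCPT <aaa@example.org>: Unrouteable address
2004-03-12 10:15:03 H=(mail) [192.0.2.10] F=<x@example.com> rejected RCPT <bbb@example.org>: Unrouteable address
2004-03-12 10:15:05 H=(mail) [192.0.2.10] F=<x@example.com> rejected RCPT <ccc@example.org>: Unrouteable address
2004-03-12 10:15:06 H=(mail) [192.0.2.10] F=<x@example.com> rejected RCPT <ddd@example.org>: Unrouteable address
2004-03-12 10:15:07 H=(mail) [192.0.2.10] rejected connection: too many connections from this host
2004-03-12 10:16:40 H=host.example.net (hi) [198.51.100.7] F=<y@example.net> rejected RCPT <eee@example.org>: relay not permitted
2004-03-12 10:17:12 H=host.example.net (hi) [198.51.100.7] F=<y@example.net> rejected RCPT <fff@example.org>: relay not permitted
2004-03-12 10:18:00 H=[203.0.113.5] F=<z@example.com> rejected RCPT <ggg@example.org>: Unrouteable address
2004-03-12 10:18:01 H=[203.0.113.5] F=<z@example.com> rejected RCPT <hhh@example.org>: Unrouteable address
2004-03-12 10:18:02 H=[203.0.113.5] F=<z@example.com> rejected RCPT <iii@example.org>: Unrouteable address
2004-03-12 10:19:00 H=[10.0.0.9] F=<a@example.org> rejected RCPT <jjj@example.org>: Unrouteable address
2004-03-12 10:19:01 H=[10.0.0.9] F=<a@example.org> rejected RCPT <kkk@example.org>: Unrouteable address
2004-03-12 10:19:02 H=[10.0.0.9] F=<a@example.org> rejected RCPT <lll@example.org>: Unrouteable address
2004-03-12 10:20:00 SMTP connection from [192.0.2.99] lost while reading message data
"""

# Constructed contents of the net-lsearch file the deny statement reads.
EXISTING_ACL_FILE = """\
# /etc/exim.acl - constructed example of a net-lsearch blocklist
203.0.113.5: 203.0.113.5 (listed 2004-03-11)
"""


def extract_ip(line):
    """Return the client IPv4 address (as a string) from a log line, or None."""
    m = HOST_RE.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    # IPv6 keys contain colons and would need quoting in an lsearch file;
    # this example keeps to IPv4.
    return str(ip) if isinstance(ip, ipaddress.IPv4Address) else None


def count_rejects(lines):
    """Count lines containing ' rejected ' per client IP."""
    counts = Counter()
    for line in lines:
        if " rejected " not in line:
            continue
        ip = extract_ip(line)
        if ip is not None:
            counts[ip] += 1
    return counts


def existing_keys(lsearch_text):
    """Keys already in an lsearch file: text before the first colon or blank,
    skipping blank lines and # comments."""
    keys = set()
    for raw in lsearch_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keys.add(re.split(r"[:\s]", line, maxsplit=1)[0])
    return keys


def blocklist_candidates(counts, threshold, allowlist=(), already_listed=()):
    """Addresses with at least `threshold` rejects, most-rejected first,
    excluding allowlisted networks and addresses already in the file."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    listed = set(already_listed)
    ordered = sorted(counts.items(),
                     key=lambda kv: (-kv[1], ipaddress.ip_address(kv[0])))
    out = []
    for ip, n in ordered:
        if n < threshold or ip in listed:
            continue
        if any(ipaddress.ip_address(ip) in net for net in nets):
            continue
        out.append((ip, n))
    return out


def lsearch_lines(candidates):
    """Render candidates as 'key: data' lines.  The address is repeated in
    the data so the ACL's $host_data expands to something readable."""
    return [f"{ip}: {ip} ({n} rejects)" for ip, n in candidates]


if __name__ == "__main__":
    counts = count_rejects(SAMPLE_REJECTLOG.splitlines())
    cands = blocklist_candidates(counts, threshold=3,
                                 allowlist=["10.0.0.0/8"],
                                 already_listed=existing_keys(EXISTING_ACL_FILE))
    print("\n".join(lsearch_lines(cands)))
```

With the sample data only 192.0.2.10 survives: 10.0.0.9 is allowlisted, 203.0.113.5 is already in the file, and 198.51.100.7 has two rejects against a threshold of three. The output lines are meant to be appended to the file the `hosts = net-lsearch;/etc/exim.acl` condition reads; one check worth making when such a deny appears never to fire is that it is placed before any `accept` in the same ACL that the host could match, since Exim stops at the first verb whose conditions are all true.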