Autor: Wakko Warner Datum: To: exim-users Betreff: [exim] Spammers and delays?
I've been toying with the idea of slowing down spammers. I tried this in my
exim.conf:
DELAY1=60s
DELAYCONN=10s
acl_smtp_auth = accept delay=DELAY1
acl_smtp_connect = accept delay=DELAYCONN
acl_smtp_data = accept delay=DELAY1
acl_smtp_helo = accept delay=DELAY1
acl_smtp_mail = accept delay=DELAY1
acl_smtp_mailauth = accept delay=DELAY1
acl_smtp_predata = accept delay=DELAY1
acl_smtp_quit = accept delay=DELAY1
acl_smtp_starttls = accept delay=DELAY1
acl_smtp_rcpt = accept delay=DELAY1
acl_smtp_etrn = accept delay=DELAY1
acl_smtp_expn = accept delay=DELAY1
acl_smtp_vrfy = accept delay=DELAY1
Before someone screems "OPEN RELAY" it's not. There's only 1 router and the
transport for that delivers to a file, it does not have the ability to send
email via the network in any form.
I've noticed that they don't seem to want to try to send mail through it.
A few entries in my log:
2005-09-29 20:56:23 SMTP connection from [141.156.179.19]:1332
I=[]:25 (TCP/IP connection count = 1)
2005-09-29 20:57:37 SMTP connection from
pool-141-156-179-19.esr.east.verizon.net [141.156.179.19]:1332
I=[]:25 lost
2005-09-29 21:32:48 SMTP connection from [219.133.174.149]:4686
I=[]:25 (TCP/IP connection count = 1)
2005-09-29 21:32:49 no host name found for IP address 219.133.174.149
2005-09-29 21:34:01 SMTP connection from (216.98.75.12)
[219.133.174.149]:4686 I=[]:25 lost
I have plenty others in the log (hundreds actually). The IP of the server
was removed to not expose the system. It has many IPs assigned to it and
none of them are the server I'm using for this message nor my backup server.
I didn't want the IPs listed as they would be searchable by goodle and other
engines and it could be ignored by the abusers (it's a honey pot actually)
Ok, with that out of the way, I had DELAY1 set to 49s and noticed that the
spammers would complete the message (Seems they are doing relay tests,
subject line is always BC_aaa.bbb.ccc.ddd where aaa.bbb.ccc.ddd is the local
IP)
What's the thoughts about doing this on a production system:
(Of course this will break call outs, can be adjusted to handle that
specifically)
On connect: delay 5-10 sec (not if you expect call outs)
HELO: delay 30 sec (same)
MAIL: delay 60 sec if the envelope sender is not NULL
RCPT: delay 60 sec if sender not NULL
DATA: delay 60 sec (pre and post) and if the sender IP has not hung up at
this point and did completely send the message, log the IP somewhere and
never delay this IP again (since it's now known to handle delays)
Just by looking at the logs on the abused machine, this seems like it would
work well. On the other hand, I had AOL blocked due to issues with my rDNS
(I know, but if I can't report abuse, I don't accept any form of connections
from the other end) and had I think 90s or higher delays and they would
continue to hammer the server until blocked at the IP level. I'd like to
know what the thoughts of others are on this. I'm only concerned about
MTA(or random spammer)->MTA transactions not MUA->MTA transactions.
If anyone would like to verify this machine is not an open relay, you may
contact me off list and I'll give you the IPs of the system. It's there to
take abuse but not to relay abuse.
--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???