Hi folks.
I asked this over on debian-user and got some response but
nothing specific. So I joined this list and perused its
archives. Interesting stuff but nothing close. Here
goes...
I've been using Exim since I started doing e-mail on my
Debian box many years ago. But I never was able to really
get into its configs- the docs are kind of hard to grok for
me. And the exim4 configs really make my brain hurt... I
can't tell where the settings are without doing a 'grep ptn
/etc/default/exim* /etc/exim4.config $(find /etc/exim4/.
-type f)' and even then I have trouble. Thank goodness
the dpkg reconfigure does a good job.
Anyhow, I've had a domain for a decade where my hosting svc
used to forward *all* e-mail to me, and spammers made up
usernames and passed them around. Ultimately the load
became too heavy for his servers and he wasn't inclined to
fix the config, so I pointed the MX to my DSL line and took
it in-house. Exim handles it very well.
Symptom: tons of "Unrouteable address" logs like this in
my /var/log/exim4/mainlog...
2005-11-22 12:34:53 H=adsl-63-195-120-242.dsl.snfc21.pacbell.net (thesitefights.com) [63.195.120.242] F=<connie.cisneros_qx@???> rejected RCPT <middleton@???>: Unrouteable address
iptables rule:
#reject for 40 seconds each time we get a smtp_penalty_box hit
iptables -A INPUT \
-m recent --name smtp_penalty_box --rcheck --seconds 40 \
-j DROP
commandline to detect offending IP addr (a bit delayed, sadly)
and put IP address on list for iptables rule to reject.
tail -f /var/log/exim4/mainlog \
|perl -e '
use strict;
use warnings;
use POSIX qw(strftime);
$| = 1;                       # flush each status line immediately
# Old ipt_recent interface: writing a bare address adds it to the list.
# (The renamed xt_recent module on newer kernels lives under
# /proc/net/xt_recent/ and expects "+address" instead.)
my $list = "/proc/net/ipt_recent/smtp_penalty_box";
while (<>)
{
  # pick the client IP out of the "[a.b.c.d]" field of a rejection line
  if(m{\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\].*Unrouteable address})
  {
    my $ip = $1;
    open(my $out, ">", $list) or do { warn "cannot open $list: $!\n"; next; };
    print $out "$ip\n";
    close($out);
    my $disptime=strftime("%m-%d %H:%M:%S",localtime time);
    print "$disptime: penalty $ip\n";
  }
}'
I also have been noticing that some IP addresses come in
with multiple connections with randomized HELO identities.
These are clearly spammers, if not denial of service
attackers, so I want to blacklist them longer, if not
permanently.
Symptom: eximon says...
703 handling incoming connection from (dbzgtlegacy.com) [219.129.109.10]
704 handling incoming connection from (guide55.every1.net) [219.129.109.10]
705 handling incoming connection from (free2.every1.net) [219.129.109.10]
706 handling incoming connection from (minitruckmail.com) [219.129.109.10]
707 handling incoming connection from (vegemail.com) [219.129.109.10]
708 handling incoming connection from (africansisters.com) [219.129.109.10]
709 handling incoming connection from (faza.ru) [219.129.109.10]
iptables rule:
# block any IP on this list till it's quiet for 600 seconds (ten minutes);
# --update refreshes the timestamp on every hit, so the clock restarts
iptables -A INPUT \
-m recent --name smtp_multiple_idents --update --seconds 600 \
-j DROP
put IP address on list that iptables sees...
# detect IPs that are claiming to be multiple domains and
# put them in the smtp_multiple_idents list
while /bin/true
do
  # snapshot exiwhat once and parse the saved copy; piping the file
  # through "tee" back into itself truncates it before cat has read it
  exiwhat \
  |tee ~/exiwhat.out && \
  for ip in $( \
    perl -e '
    use strict;
    while(<>)
    {
      # "(helo-name) [a.b.c.d]"  ->  "a.b.c.d helo-name"
      if(m{\(([^()]+)\) \[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]})
      {
        print "$2 $1\n"
      }
    }' ~/exiwhat.out \
    | sort | uniq | cut -d' ' -f1 | uniq -c \
    | perl -ne 'if(m{^[ \t]+([0-9]+)[ \t]+([^ \t].*)}&&$1>1){print "$2\n"}'
  )
  do
    # distinct (ip, helo) pairs were counted per ip; >1 means several HELO names
    echo "$ip" > /proc/net/ipt_recent/smtp_multiple_idents
    echo "multiple identities- $ip"
  done
  date
  sleep 15
done
My real question is: how can I trigger the commandline
checks above from within exim?
Best regards,
Tony
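As an added example (not code from the post above), here are the two detections rewritten as POSIX shell functions that read exim mainlog lines and exiwhat output from stdin, so the parsing can be checked against sample lines before it is wired to tail -f or a polling loop. It generalises the first check slightly with a minimum-hit threshold, since a legitimate MTA delivering one mistyped recipient also produces an "Unrouteable address" rejection. The log lines and the 192.0.2.x / 198.51.100.x addresses are constructed, and the penalize helper assumes the xt_recent interface of current kernels (/proc/net/xt_recent/<list>, written as "+address") rather than the older ipt_recent path used in the post.

```shell
#!/bin/sh
# Constructed sample input (not real traffic): two exim mainlog rejections
# from one client plus an unrelated delivery line.
SAMPLE_MAINLOG='2005-11-22 12:34:53 H=host.example.net (helo.example) [192.0.2.10] F=<a@example.net> rejected RCPT <nobody@example.org>: Unrouteable address
2005-11-22 12:34:54 <= sender@example.com H=mail.example.com [192.0.2.20] P=esmtp S=1234
2005-11-22 12:35:01 H=host.example.net (helo.example) [192.0.2.10] F=<b@example.net> rejected RCPT <xyz@example.org>: Unrouteable address'

# Constructed exiwhat-style listing: one IP with three HELO names, one with one.
SAMPLE_EXIWHAT='703 handling incoming connection from (one.example) [198.51.100.5]
704 handling incoming connection from (two.example) [198.51.100.5]
705 handling incoming connection from (three.example) [198.51.100.5]
706 handling incoming connection from (same.example) [198.51.100.9]
707 handling incoming connection from (same.example) [198.51.100.9]
708 daemon: -q30m, listening for SMTP on port 25 (IPv4)'

# unroutable_ips [MIN]: print each client IP rejected with "Unrouteable address"
# at least MIN times (default 1). The IP is the first "[a.b.c.d]" field.
unroutable_ips() {
    min=${1:-1}
    awk -v min="$min" '
        /rejected RCPT .*Unrouteable address/ {
            if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 2)   # strip the brackets
                count[ip]++
            }
        }
        END { for (ip in count) if (count[ip] >= min) print ip }
    ' | sort
}

# multi_helo_ips: print each IP that appears with more than one distinct HELO
# name in exiwhat output. Pairs are de-duplicated so repeated connections with
# the same name do not count.
multi_helo_ips() {
    awk '
        match($0, /\([^()]+\) \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/) {
            pair = substr($0, RSTART, RLENGTH)     # "(helo) [a.b.c.d]"
            helo = pair; sub(/^\(/, "", helo); sub(/\).*$/, "", helo)
            ip = pair;   sub(/^.*\[/, "", ip);   sub(/\]$/, "", ip)
            if (!seen[ip, helo]++) names[ip]++
        }
        END { for (ip in names) if (names[ip] > 1) print ip }
    ' | sort
}

# penalize LIST [DIR]: add each IP read from stdin to the recent(8) list LIST.
# Assumes the xt_recent proc interface ("+addr" adds, "-addr" removes); the
# list file only exists once an iptables rule naming it has been loaded.
penalize() {
    list=$1
    dir=${2:-/proc/net/xt_recent}
    [ -w "$dir/$list" ] || {
        echo "recent list $dir/$list is not writable (rule not loaded, or not root?)" >&2
        return 1
    }
    while read -r ip; do
        echo "+$ip" > "$dir/$list"
    done
}

# Stand-alone demonstration over the constructed samples (no firewall changes).
echo "clients with >=2 unrouteable rejections:"
printf '%s\n' "$SAMPLE_MAINLOG" | unroutable_ips 2
echo "clients using several HELO names:"
printf '%s\n' "$SAMPLE_EXIWHAT" | multi_helo_ips
```

In production the two detectors would be fed by `tail -f /var/log/exim4/mainlog` and by `exiwhat` in a loop, and their output piped into `penalize smtp_penalty_box` and `penalize smtp_multiple_idents`; passing a scratch directory as the second argument lets the write path be tested without touching the kernel.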