Re: [exim] slowing spammers with iptables -m recent

Author: Haakon Eriksen
Date:  
To: Exim users list
New-Topics: SOLVED Re: [exim] slowing spammers with iptables -m recent
Subject: Re: [exim] slowing spammers with iptables -m recent
Tony Godshall <togo@???> writes:

> Hi folks.
>
> Symptom: tons of "Unroutable address" logs like this in
> my /var/log/exim4/mainlog...
>
> 2005-11-22 12:34:53 H=adsl-63-195-120-242.dsl.snfc21.pacbell.net
> (thesitefights.com) [63.195.120.242]
> F=<connie.cisneros_qx@???> rejected RCPT
> <middleton@???>: Unrouteable address
>
>   #reject for 40 seconds each time we get a smtp_penalty_box hit
>   iptables -A INPUT \
>     -m recent --name smtp_penalty_box --rcheck --seconds 40 \
>     -j DROP



We do something not entirely unlike this with an ACL.

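# Stall unauthenticated senders (acl_c2 unset) once more than 5 RCPT
# commands have been seen and fewer than half of them were accepted.
defer condition = ${if and {{! def:acl_c2} \
                            {> {$rcpt_count} {5}} \
                            {< {$recipients_count} {${eval:$rcpt_count/2}}} \
                           } {yes} {no}}
      log_message = Excessive invalid addresses
      delay       = 45s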


The variable acl_c2 is set when the user is authenticated.

If you're starved for resources you might not want to do this since
you might be holding on to a lot of connections from spammers. We
haven't found this to be much of a problem, however, since I suspect
that a lot of spammers break the connection when they're not allowed
to send mail at the rate they want.

I think this is a neat trick, but I can't take credit for it. Kjetil
Homme is the one that came up with it.

-- 
 Haakon Eriksen          [ h.g.eriksen@??? ]
 Center for Information Technology Services,
 University of Oslo
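
Added example (not part of the original message, and not Exim code): a small Python model of the ACL condition above, replaying constructed RCPT sequences to show when the 45s delay starts and that, once it starts, it stays on for the rest of the message. It assumes $rcpt_count already includes the current RCPT command, $recipients_count holds only recipients accepted so far, and the defer statement runs before any routing check; the function names are illustrative.

```python
DELAY_SECONDS = 45       # delay = 45s in the ACL
MIN_RCPT_COMMANDS = 5    # {> {$rcpt_count} {5}}


def penalty_applies(authenticated, rcpt_count, recipients_count):
    """Mirror the ${if and {...}} test from the ACL."""
    return (not authenticated                         # ! def:acl_c2
            and rcpt_count > MIN_RCPT_COMMANDS
            # ${eval:...} does integer arithmetic, so 7/2 is 3
            and recipients_count < rcpt_count // 2)


def simulate(rcpt_valid, authenticated=False):
    """Replay the RCPT commands of one message.

    rcpt_valid: list of booleans, True if the address is routeable.
    Assumptions (see lead-in): rcpt_count includes the current command,
    only accepted recipients are counted, defer runs before routing.
    Returns (accepted, rejected, deferred, total_delay_seconds).
    """
    accepted = rejected = deferred = 0
    for rcpt_count, valid in enumerate(rcpt_valid, start=1):
        if penalty_applies(authenticated, rcpt_count, accepted):
            deferred += 1    # 45s stall, then a temporary error
        elif valid:
            accepted += 1
        else:
            rejected += 1    # logged as "Unrouteable address"
    return accepted, rejected, deferred, deferred * DELAY_SECONDS


if __name__ == "__main__":
    # Constructed sessions, not taken from any real log.
    sessions = {
        "20 invalid addresses": [False] * 20,
        "10 recipients, 1 typo": [True, True, False] + [True] * 7,
        "6 invalid, then 4 valid": [False] * 6 + [True] * 4,
    }
    for name, rcpts in sessions.items():
        acc, rej, dfr, secs = simulate(rcpts)
        print(f"{name}: accepted={acc} rejected={rej} "
              f"deferred={dfr} delay={secs}s")
```

In the third session the valid addresses are deferred too: a deferred RCPT is never accepted, so the accepted count stays frozen while the RCPT count keeps growing, and the condition remains true until the message is reset.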