[exim] Check for rcpt_fail_count not working all the time?

Author: srunschke
Date:  
To: exim-users
Subject: [exim] Check for rcpt_fail_count not working all the time?
Hi,

with the current mass-spamming of Sober.AG I noticed in the logs that we
get tons of mails with wrong recipients which get denied. But actually I
added a rule for dropping connections with too many false recipients
a long time ago and now I noticed that it does not seem to work correctly.
I can't find the reason for it not working though.

When using exim -bhc for testing, the connection gets dropped
at the fifth wrong recipient - while exim claims it's the fourth...
*cough* ;)
This is done by doing a repeated "rcpt to: abc@???" at the
prompt. Does the virus use another way of addressing multiple
accounts and does exim not recognize that? And does exim "forget"
to take the first wrong recipient into account?

Our exim servers are running as in- and outgoing relay for our outer
notes cluster, which then routes the mails further inside, hence I'm
doing a full callout on incoming mail, so non-existent addresses get
blocked at the relays. Even though all messages get blocked due
to non-existent addresses, they still produce countless lines of
log output which I would like to get rid of with dropping the connection
after 3 wrong recipients.

relay_to_domains contains all domains we are hosting and get
relayed inside via a notes cluster.

These are the check_rcpt acls:

  accept  hosts         = :

  deny    message       = This email address is an automated process and not read. Please use abuse\\at\\abit.de if you need to contact the technical staff about a problem.
          domains       = +relay_to_domains
          local_parts   = valert


  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]


  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./


  accept  local_parts   = postmaster
          domains       = +local_domains : +relay_to_domains


# Deny unless the sender address can be verified.

  require verify        = sender


  accept  domains       = +local_domains
          endpass
          verify        = recipient


  drop    message     = REJECTED - Too many failed recipients - count = $rcpt_fail_count
          domains     = +relay_to_domains
          log_message = REJECTED - Too many failed recipients - count = $rcpt_fail_count
          condition   = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
          !verify     = recipient/callout=2m,defer_ok,use_sender


  deny    message   = REJECTED - Recipient Verify Failed - User Not Found
          domains   = +relay_to_domains
          !verify   = recipient/callout=2m,defer_ok,use_sender


  accept  domains       = +relay_to_domains
          endpass


  accept  hosts         = +relay_from_hosts


  accept  authenticated = *

  deny    message       = relay not permitted



Any help would be appreciated.

regards
        sash


--------------------------------------------------
Sascha Runschke
Network Administration
IT-Services

ABIT AG
Robert-Bosch-Str. 1
40668 Meerbusch

Tel.:+49 (0) 2150.9153.226
Mobil:+49 (0) 173.5419665
mailto:SRunschke@abit.de

http://www.abit.net
http://www.abit-epos.net
---------------------------------
Security note regarding email communication:
http://www.abit.net/sicherheitshinweis.html
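
The counting seen in the -bhc test above, as an added example that is not part of the original post and is not Exim code: a small Python model of the posted drop/deny pair. It assumes, as the Exim specification describes $rcpt_fail_count, that the variable holds the number of RCPT commands already rejected for the current message, so the RCPT being evaluated is not yet counted and a new MAIL FROM starts again at zero. The Session class, the function names and the sample local parts are constructed for illustration.

```python
from dataclasses import dataclass

VALID = {"postmaster"}   # constructed: the only local part the callout accepts
THRESHOLD = 3            # from the posted condition: $rcpt_fail_count > 3


@dataclass
class Session:
    threshold: int = THRESHOLD
    rcpt_fail_count: int = 0   # assumed: rejected RCPTs so far in this message
    dropped: bool = False

    def mail_from(self):
        """A new MAIL FROM starts a new message; the per-message counter resets."""
        self.rcpt_fail_count = 0

    def rcpt_to(self, local_part):
        """Model the posted drop statement followed by the deny statement."""
        if self.dropped:
            raise RuntimeError("connection already dropped")
        if local_part in VALID:
            return "accept"
        # The ACL runs before the current RCPT has been counted as failed.
        if self.rcpt_fail_count > self.threshold:
            self.dropped = True
            return f"drop count={self.rcpt_fail_count}"
        self.rcpt_fail_count += 1   # counted only after the deny
        return "deny"


def bad_rcpts_until_drop(threshold=THRESHOLD, limit=50):
    """Return (which bad RCPT triggers the drop, count shown in the message)."""
    s = Session(threshold)
    s.mail_from()
    for n in range(1, limit + 1):
        if s.rcpt_to(f"abc{n}").startswith("drop"):
            return n, s.rcpt_fail_count
    return None


def one_bad_rcpt_per_message(messages=20):
    """One wrong recipient per MAIL FROM on one connection: is it ever dropped?"""
    s = Session()
    for n in range(messages):
        s.mail_from()
        s.rcpt_to(f"abc{n}")
    return s.dropped
```

In this model the posted threshold drops on the fifth wrong recipient while reporting count = 4, and a sender that names only one wrong recipient per message never reaches the threshold, so each rejection is still logged.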