Re: [exim] Emergency help! How can I stop this attack?

Author: Fred Viles
Date:  
To: exim-users
Subject: Re: [exim] Emergency help! How can I stop this attack?
On 20 Jan 2006 at 13:25, Gururajan Ramachandran wrote about
    "[exim] Emergency help! How can I st":


| 2006-01-20 16:18:33 no IP address found for host
| some.host.biz (during SMTP connection from
| (com529.venusdrive.com) [66.63.184.34])


What does "dig -x 66.63.184.34" show you, when run on the same
machine as your exim server?

It should show that there is no PTR record. If it shows that there
is a PTR record with "some.host.biz" (what is the point of this
obfuscation?), fix your DNS server.

| How can I stop this please?


Stop what? You can refuse connections from abusive netblocks in your
acl_smtp_connect ACL. To avoid logging unsuccessful reverse DNS
lookups, "log_selector = -host_lookup_failed". To avoid doing
reverse DNS lookups in the first place, RTFM $sender_host_name.

| How can they cause a
| lookup for com529.venusdrive.com but the message is
| "no IP address found for host some.host.biz"?


In most cases, exim does a "reverse lookup" (PTR record) of the
connecting IP address, then does a "forward lookup" (A record) on the
resulting names (if it gets any) to make sure at least one of them
matches the original IP.

If the second lookup fails, that is the connecting IP address has a
PTR name that does not in turn own an A record with the same IP, you
get this log message. For the IP you show, you shouldn't be getting
it because there is no PTR record. You should be getting something
like "No hostname found for IP address ...".

The name the connecting host HELOs with (com529.venusdrive.com in
your example) isn't involved.

| I had turned off "!sender = verify" in the RCPT acls a
| few years ago.


WHY?

| Would turning that back on solve the
| problem.


It will be a cheap way to reject a lot of spam, but it probably won't
affect the log lines you are seeing. It will do so only if the
hostname lookup is triggered only by something later in your ACLs.

| It seems to be swamping the system and
| causing memory problems.


Maybe, but I doubt it. What makes you think so?

- Fred
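The two-step check Fred describes (reverse PTR lookup of the connecting IP, then a forward A lookup of each returned name, looking for one that contains the original IP) is what distinguishes the two log messages in the thread. The following is an added Python example, not code from the thread or from exim: it models that check in simplified form against a constructed in-memory resolver instead of real DNS, so it runs offline. 66.63.184.34 is the address from the quoted log line; the 192.0.2.x addresses, "mail.example.net" and the A record for "some.host.biz" are made up for the example, and the log wording is an approximation of the messages quoted above, not exim's exact format.

```python
"""Simplified model of exim's host-name verification on a connecting IP.

Added example (not exim code). DNS is replaced by two dicts so the script
runs offline; real exim also handles temporary lookup failures, CNAMEs and
IPv6, which this model leaves out.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS data for the example.
PTR_RECORDS: Dict[str, List[str]] = {
    "66.63.184.34": [],                    # no PTR at all (the case in the thread)
    "192.0.2.10": ["some.host.biz"],       # PTR exists but its A record points elsewhere
    "192.0.2.20": ["mail.example.net"],    # PTR and A agree
}
A_RECORDS: Dict[str, List[str]] = {
    "some.host.biz": ["192.0.2.99"],       # does not contain 192.0.2.10
    "mail.example.net": ["192.0.2.20"],
}

Resolver = Callable[[str], List[str]]


def lookup_ptr(ip: str) -> List[str]:
    """Stand-in for a PTR query: names owned by the reverse record, or []."""
    return PTR_RECORDS.get(ip, [])


def lookup_a(name: str) -> List[str]:
    """Stand-in for an A query: addresses the name resolves to, or []."""
    return A_RECORDS.get(name, [])


def verify_host_name(ip: str, ptr: Resolver = lookup_ptr,
                     a: Resolver = lookup_a) -> Tuple[str, Optional[str]]:
    """Forward-confirmed reverse DNS, as described in the reply.

    Returns (outcome, name) where outcome is one of
      "no_ptr"       reverse lookup returned nothing
      "unconfirmed"  a PTR name exists, but no A record of any name holds ip
      "verified"     at least one PTR name resolves forward to ip
    """
    names = ptr(ip)
    if not names:
        return ("no_ptr", None)
    for name in names:
        if ip in a(name):
            return ("verified", name)
    # Report the first unconfirmed name, which is what ends up in the log.
    return ("unconfirmed", names[0])


def log_line(ip: str, helo: str) -> str:
    """Render the outcome in the style of the messages quoted in the thread.

    Note the HELO name is shown but plays no part in the decision; only the
    PTR/A agreement does.
    """
    outcome, name = verify_host_name(ip)
    where = f"(during SMTP connection from ({helo}) [{ip}])"
    if outcome == "no_ptr":
        return f"No hostname found for IP address {ip} {where}"
    if outcome == "unconfirmed":
        return f"no IP address found for host {name} {where}"
    return f"verified hostname {name} {where}"


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(log_line(ip, "com529.venusdrive.com"))
```

Running the script prints one line per constructed address; the quoted IP falls into the "no_ptr" branch, which is why Fred expects the "No hostname found" message rather than the one in the original report.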