Tom Kistner wrote:
> I do this via a script I called "timeban". It's universal so it can be
> used for other blocking purposes as well. Handles management of a
> blocking chain. Can also manage counters per-IP so you can block IPs
> after multiple infractions ... useful for SSH dictionary "attacks" too.
OK, here's the script:
http://duncanthrax.net/timeban/timeban
Docs and config are integrated in the script itself.
To use this thing in Exim, create a macro like:
IPT_TEMP_BLACKHOLE = ${run {/usr/local/bin/timeban add \
$sender_host_address}{1}{1}}
(Note: this is an instant ban - read the timeban docs!)
There may be a problem in that the Exim user can't add iptables rules.
In this case you should set up a sudo rule for /usr/local/bin/timeban.
Use the macro in appropriate positions (it always expands to '1'):
Example 1 (DATA ACL):

  drop  message   = Spam detected ($spam_score)
        condition = ${if <{$message_size}{500k}}
        spam      = nobody
        condition = IPT_TEMP_BLACKHOLE

Example 2 (RCPT ACL):

  drop  message        = Blacklisted sender domain
        sender_domains = +envelope_domain_blacklist
        condition      = IPT_TEMP_BLACKHOLE

  drop  message   = $sender_host_address blacklisted at $dnslist_domain
        dnslists  = list.dsbl.org:sbl-xbl.spamhaus.org
        condition = IPT_TEMP_BLACKHOLE
If you want to use this outside of Exim, I have written a small
log-surfing script that can call timeban on log events. It's
undocumented FTTB, but you'll get the idea when you look at it:
http://duncanthrax.net/timeban/logexec
I wanted to add this to the Wiki as well but can't figure out how to add
a page (can't edit the front page ... hmmm :)
/tom
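The following is an added example of what a "timeban"-style helper looks like, written from scratch for this page; it is not the timeban script from duncanthrax.net and does not reproduce its commands, options or docs. It assumes a dedicated chain named TIMEBAN that INPUT jumps to, a state directory (default /var/lib/timeban) holding per-IP infraction counters and ban expiry times, the subcommands "add", "strike", "expire" and "list", and an IPTABLES variable so the binary can be swapped for a dry-run logger. The address check matters when the MTA is the caller: only a plain IPv4 dotted quad is accepted, so nothing passed in through $sender_host_address can turn into extra iptables arguments.

```shell
#!/bin/sh
# Temporary-ban chain manager (constructed example, not the original timeban).
# One-time setup as root:  iptables -N TIMEBAN && iptables -I INPUT -j TIMEBAN
# Run "timeban expire" from cron so bans actually lapse.

TIMEBAN_CHAIN="${TIMEBAN_CHAIN:-TIMEBAN}"        # assumed chain name
TIMEBAN_STATE="${TIMEBAN_STATE:-/var/lib/timeban}" # assumed state directory
TIMEBAN_THRESHOLD="${TIMEBAN_THRESHOLD:-3}"      # strikes before a ban
TIMEBAN_TTL="${TIMEBAN_TTL:-3600}"               # ban length in seconds
IPTABLES="${IPTABLES:-iptables}"                 # override for dry runs

tb_ipt() { $IPTABLES "$@"; }
tb_now() { date +%s; }

# Accept only a well-formed IPv4 dotted quad; reject anything else before it
# reaches iptables, since the caller may be handing us untrusted input.
tb_valid_ip() {
  case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Instant ban: insert a DROP rule (once) and record when it expires.
tb_add() {
  tb_valid_ip "$1" || { echo "timeban: bad address '$1'" >&2; return 1; }
  mkdir -p "$TIMEBAN_STATE/bans" "$TIMEBAN_STATE/counters"
  if [ ! -f "$TIMEBAN_STATE/bans/$1" ]; then
    tb_ipt -I "$TIMEBAN_CHAIN" -s "$1" -j DROP || return 1
  fi
  # A repeat ban just pushes the expiry out; the rule is not duplicated.
  echo $(( $(tb_now) + TIMEBAN_TTL )) > "$TIMEBAN_STATE/bans/$1"
  rm -f "$TIMEBAN_STATE/counters/$1"
}

# Count an infraction; ban when the threshold is reached. Prints "counted n/N"
# or "banned" so a caller (or log) can tell the two apart.
tb_strike() {
  tb_valid_ip "$1" || { echo "timeban: bad address '$1'" >&2; return 1; }
  mkdir -p "$TIMEBAN_STATE/counters"
  n=$(cat "$TIMEBAN_STATE/counters/$1" 2>/dev/null || echo 0)
  n=$((n + 1))
  if [ "$n" -ge "$TIMEBAN_THRESHOLD" ]; then
    tb_add "$1" && echo banned
  else
    echo "$n" > "$TIMEBAN_STATE/counters/$1"
    echo "counted $n/$TIMEBAN_THRESHOLD"
  fi
}

tb_is_banned() { [ -f "$TIMEBAN_STATE/bans/$1" ]; }

# Remove rules whose expiry time has passed (meant to run from cron).
tb_expire() {
  now=$(tb_now)
  for f in "$TIMEBAN_STATE"/bans/*; do
    [ -f "$f" ] || continue
    ip=${f##*/}
    exp=$(cat "$f")
    if [ "$now" -ge "$exp" ]; then
      tb_ipt -D "$TIMEBAN_CHAIN" -s "$ip" -j DROP && rm -f "$f"
    fi
  done
}

# Command dispatch; with no arguments the file only defines functions.
case "${1:-}" in
  add)    tb_add "$2" ;;
  strike) tb_strike "$2" ;;
  expire) tb_expire ;;
  list)   ls "$TIMEBAN_STATE/bans" 2>/dev/null ;;
  "")     : ;;
  *)      echo "usage: $0 add IP | strike IP | expire | list" >&2; exit 1 ;;
esac
```

With this layout an Exim macro that counts rather than bans outright would call "strike" instead of "add", wrapped in sudo if the Exim user is not allowed to change the firewall; the sudoers entry should name the script path and nothing broader, since the script is what validates its argument.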