Re: [exim] Must be a worm attack...

Pàgina inicial
Aquest missatge és part del següent fil:
Ml'arbre de fils complet ordenat per data
MMMarten Lehmann en <-
MDennis Davis en ->
Delete this message
Reply to this message
Autor: John Burnham
Data:  
A: Marten Lehmann, exim-users
Assumpte: Re: [exim] Must be a worm attack...
> At this time we are getting a tremendous amount of
> connections from completely different ip-addresses that try
> to send emails to recipients, that don't exist on our
> mailserver. Greylisting wouldn't help, because these
> worms/bots/whatever open several connections. I'm trying to
> put all hosts that stand out into a block lists, but that
> seems to be an infinite work.
>
> Has someone configured something like "block all hosts for x
> minutes that try to send emails to more than y not existing
> recipients" with exim?
>
Well, a starting point might be to have your acls insert the sender's IP address
into a database table if $rcpt_fail_count goes over a certain value. You can
then use that table to block those IP addresses. How you would remove them after
a certain time is left as an exercise for the reader - but would probably
involve inserting a timestamp along with the IP address and having a cron job or
similar delete rows with a timestamp over a certain age.
John


Aquest missatge es va enviar a les següents llistes de correu:
Exim-users
Informació sobre la llista de correu | Missatges propers		<-Re: [exim] return path set in transport, but it doesnt workRe: [exim] return path set in transport, but it doesnt work->
Tahini and Hummus and Cumin Development Archives administrat per cumin AdminsLurker (versió 2.3)