Author: John Burnham Date: To: Marten Lehmann, exim-users Subject: Re: [exim] Must be a worm attack...
> At this time we are getting a tremendous amount of
> connections from completely different ip-addresses that try
> to send emails to recipients, that don't exist on our
> mailserver. Greylisting wouldn't help, because these
> worms/bots/whatever open several connections. I'm trying to
> put all hosts that stand out into a block list, but that
> seems to be an infinite work.
>
> Has someone configured something like "block all hosts for x
> minutes that try to send emails to more than y not existing
> recipients" with exim?
Well, a starting point might be to have your ACLs insert the sender's IP address
into a database table if $rcpt_fail_count goes over a certain value. You can
then use that table to block those IP addresses. How you would remove them after
a certain time is left as an exercise for the reader - but would probably
involve inserting a timestamp along with the IP address and having a cron job or
similar delete rows with a timestamp over a certain age.
John
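The table-based block list John sketches (list an IP once its failed-recipient count passes a threshold, store a timestamp beside it, refuse the host while the timestamp is fresh, and let a periodic job delete stale rows) as a small worked example. This is added code, not anything from the thread or from Exim itself; it assumes the mail server hands the values Exim exposes as $sender_host_address and $rcpt_fail_count to `record_failures`, consults `is_blocked` at connect time, and runs `expire_old_entries` from cron. The threshold, block window, table name and IP addresses are all constructed for the example.

```python
import sqlite3
import time

FAIL_THRESHOLD = 5        # hypothetical "y": failed RCPT TOs before a host is listed
BLOCK_SECONDS = 30 * 60   # hypothetical "x": 30 minutes in the block list


def open_db(path=":memory:"):
    """Create the block-list table: one row per offending IP plus the time it was listed."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS blocked_hosts ("
        "  ip TEXT PRIMARY KEY,"
        "  listed_at INTEGER NOT NULL)"
    )
    return conn


def record_failures(conn, ip, rcpt_fail_count, now=None, threshold=FAIL_THRESHOLD):
    """Hook for the RCPT ACL (assumed wiring): ip is what Exim calls $sender_host_address,
    rcpt_fail_count is $rcpt_fail_count. Lists the host once the count passes the
    threshold; re-listing refreshes the timestamp. Returns True if the host was listed."""
    if rcpt_fail_count <= threshold:
        return False
    now = int(time.time()) if now is None else now
    conn.execute(
        "INSERT OR REPLACE INTO blocked_hosts (ip, listed_at) VALUES (?, ?)",
        (ip, now),
    )
    conn.commit()
    return True


def is_blocked(conn, ip, now=None, block_seconds=BLOCK_SECONDS):
    """Connect-time check: is the host still inside its block window?"""
    now = int(time.time()) if now is None else now
    row = conn.execute(
        "SELECT listed_at FROM blocked_hosts WHERE ip = ?", (ip,)
    ).fetchone()
    return row is not None and now - row[0] < block_seconds


def expire_old_entries(conn, now=None, block_seconds=BLOCK_SECONDS):
    """The cron-job half: delete rows whose timestamp is older than the block window.
    Returns the number of rows removed."""
    now = int(time.time()) if now is None else now
    cur = conn.execute(
        "DELETE FROM blocked_hosts WHERE listed_at <= ?", (now - block_seconds,)
    )
    conn.commit()
    return cur.rowcount


def demo():
    """Constructed scenario: one host fails six recipients in a session, another only two."""
    conn = open_db()
    t0 = 1_700_000_000  # constructed fixed clock so the run is reproducible
    record_failures(conn, "198.51.100.7", 6, now=t0)   # over threshold: listed
    record_failures(conn, "203.0.113.9", 2, now=t0)    # under threshold: ignored
    return {
        "offender_blocked_now": is_blocked(conn, "198.51.100.7", now=t0 + 60),
        "innocent_blocked_now": is_blocked(conn, "203.0.113.9", now=t0 + 60),
        "offender_blocked_after_window": is_blocked(conn, "198.51.100.7", now=t0 + BLOCK_SECONDS),
        "expired_rows": expire_old_entries(conn, now=t0 + BLOCK_SECONDS),
    }


if __name__ == "__main__":
    print(demo())
```

Keeping the timestamp in the same row is what makes the "remove after x minutes" part cheap: the connect-time check and the cron sweep both compare against the one column, so a host that keeps probing simply has its timestamp refreshed and stays listed, while a quiet host drops out on its own.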