Re: [exim] Must be a worm attack...

Author: Dennis Davis
Date:  
To: Marten Lehmann
CC: exim-users
Subject: Re: [exim] Must be a worm attack...
On Tue, 27 Jun 2006, Marten Lehmann wrote:

> From: Marten Lehmann <lehmann@???>
> To: exim-users@???
> Date: Tue, 27 Jun 2006 16:50:06 +0200
> Subject: [exim] Must be a worm attack...
>
> ...or something like that.
>
> At this time we are getting a tremendous amount of connections
> from completely different ip-addresses that try to send emails
> to recipients, that don't exist on our mailserver. Greylisting
> wouldn't help, because these worms/bots/whatever open several
> connections. I'm trying to put all hosts that stand out into a
> block lists, but that seems to be an infinite work.
>
> Has someone configured something like "block all hosts for x
> minutes that try to send emails to more than y not existing
> recipients" with exim?


Have a look at Tom Kistner's timeban script:

http://duncanthrax.net/timeban/timeban

and see the description in:

Message-ID: <4457BE3E.3000908@???>
Date: Tue, 02 May 2006 22:17:02 +0200
From: Tom Kistner <tom@???>
To: exim-users@???
References: <4441653C.6040203@???> <44420ADA.10208@???>
In-Reply-To: <44420ADA.10208@???>
Cc: jethro.binks@???
Subject: Re: [exim] sudo - iptables trick

which you should be able to find in the exim mailing list archives.

You may be able to adapt the above to do what you want.

I'm seeing similar shitstorms of connections. My HELO acceptance
rules are catching a lot. For example:

2006-06-27 14:03:43 H=220-130-128-65.hinet-ip.hinet.net (MOEMOE-5TTEVLXH) [220.130.128.65] I=[138.38.32.23]:25 F=<Jenny.French@???> rejected RCPT <XXXXXXXX@???>: invalid HELO syntax MOEMOE-5TTEVLXH
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@???               Phone: +44 1225 386101
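An added example, not part of this thread and not the timeban script: the "more than y non-existent recipients in x minutes" counter the question asks for, run over Exim mainlog "rejected RCPT" lines in the format of the log line quoted above. The sample lines, addresses and thresholds are constructed for the example; it assumes unknown recipients are rejected with Exim's "Unrouteable address" reason and that the log is in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Exim mainlog rejection line: timestamp, H=<host> (<helo>) [<ip>] ..., rejected RCPT <addr>: reason.
# Host name and HELO are optional in Exim's H= field; the [ip] part is always present.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?:\S+ )?(?:\([^)]*\) )?\[(?P<ip>[0-9a-fA-F.:]+)\].*"
    r"rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$")

# Constructed sample lines (documentation addresses, not real traffic): 192.0.2.10 probes six
# unknown recipients in three minutes, 198.51.100.7 only two, and the last line is a HELO-syntax
# rejection like the one in the thread, which must not be counted as an unknown recipient.
SAMPLE_LOG = """\
2006-06-27 14:00:01 H=[192.0.2.10] F=<a@example.net> rejected RCPT <u1@example.org>: Unrouteable address
2006-06-27 14:00:09 H=[192.0.2.10] F=<a@example.net> rejected RCPT <u2@example.org>: Unrouteable address
2006-06-27 14:00:30 H=mail.example.net [198.51.100.7] F=<b@example.net> rejected RCPT <u1@example.org>: Unrouteable address
2006-06-27 14:01:12 H=[192.0.2.10] F=<a@example.net> rejected RCPT <u3@example.org>: Unrouteable address
2006-06-27 14:01:40 H=[192.0.2.10] F=<a@example.net> rejected RCPT <u4@example.org>: Unrouteable address
2006-06-27 14:02:05 H=mail.example.net [198.51.100.7] F=<b@example.net> rejected RCPT <u2@example.org>: Unrouteable address
2006-06-27 14:02:33 H=[192.0.2.10] F=<a@example.net> rejected RCPT <u5@example.org>: Unrouteable address
2006-06-27 14:02:58 H=[192.0.2.10] F=<a@example.net> rejected RCPT <u6@example.org>: Unrouteable address
2006-06-27 14:03:43 H=pc1.example.com (BOGUS-HELO) [203.0.113.5] F=<c@example.net> rejected RCPT <u1@example.org>: invalid HELO syntax BOGUS-HELO
"""

def parse_rejection(line):
    """Return the fields of one 'rejected RCPT' line, or None for any other log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), "ip": m.group("ip"),
            "rcpt": m.group("rcpt"), "reason": m.group("reason")}

def offending_hosts(lines, max_unknown=5, window_minutes=10, reason_prefix="Unrouteable address"):
    """Return {ip: time at which it first exceeded max_unknown unknown-recipient rejections in the window}."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of its recent unknown-recipient rejections
    flagged = {}
    for line in lines:            # assumes chronological order, as in a mainlog
        rec = parse_rejection(line)
        if rec is None or not rec["reason"].startswith(reason_prefix):
            continue              # not a rejection, or rejected for another reason (HELO etc.)
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # expire entries older than the window
            q.popleft()
        if len(q) > max_unknown and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged
```

What to do with a flagged host (a temporary firewall rule, as in the iptables trick the timeban script wraps, or a host list consulted from an Exim ACL) is the site-specific part this counter leaves out.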