I can see every day in the exim_mainlog that someone tries to authenticate on
my system, with invalid usernames and (of course!) passwords.
I know for sure that this is an attack.
Now I'd like to write a little system to deny the connection for the hosts
that tried to attack me.
To implement this daemon is very simple, maybe directly in the ACL for
HELO/EHLO.
But I need to save in a DB (in real time, of course!) the IPs of the hosts
that attack me...
I'm sure Exim can take some action when the authentication fails, and my idea
was to call a Perl script that counts the failures for the IP and, when they
reach a value, inserts the IP in my blacklist.
Now the problem: I have no idea WHICH Exim-ACL will be called after the auth
process...
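
The per-IP counting described above can be driven from the failure lines already written to exim_mainlog. The following Python code is an added example, not part of the original post: the log lines are constructed, and the function names, the threshold of 3 and the never-block list are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape Exim logs a failed SMTP AUTH.
SAMPLE_LOG = """\
2024-05-01 10:00:01 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=admin)
2024-05-01 10:00:04 dovecot_login authenticator failed for ([192.0.2.1]) [203.0.113.7]:40222: 535 Incorrect authentication data (set_id=test)
2024-05-01 10:00:07 dovecot_plain authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=info)
2024-05-01 10:00:08 dovecot_login authenticator failed for (pc) [198.51.100.9]: 535 Incorrect authentication data (set_id=bob)
2024-05-01 10:00:09 1s2AbC-0001xY-2Z <= user@example.org H=mail.example.org [198.51.100.9] P=esmtps S=1204
"""

# The HELO name in parentheses is client-supplied and may itself contain a
# bracketed address, so the peer address is the one directly followed by
# ": 535" (an optional ":port" is allowed in between).
FAILED_AUTH = re.compile(
    r"^\S+ \S+ (?P<auth>\S+) authenticator failed for "
    r".*?\[(?P<ip>[0-9A-Fa-f:.]+)\](?::\d+)?: 535 "
)

def count_failures(lines):
    """Return a Counter of failed-AUTH attempts keyed by peer IP."""
    counts = Counter()
    for line in lines:
        m = FAILED_AUTH.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))  # validate and normalise
        except ValueError:
            continue
        counts[str(ip)] += 1
    return counts

def blacklist(counts, threshold=3, never_block=("127.0.0.0/8", "::1/128")):
    """IPs at or over the threshold, excluding ranges that must never be blocked."""
    nets = [ipaddress.ip_network(n) for n in never_block]
    return sorted(
        ip for ip, n in counts.items()
        if n >= threshold
        and not any(ipaddress.ip_address(ip) in net for net in nets)
    )

if __name__ == "__main__":
    print(blacklist(count_failures(SAMPLE_LOG.splitlines())))
```

The returned list is what would be written to the database or lookup file that the connection-time check consults.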