Author: Tom Ray [Lists]
Date:
To: Wouter Verhelst
CC: Exim-Users ML
Subject: Re: [exim] Help, Please.

Wouter Verhelst wrote:
> On Thu, Jul 26, 2007 at 12:17:22PM -0400, Tom Ray [Lists] wrote:
>
>> My mail server is being overrun and it's causing some real issues. I'm
>> not really sure how to stop it, I'll be the first to admit that my
>> skills with Exim are about an intermediate level so any help with this
>> would be great.
>>
>> Basically this is what I am getting in my log:
>>
>> 2007-07-26 11:57:45 lowest numbered MX record points to local host:
>> mymsviews.com (while verifying <odyl@???> from host
>> (mail.fcpp.org) [64.201.170.253])
>> 2007-07-26 11:57:45 H=(mail.fcpp.org) [64.201.170.253] F=<> temporarily
>> rejected RCPT <odyl@???>: lowest numbered MX record points to
>> local host
>>
> [...]
>
> It already blocks that; as soon as it detects that the reverse lookup is
> fishy, the mail is temprejected. Permanently rejecting a mail at that
> point would seem to be a bad idea, since it might be a genuine
> configuration mistake. Also, spammers don't really care whether you send
> 4xx or a 5xx, so permanently rejecting them at that point won't really
> help.
>
>
>> It's basically the same thing over and over again just from a pile of
>> different hosts and IPs. Is there anything I can do to make this stop? I
>> can block IPs but there's just too much to keep up with.
>>
>
> Use a DNSBL to block hosts. There are some examples of how to do this in
> the default exim config file.
>
> You could write a script to parse your mainlog, store the fishy IP
> addresses somewhere that you can do a lookup to from exim, and then
> block that from an ACL somewhere. That's really the same thing as the
> DNSBL solution, except that it's slightly more tailored to your server
> and not even remotely the same amount of blocked IP addresses.
>
> If you're going to do either of the above unconditionally for every
> connecting IP address, it makes sense to do that in the acl_smtp_helo
> ACL.
>
> If you're suffering from load issues, check out the "queue_only_load",
> "deliver_queue_load_max", and "smtp_load_reserve" configuration options.
> With those, you can do things like accept mail, but hold it on the queue
> rather than delivering it immediately. This will slightly delay your
> mails, but it's often better to delay mail by putting it on the queue
> than it is to delay mail by sending a "I'm overloaded, please try again
> later" 4xx reply or (even worse), timing out the connection.
>
>

Thanks for the advice, I was just reading up on those. I'm going to try
some things in the conf file.
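
The mainlog-parsing script suggested in the quoted reply could look like the following. It is an added example, not code from this thread or from the Exim project; the function names, the threshold of 3, the sample log lines and the output path are assumptions.

```python
import ipaddress
import os
import re
import tempfile
from collections import Counter

# Constructed sample (documentation placeholder hosts/IPs) in the mainlog shape quoted above.
SAMPLE_LOG = """\
2007-07-26 11:57:45 H=(mail.example.org) [192.0.2.10] F=<> temporarily rejected RCPT <a@example.com>: lowest numbered MX record points to local host
2007-07-26 11:57:46 H=(mail.example.org) [192.0.2.10] F=<> temporarily rejected RCPT <b@example.com>: lowest numbered MX record points to local host
2007-07-26 11:57:47 H=([203.0.113.99]) [192.0.2.10] F=<> temporarily rejected RCPT <c@example.com>: lowest numbered MX record points to local host
2007-07-26 11:58:01 H=(relay.example.net) [198.51.100.7] F=<> temporarily rejected RCPT <d@example.com>: lowest numbered MX record points to local host
2007-07-26 11:58:02 lowest numbered MX record points to local host: example.com (while verifying <d@example.com> from host (relay.example.net) [198.51.100.7])
2007-07-26 11:58:09 H=(ok.example.net) [198.51.100.8] F=<u@example.net> rejected RCPT <e@example.com>: relay not permitted
"""

# Capture the connecting address (the bracket followed by a space or :port),
# not the HELO name in parentheses, which the remote side chooses freely.
REJECT_RE = re.compile(
    r"^\S+ \S+ H=.*?\[(?P<ip>[0-9A-Fa-f:.]+)\](?::\d+)? "
    r".*rejected RCPT .*: lowest numbered MX record points to local host$"
)


def fishy_hosts(lines, threshold=3):
    """Return sorted IPs with at least `threshold` matching rejections."""
    hits = Counter()
    for line in lines:
        if not (m := REJECT_RE.match(line.strip())):
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # never copy unvalidated log text into a list Exim reads
        hits[str(ip)] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def write_hostlist(path, ips):
    """Write one IP per line (hypothetical path), replacing the file atomically."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the MTA user must be able to read it
    with os.fdopen(fd, "w") as fh:
        fh.writelines(ip + "\n" for ip in ips)
    os.replace(tmp, path)


if __name__ == "__main__":
    print(fishy_hosts(SAMPLE_LOG.splitlines()))
```

The threshold keeps a host that tripped the check only once, which may be a genuine configuration mistake, off the list. The resulting file can then be named as an item in a `hosts =` condition of a deny ACL statement.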