[exim] Exim 4.68 defeats spammers!

Pàgina inicial
Delete this message
Reply to this message
Autor: Mark Rigby-Jones
Data:  
A: exim-users
Assumptes vells: [exim-announce] Exim 4.68 Released
Assumpte: [exim] Exim 4.68 defeats spammers!
On 30 Aug 2007, at 14:49, Philip Hazel wrote:
> I have just put Exim release 4.68 on the primary ftp site:

...
> This release contains a number of new features


Talk about a new release arriving just in the nick of time! Two of
those new features combined to help solve a problem I was having
yesterday afternoon. Allow me to explain:

Briefly, we were having an issue with a spam attack from (presumably)
a zombie network, but to add to the fun the vast majority of the spam
connections were sitting doing nothing until exim timed them out
while waiting for a command. Even after reducing
smtp_receive_timeout, this was filling up the connection pool and
stopping a lot of legitimate email coming in.

Using the new acl_smtp_notquit, these timed-out connections can now
be flagged for rate-limiting (this rule also catches connections with
too many invalid commands):

acl_notquit:
     # Allow anything that's authenticated, from our networks or to  
submit port
     accept      authenticated   = *
     accept      hosts           = +relay_hosts
     accept      condition       = ${if eq {$interface_port}{587}  
{yes}{no}}
     # Rate-limit suspicious connections
     warn        condition       = ${if match {$smtp_notquit_reason} 
{command} \
                                   {yes}{no} }
                 logwrite        = RATELIMIT ${sender_host_address}: \
                                   $smtp_notquit_reason
                 ratelimit       = 1 / 1h / per_conn


And the new noupdate option to ratelimit means that I can rate-limit
all connections based only on the "bad" ones (the rate-limiting DB is
checked for every new connection, but only updated by other ACL's
when bad behaviour is detected):

acl_connect:
     ...
     # Defer connections from ratelimited hosts
     defer       message         = Busy now, please try again later
                 log_message     = Host is ratelimited
                 ratelimit       = 1 / 1h / per_conn / noupdate


As the spammers appeared to be doing a dictionary attack one one
specific domain, I also flagged connections which had unknown
recipients at that domain to be rate-limited (the rule shown happens
after all legitimate connections/addresses have been accepted):

acl_rcpt:
     ...
     # Rate-limit rejected recipients for certain domains
     warn        domains         = /etc/mail/spam/target_domains
                 logwrite        = RATELIMIT ${sender_host_address}: \
                                   ${local_part}@${domain}
                 ratelimit       = 1 / 1h / per_conn


Hopefully this will be of some use if other folks suffer a similar
attack - although if anyone has other/better ways of dealing with
them, I'd love to hear those too!

mrj
--
Mark Rigby-Jones, System Operations Manager
CI-Net, Network House, Langford Locks, Kidlington, OX5 1GA
CI-Net is the trading name for Community Internet plc
A company registered in England and Wales number 3155758
t: 01865 856009 m: 07747 862201 e: mark.rigby-jones@???
w: www.ci-net.com