On 30 Aug 2007, at 14:49, Philip Hazel wrote:
> I have just put Exim release 4.68 on the primary ftp site:
...
> This release contains a number of new features
Talk about a new release arriving just in the nick of time! Two of
those new features combined to help solve a problem I was having
yesterday afternoon. Allow me to explain:
Briefly, we were having an issue with a spam attack from (presumably)
a zombie network, but to add to the fun the vast majority of the spam
connections were sitting doing nothing until exim timed them out
while waiting for a command. Even after reducing
smtp_receive_timeout, this was filling up the connection pool and
stopping a lot of legitimate email coming in.
Using the new acl_smtp_notquit, these timed-out connections can now
be flagged for rate-limiting (this rule also catches connections with
too many invalid commands):
  acl_notquit:
    # Allow anything that's authenticated, from our networks or to
    # submit port
    accept authenticated = *
    accept hosts = +relay_hosts
    accept condition = ${if eq {$interface_port}{587} {yes}{no}}

    # Rate-limit suspicious connections
    warn   condition = ${if match {$smtp_notquit_reason}{command} \
                             {yes}{no} }
           logwrite  = RATELIMIT ${sender_host_address}: \
                       $smtp_notquit_reason
           ratelimit = 1 / 1h / per_conn
And the new noupdate option to ratelimit means that I can rate-limit
all connections based only on the "bad" ones (the rate-limiting DB is
checked for every new connection, but only updated by other ACLs
when bad behaviour is detected):
  acl_connect:
    ...
    # Defer connections from ratelimited hosts
    defer  message     = Busy now, please try again later
           log_message = Host is ratelimited
           ratelimit   = 1 / 1h / per_conn / noupdate
As the spammers appeared to be doing a dictionary attack on one
specific domain, I also flagged connections which had unknown
recipients at that domain to be rate-limited (the rule shown happens
after all legitimate connections/addresses have been accepted):
  acl_rcpt:
    ...
    # Rate-limit rejected recipients for certain domains
    warn   domains   = /etc/mail/spam/target_domains
           logwrite  = RATELIMIT ${sender_host_address}: \
                       ${local_part}@${domain}
           ratelimit = 1 / 1h / per_conn
Hopefully this will be of some use if other folks suffer a similar
attack - although if anyone has other/better ways of dealing with
them, I'd love to hear those too!
mrj
--
Mark Rigby-Jones, System Operations Manager
CI-Net, Network House, Langford Locks, Kidlington, OX5 1GA
CI-Net is the trading name for Community Internet plc
A company registered in England and Wales number 3155758
t: 01865 856009 m: 07747 862201 e: mark.rigby-jones@???
w: www.ci-net.com
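The three fragments above wired into one configuration, as an added example that is not part of Mark's post or of the Exim distribution. It puts the acl_smtp_* settings, the named lists and the three ACLs together so the "count only bad events, check on every connection" design can be read end to end. The relay network, the local domains and the final deny in acl_rcpt are assumptions filled in for illustration; the target-domain file name is the one from the post.

```exim
# Main section: wire the three ACLs and declare the lists the rules use.
acl_smtp_connect = acl_connect
acl_smtp_rcpt    = acl_rcpt
acl_smtp_notquit = acl_notquit

# Assumed values: replace with your own relay networks and local domains.
hostlist   relay_hosts    = 127.0.0.1 : 192.0.2.0/24
domainlist local_domains  = example.com : example.net
domainlist target_domains = /etc/mail/spam/target_domains

begin acl

acl_connect:
  # Read-only check of the counter that the other two ACLs raise.
  # noupdate: this rule never adds to the counter, so a clean host that
  # connects often is not penalised; only hosts with recorded bad events
  # can exceed 1 per hour. Limit, period and per_conn must match the
  # updating rules so all three rules share one record, which is keyed
  # on the client IP ($sender_host_address) by default.
  defer  message     = Busy now, please try again later
         log_message = Host is ratelimited ($sender_rate per $sender_rate_period)
         ratelimit   = 1 / 1h / per_conn / noupdate
  accept

acl_rcpt:
  # Legitimate traffic first: authenticated users, our networks, and
  # verifiable local recipients are accepted before any counting happens.
  accept authenticated = *
  accept hosts         = +relay_hosts
  accept domains       = +local_domains
         verify        = recipient

  # Whatever is left is an unknown recipient. logwrite runs as soon as
  # the domains condition matches, then ratelimit records the event.
  # Only the domains under dictionary attack are counted.
  warn   domains   = +target_domains
         logwrite  = RATELIMIT $sender_host_address: $local_part@$domain
         ratelimit = 1 / 1h / per_conn
  deny   message = unknown recipient

acl_notquit:
  # Never count our own users or submission-port clients.
  accept authenticated = *
  accept hosts         = +relay_hosts
  accept condition     = ${if = {$interface_port}{587}}

  # $smtp_notquit_reason is "command-timeout" for a client that sat idle
  # until smtp_receive_timeout expired and "bad-commands" for one that
  # sent too many invalid commands; both contain "command". Other values
  # (connection-lost, data-timeout, tls-failed, ...) are not counted.
  warn   condition = ${if match {$smtp_notquit_reason}{command}}
         logwrite  = RATELIMIT $sender_host_address: $smtp_notquit_reason
         ratelimit = 1 / 1h / per_conn
  accept
```

Two things to keep in mind when adapting this: the updating rules and the noupdate check only see the same counter if they use the same limit, period and per_* option, so a later change to, say, "2 / 30m" has to be made in all three places; and ratelimit defaults to leaky mode, in which a client already over the limit does not have its recorded rate pushed higher, so a host that keeps misbehaving is held back for the one-hour decay rather than indefinitely. Add "strict" to the two updating rules if you want continued bad behaviour to extend the penalty.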