Re: [exim] Exim 4.68 defeats spammers!

Author: Marc Perkel
Date:  
To: Mark Rigby-Jones
CC: exim-users
Subject: Re: [exim] Exim 4.68 defeats spammers!


Mark Rigby-Jones wrote:
> On 31 Aug 2007, at 13:44, Chris Edwards wrote:
>
>> Do you find the same zombie IPs re-connecting sufficiently often to
>> make this worthwhile ? Or is there an effectively infinite pool of
>> zombies, each only connecting once ?
>>
>
> In this particular case, they were - in fact they were even opening
> multiple simultaneous connections (until I dropped
> smtp_accept_max_per_host from 4 to 1 for off-net hosts) and re-
> connecting quite aggressively each time a connection was timed out.
> This, from numerous (dozens, certainly) different IP addresses to
> multiple mail servers on our side. After I made those changes, the
> number of concurrent connections began to drop down from being nailed
> up to the limit as it had been since the attack started, allowing
> legitimate emails to get through.
>
> That said, it does seem a rather ineffective way to send spam - very
> few of the connections got as far as even attempting to send a
> message, certainly no more than one or two per hour, per attacking
> IP. Hopefully they'll stop using that particular code when it proves
> to be unprofitable (although I can assure you that I'd prefer a much
> worse fate for the spammers than mere lack of profit...)
>
> mrj
>


One thing you can do is create a fake highest-numbered MX that always
returns DEFER; that will get rid of a lot of bot spam and lower your
connection count. Bot spam tends to start at the highest MX and doesn't
retry.
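
The two measures discussed in this thread, sketched as an Exim configuration fragment. This is an added example, not part of the original messages or anyone's production config; the host names, the on-net range 192.0.2.0/24, the fake-MX address 192.0.2.25 and the ACL name are all assumed placeholders.

```exim
# Constructed values throughout: 192.0.2.0/24 stands in for the on-net
# range, 192.0.2.25 for the address the fake MX name resolves to.
#
# DNS side (zone file lines, shown here as comments):
#   example.org.  IN MX 10 mail.example.org.     ; real server
#   example.org.  IN MX 90 mx-last.example.org.  ; fake MX, highest number, -> 192.0.2.25

# --- main configuration section ---

# smtp_accept_max_per_host is expanded per connection, so the limit can
# depend on the peer: 4 simultaneous connections for on-net hosts, 1 for
# everything else (the change described in the quoted message).
smtp_accept_max_per_host = ${if match_ip{$sender_host_address}{192.0.2.0/24}{4}{1}}

acl_smtp_connect = acl_check_connect

# --- ACL section (merge into the existing "begin acl" block) ---

acl_check_connect:
  # Any connection that arrived on the fake-MX address gets a temporary
  # (4xx) rejection at connect time. Senders that work through the MX
  # list in preference order and retry reach the real server instead.
  defer   condition   = ${if eq{$received_ip_address}{192.0.2.25}}
          message     = Temporarily unavailable, please use a lower-numbered MX
          log_message = connection to fake MX deferred

  accept
```

The `log_message` text makes fake-MX hits easy to count in the main log, which answers the earlier question in the thread about how often the same IPs come back.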