Re: [exim] increase in smtp concurrency

Author: Ted Cooper
Date:  
To: Chris Edwards
CC: exim-users
Subject: Re: [exim] increase in smtp concurrency
Chris Edwards wrote:
> Anyone else noticing more concurrent incoming SMTP connections in last
> couple of weeks ?
>
> Chances are it's a buggy botnet, and has been discussed in various places
> including:
>
>    http://blogs.msdn.com/tzink/archive/2007/09/01/new-spamming-tactic.aspx
>
> and I'm guessing is responsible for the recent "smtp_reserve_hosts" thread
> on exim-users.
>
> Suggestions seem to include lowering timeouts - which seems likely to
> break legit things.
>
> Perhaps it's time to switch our DNSBL etc tests from "deny" to "drop" mode.
> Is there any obvious downside to this ? Do most folk use drop already ?


I too have noticed more bots doing this kind of behaviour and am
currently trying to figure a neat and easy way to only allow a single
connection from any 1 IP address over separate servers.
A few legitimate servers also connect multiple times so I'm at a loss as
to whether this is a good idea or not.
The bots connecting to my servers haven't been hanging around and
wasting connections though, they've just been dropping the connection as
soon as they get the defer from the greylist.
Changing the DNSBL verb from deny to drop may cause the bots to attempt
the connection again, but this will depend on the bot. Some of them try
again even with a deny, others try once and never come back again.

Ted.

--
The Exim Manual
http://www.exim.org/docs.html
http://www.exim.org/exim-html-current/doc/html/spec_html/index.html