Re: [exim] increase in smtp concurrency

Author: Marc Perkel
Date:  
To: Ted Cooper
CC: exim-users, Chris Edwards
Subject: Re: [exim] increase in smtp concurrency


Ted Cooper wrote:
> Chris Edwards wrote:
>
>> Anyone else noticing more concurrent incoming SMTP connections in the last
>> couple of weeks?
>>
>> Chances are it's a buggy botnet, and has been discussed in various places
>> including:
>>
>>    http://blogs.msdn.com/tzink/archive/2007/09/01/new-spamming-tactic.aspx
>>
>> and I'm guessing is responsible for the recent "smtp_reserve_hosts" thread
>> on exim-users.
>>
>> Suggestions seem to include lowering timeouts - which seems likely to
>> break legit things.
>>
>> Perhaps it's time to switch our DNSBL etc tests from "deny" to "drop" mode.
>> Is there any obvious downside to this? Do most folk use drop already?
>>
>
> I too have noticed more bots doing this kind of behaviour and am
> currently trying to figure a neat and easy way to only allow a single
> connection from any 1 IP address over separate servers.
> A few legitimate servers also connect multiple times so I'm at a loss as
> to whether this is a good idea or not.
> The bots connecting to my servers haven't been hanging around and
> wasting connections though, they've just been dropping connection as
> soon as they get the defer from the greylist.
> Changing the DNSBL verb from deny to drop may cause the bots to attempt
> the connection again, but this will depend on the bot. Some of them try
> again even with a deny, others try once and never come back again.
>
> Ted.
>
>


Just wondering something. I'm using the new NOTQUIT acl and looking at
connections that don't use quit. I'm wondering if the failure to quit
might be used as a spam indicator. Not as an absolute indicator, but
just in general. Just thinking out loud here. Always looking for a spam
indicator.
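
The two ideas raised in this thread (switching a DNSBL test from "deny" to "drop", and recording sessions that end without QUIT), written out as an Exim configuration fragment. This is an added example, not part of the original messages or anyone's actual configuration; the DNSBL zone `dnsbl.example.invalid` and the ACL names are placeholders.

```exim
# --- main configuration section ---
acl_smtp_rcpt    = acl_check_rcpt
# Run an ACL whenever an SMTP session ends without the client sending QUIT
acl_smtp_notquit = acl_check_notquit

begin acl

acl_check_rcpt:

  # Original behaviour: reject the recipient with a 5xx, but leave the
  # connection open, so a stalled bot keeps holding an SMTP slot.
  # deny  dnslists = dnsbl.example.invalid
  #       message  = $sender_host_address is listed in $dnslist_domain

  # "drop" sends the same 5xx response and then closes the connection,
  # which frees the slot immediately.
  drop  dnslists = dnsbl.example.invalid
        message  = $sender_host_address is listed in $dnslist_domain

  # ... remaining RCPT checks (relay control, greylisting, etc.) ...
  accept

acl_check_notquit:

  # $smtp_notquit_reason says why the session ended without QUIT
  # (for example connection-lost, command-timeout, acl-drop).
  # Sessions this server closed itself with "drop" are skipped, so the
  # log only reflects how the client behaved.
  warn  condition = ${if !eq{$smtp_notquit_reason}{acl-drop}}
        logwrite  = NOTQUIT H=[$sender_host_address] reason=$smtp_notquit_reason

  accept
```

The `NOTQUIT` log prefix is constructed for this example; counting those lines per host over time shows whether a missing QUIT correlates with other spam signals before it is given any weight.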