Our school has recently been contacted by SpamHaus b/c we are making
too/soo many queries.
After thinking about things and looking at the offenders that keep
coming back time and time again only to be rejected..
I came up with a simple ratelimit in acl_check_connect:
    deny
      ratelimit   = 3 / 1m / strict
      message     = Sorry, not fast enough for you. Try again later. [$sender_rate/$sender_rate_period]
      log_message = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit)
This is what it's catching..
    grep RATE /var/log/exim/mainlog | cut -f3 -d\[ | cut -f1 -d\] | sort | uniq -c | sort
(here's the over 200 offenders..)
2009-04-03 01:09:56 [85437] H=[118.71.112.87]:21151 I=[a.b.c.d]:25 rejected connection in "connect" ACL: RATE: 199.1/1m (max 3)
2009-04-03 01:09:56 [1430] H=[118.71.112.87]:21153 I=[a.b.c.d]:25 rejected connection in "connect" ACL: RATE: 199.9/1m (max 3)
So, is there a way that I can make a ratelimit ACL if your IP is found
on a DNSBL?
Does that make sense?
Or is this acl_check_connect good enough?
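
One way to order the connect ACL so that throttled hosts are refused before any DNSBL lookup is made, with the variant the question asks about shown as a commented alternative. This is an added example, not part of the original post; the list name zen.spamhaus.org and both dnslists statements are assumptions, since the post does not show how the DNSBL is queried.

```exim
acl_check_connect:

  # Exim evaluates the conditions of an ACL statement in order and stops at
  # the first one that does not match. ratelimit is computed locally, so
  # putting this statement first refuses repeat offenders with no DNS query.
  # "strict" keeps counting rejected connections, which is why the logged
  # rate climbs far above the limit of 3.
  deny    ratelimit   = 3 / 1m / strict
          message     = Sorry, not fast enough for you. Try again later. \
                        [$sender_rate/$sender_rate_period]
          log_message = RATE: $sender_rate/$sender_rate_period \
                        (max $sender_rate_limit)

  # Only hosts still under the limit reach the DNSBL lookup.
  # Assumption: zen.spamhaus.org is the list in use at this site.
  deny    dnslists    = zen.spamhaus.org
          message     = $sender_host_address is listed at $dnslist_domain
          log_message = DNSBL: listed at $dnslist_domain ($dnslist_value)

  accept

  # Variant asked about in the post: rate-limit only hosts found on the DNSBL.
  # ratelimit is evaluated (and the rate updated) only when dnslists matched.
  # The DNS lookup still happens on every connection, so this form does not
  # reduce the number of queries sent to the list.
  #
  # deny  dnslists    = zen.spamhaus.org
  #       ratelimit   = 3 / 1m / strict
  #       log_message = RATE (listed host): $sender_rate/$sender_rate_period
```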