Re: [exim] ratelimit on dnsbl offenders?

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] ratelimit on dnsbl offenders?
B. Cook wrote:
> Our school has recently been contacted by SpamHaus b/c we are making too
> /soo many queries.
>
> After thinking about things and looking at the offenders that keep
> coming back time and time again only to be rejected..
>
> I came up with a simple ratelimit in acl_check_connect:
>
> deny
>   ratelimit      = 3 / 1m / strict
>   message        = Sorry, not fast enough for you. Try again later. [$sender_rate/$sender_rate_period]
>   log_message    = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit)
>
>
> This is what its catching..
> grep RATE /var/log/exim/mainlog | cut -f3 -d\[ | cut -f1 -d\] | sort | uniq -c | sort
>
> (heres the over 200 offenders..)
>
> 201 118.69.170.90
> 204 123.18.170.173
> 206 85.105.247.43
> 208 117.0.155.111
> 208 88.224.84.103
> 210 123.18.85.6
> 217 78.171.137.27
> 225 123.22.119.231
> 242 123.19.1.197
> 248 123.18.243.35
> 316 118.71.112.87
>
> 2009-04-03 01:09:56 [85437] H=[118.71.112.87]:21151 I=[a.b.c.d]:25
> rejected connection in "connect" ACL: RATE: 199.1/1m (max 3)
>
> 2009-04-03 01:09:56 [1430] H=[118.71.112.87]:21153 I=[a.b.c.d]:25
> rejected connection in "connect" ACL: RATE: 199.9/1m (max 3)
>
> so, is there a way that I can make a ratelimit acl if your ip is found
> on a dnsbl?
>
> does that make sense?
>
> Or is this acl_check_connect good enough?
>
>


Are you expecting them to change their behaviour?

Seems to me asking Exim to 'ratelimit' a known-chronic-offender is a
waste of resources.

Why not capture the offending IP on first hit, add it to a DB/file, use
it to reject immediately in acl_smtp_connect with lower resource load?

NB: We do the same at later stages for REGEXP match on the domain.tld
and/or HELO string of chronic / known-bad arrivals.

For *serious* offenders - the 'born to spam' networks, we do a bit of
research to see if we have *ever* had even one legit arrival, otherwise
add the whole netblock to the ipfw or pf block rules.

The combo makes for a major reduction in RBL callouts, and the DB/tables
are easily ported to our other MTA.

CAVEAT: You may want to expire entries after a reasonable time.
'Reasonable time' here being measured in years, not months...

;-)

Bill
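One way to put Bill's "capture on first hit, reject at connect" approach into Exim ACL terms, as an added example that is neither poster's configuration nor from the Exim project. The list file path, the DNSBL zone, and the helper script `/usr/local/sbin/record-bad-host` (assumed to append one `ip: YYYY-MM-DD` line to the file if the address is not already present) are assumptions:

```exim
# Added example (not from the thread): record a DNSBL hit once, then reject
# the repeat visitor from a local file at connect time instead of querying
# the DNSBL again. Fragment of the main section plus the ACL section only.
# Assumed: /var/lib/exim/known_bad_hosts is in iplsearch format, one
# "ip-or-cidr: first-seen-date" per line, written by the assumed helper
# /usr/local/sbin/record-bad-host <ip> (exit 0 on success).

acl_smtp_connect = acl_check_connect

begin acl

acl_check_connect:

  # 1. Already-known offenders: a single local file lookup, no DNS traffic.
  deny
    hosts        = net-iplsearch;/var/lib/exim/known_bad_hosts
    message      = Connection refused: host previously listed
    log_message  = KNOWNBAD: $sender_host_address

  # 2. First contact: query the DNSBL once; on a hit, store the address so
  #    step 1 handles every later connection. Modifiers run in order, so the
  #    set/${run} below executes only after dnslists has matched, never for
  #    clean hosts. $sender_host_address is an IP, so it is safe to pass as
  #    a command argument.
  deny
    dnslists     = zen.spamhaus.org
    set acl_c_recorded = ${run{/usr/local/sbin/record-bad-host $sender_host_address}{yes}{no}}
    message      = Connection refused: listed at $dnslist_domain
    log_message  = DNSBL: $sender_host_address listed at $dnslist_domain (recorded=$acl_c_recorded)

  accept
```

Because the first-seen date is stored as lookup data rather than part of the key, Exim ignores it, and Bill's expiry caveat becomes a cron job that drops lines whose date is older than whatever age you choose.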