Re: [exim] ratelimit on dnsbl offenders?

Author: B. Cook
Date:  
To: W B Hacker
CC: exim users
Subject: Re: [exim] ratelimit on dnsbl offenders?


W B Hacker wrote:
> B. Cook wrote:
>> Our school has recently been contacted by SpamHaus because we are making too
>> many queries.
>>
>> After thinking about things and looking at the offenders that keep
>> coming back time and time again only to be rejected..
>>
>> I came up with a simple ratelimit in acl_check_connect:
>>
>> deny
>>   ratelimit      = 3 / 1m / strict
>>   message        = Sorry, not fast enough for you. Try again later. [$sender_rate/$sender_rate_period]
>>   log_message    = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit)
>>
>> This is what it's catching:
>> grep RATE /var/log/exim/mainlog | cut -f3 -d\[ | cut -f1 -d\] | sort |
>> uniq -c | sort
>>
>> (here's the over-200 offenders..)
>>
>> 201 118.69.170.90
>> 204 123.18.170.173
>> 206 85.105.247.43
>> 208 117.0.155.111
>> 208 88.224.84.103
>> 210 123.18.85.6
>> 217 78.171.137.27
>> 225 123.22.119.231
>> 242 123.19.1.197
>> 248 123.18.243.35
>> 316 118.71.112.87
>>
>> 2009-04-03 01:09:56 [85437] H=[118.71.112.87]:21151 I=[a.b.c.d]:25
>> rejected connection in "connect" ACL: RATE: 199.1/1m (max 3)
>>
>> 2009-04-03 01:09:56 [1430] H=[118.71.112.87]:21153 I=[a.b.c.d]:25
>> rejected connection in "connect" ACL: RATE: 199.9/1m (max 3)
>>
>> So, is there a way that I can make a ratelimit ACL if your IP is found
>> on a DNSBL?
>>
>> does that make sense?
>>
>> Or is this acl_check_connect good enough?
>>
>>
>
> Are you expecting them to change their behaviour?
>
> Seems to me asking Exim to 'ratelimit' a known-chronic-offender is a
> waste of resources.
>
> Why not capture the offending IP on first hit, add it to a DB/file, use
> it to reject immediately in acl_smtp_connect with lower resource load?
>
> NB: We do the same at later stages for REGEXP match on the domain.tld
> and/or HELO string of chronic / known-bad arrivals.
>
> For *serious* offenders - the 'born to spam' networks, we do a bit of
> research to see if we have *ever* had even one legit arrival, otherwise
> add the whole netblock to the ipfw or pf block rules.
>
> The combo makes for a major reduction in RBL callouts, and the DB/tables
> are easily ported to our other MTA.
>
> CAVEAT: You may want to expire entries after a reasonable time.
> 'Reasonable time' here being measured in years, not months...
>
> ;-)
>
> Bill
>


Yes, that would be ideal. Is there a way to get exim to add something to
spamdb and/or a pf block list until spamdb can be rebuilt?

How can I make exim "do something" (outside of exim) when "something
happens" (inside exim)?

I didn't think that was possible w/ exim.. but it sounds like you are
speaking as if you are doing it/have done it.

:)
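As an added example (not from either poster), here is a small POSIX shell script that does the log-mining half of Bill's suggestion: it reads the "RATE:" rejections in the format quoted above, counts them per connecting host, and prints the pfctl commands that would put the repeat offenders into a pf table. The log lines are constructed samples and the table name "spammers" is an assumption.

```shell
#!/bin/sh
# Added example: mine Exim mainlog "RATE:" rejections for repeat offenders and
# turn them into pf table additions. The sample log lines below are constructed
# to match the format quoted in the thread (a.b.c.d is a placeholder address).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2009-04-03 01:09:56 [85437] H=[118.71.112.87]:21151 I=[a.b.c.d]:25 rejected connection in "connect" ACL: RATE: 199.1/1m (max 3)
2009-04-03 01:09:56 [1430] H=[118.71.112.87]:21153 I=[a.b.c.d]:25 rejected connection in "connect" ACL: RATE: 199.9/1m (max 3)
2009-04-03 01:10:02 [1501] H=[123.18.243.35]:4021 I=[a.b.c.d]:25 rejected connection in "connect" ACL: RATE: 4.2/1m (max 3)
2009-04-03 01:10:03 [1502] H=[118.71.112.87]:21160 I=[a.b.c.d]:25 rejected connection in "connect" ACL: RATE: 200.4/1m (max 3)
2009-04-03 01:10:05 [1503] H=[10.0.0.5]:1025 I=[a.b.c.d]:25 rejected connection in "connect" ACL: unrelated reason
EOF

# rate_offenders LOGFILE MINHITS
# Prints "count ip" for each connecting host (the H=[...] field) that the
# ratelimit ACL rejected at least MINHITS times, most frequent first.
# Rejections for other reasons are ignored because only "ACL: RATE:" lines match.
rate_offenders() {
    grep 'ACL: RATE:' "$1" \
      | sed -n 's/.* H=\[\([^]]*\)\].*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v min="$2" '$1 >= min { print $1, $2 }'
}

# pf_table_lines LOGFILE MINHITS TABLE
# Emits the pfctl commands that would add each offender to the pf table TABLE.
# They are printed rather than executed so the list can be reviewed first;
# entries added this way still need expiring later, as the thread notes.
pf_table_lines() {
    rate_offenders "$1" "$2" | awk -v t="$3" '{ print "pfctl -t " t " -T add " $2 }'
}

# Stand-alone run: hosts rejected twice or more in the sample log.
pf_table_lines "$SAMPLE_LOG" 2 spammers
```

For doing something outside Exim at the moment an ACL fires, rather than after the fact from the log, Exim's `${run{...}}` string expansion can invoke an external command from within an ACL statement.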