Re: [exim] Sender callout verification on BATV signed addres…

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Sender callout verification on BATV signed addresses
David Saez Padros wrote:
> Hi
>
>> On Thu, May 14, 2009 at 5:15 AM, David Saez Padros <david@???> wrote:
>>> we really do very few callouts, zombies get detected before
>>> reaching the callout check so we almost never do callouts for
>>> mail coming from non-real servers, and for real servers without
>> Care to elaborate on how you do the zombie detection? I assume, like
>> everything nowadays, it's not one simple rule, but a combination of
>> several things all at once?
>
> This works quite well:
>


Not for very long ... see below..

> acl_smtp_notquit:
>
>    # avoid blacklisting whitelisted hosts
>    accept condition      = ${if eq {$acl_c2}{4}}
>
>    warn   condition      = ${if eq {$smtp_notquit_reason}{connection-lost}}
>           condition      = ${if >= {$rcpt_fail_count}{1}}
>           logwrite       = :panic: OLS_BLACKLIST $sender_host_address
>
>    warn   condition      = ${if eq {$smtp_notquit_reason}{connection-lost}}
>           condition      = ${if >= {$rcpt_defer_count}{1}}
>           logwrite       = :panic: OLS_BLACKLIST $sender_host_address
>
>    warn   condition      = ${if eq {$smtp_notquit_reason}{synchronization-error}}
>           logwrite       = :panic: OLS_BLACKLIST $sender_host_address
>
> you need to read paniclog, extract lines with OLS_BLACKLIST and
> blacklist the found IP addresses
>


BTDT,GTTS.

Inserting them into a PostgreSQL table makes it easier to manage duplicates.

But at around 956,342 entries I realized the 'bots had a finite, but far larger,
number of possible IPs available to them, and that it had become a fool's errand
to try to blacklist them in that manner.

Too much load on local resources, the computer's OR your own..

When they force us to do that - they are winning.

By contrast, their inability to obtain a PTR RR *AND* matching A or MX entries
is rock-reliable with near-zero local complexity or maintenance required.

> helo.acl at http://www.ols.es/exim/acl/ works quite well
> at detecting zombies and dialup.acl works well at detecting
> dialup zones, you could either block them all or block SPF
> neutral/softfail from dialup hosts and/or gmail domain, also
> checking common patterns (random/uppercase sender/recipient,
> etc ...)
>


require verify = reverse_host_lookup

.. or modestly more complex ACL clauses that allow whitelisting, etc.

.. and one has time to pursue the many things in life far more pleasant than
playing with zombified WinBoxen..

;-)

Bill
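The "read paniclog, extract OLS_BLACKLIST lines, blacklist the addresses" step from David's post, and Bill's point about duplicates, as an added example that is not code from either poster or from ols.es. It assumes the log lines look the way Exim's logwrite produces them (a timestamp, then the literal text from the ACL, e.g. `2009-05-14 10:15:22 OLS_BLACKLIST 192.0.2.10`), and that the output file is consumed by an Exim host list given as a file name (e.g. `hosts = /etc/exim/ols_blacklist`). The sample panic log is constructed. Addresses are validated before they are listed, duplicates collapse into a hit count, and RFC 1918/loopback/link-local ranges are never listed so an internal relay tripping the notquit ACL cannot blacklist itself.

```python
#!/usr/bin/env python3
"""Turn OLS_BLACKLIST hits in an Exim panic log into a host list file.

Added example for this thread, not code from the posts or from ols.es.
Assumed input: Exim prefixes every logwrite with a timestamp, so the ACL
above yields lines like
    2009-05-14 10:15:22 OLS_BLACKLIST 192.0.2.10
Assumed consumer: an Exim host list that reads a file, e.g.
    hosts = /etc/exim/ols_blacklist
"""
import ipaddress
import re
import sys
from collections import Counter

LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} OLS_BLACKLIST (\S+)$"
)

# Ranges that must never be listed even if an internal relay trips the ACL:
# RFC 1918, loopback, link-local, ULA. Kept explicit rather than using
# ipaddress.is_private, which would also hide the documentation ranges
# (192.0.2.0/24 etc.) used in the constructed sample below.
NEVER_LIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample panic log (not a real log): one repeat offender, an
# unrelated panic entry, a malformed address, an RFC 1918 host, an IPv6 hit.
SAMPLE_PANICLOG = """\
2009-05-14 10:15:22 OLS_BLACKLIST 192.0.2.10
2009-05-14 10:15:31 OLS_BLACKLIST 198.51.100.7
2009-05-14 10:16:02 unable to open main log file (constructed line)
2009-05-14 10:16:40 OLS_BLACKLIST 192.0.2.10
2009-05-14 10:17:05 OLS_BLACKLIST not-an-address
2009-05-14 10:17:09 OLS_BLACKLIST 10.0.0.5
2009-05-14 10:18:51 OLS_BLACKLIST 2001:db8::25
2009-05-14 10:19:00 OLS_BLACKLIST 192.0.2.10
"""


def extract_hits(paniclog_text, never_list=NEVER_LIST):
    """Map each flagged address to its hit count.

    Collapsing repeats into a count is the duplicate-management step; the
    count also lets a caller demand a repeat offender before listing.
    """
    hits = Counter()
    for line in paniclog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue            # never turn log garbage into a host-list entry
        if any(ip in net for net in never_list):
            continue
        hits[str(ip)] += 1      # canonical text form, so 2001:DB8::25 == 2001:db8::25
    return dict(hits)


def render_hostlist(hits, min_hits=1):
    """One address per line, IPv4 before IPv6, each family in numeric order:
    the form an Exim host list accepts when the list item is a file name."""
    addrs = [ip for ip, n in hits.items() if n >= min_hits]
    addrs.sort(key=lambda s: (ipaddress.ip_address(s).version,
                              ipaddress.ip_address(s)))
    return "".join(a + "\n" for a in addrs)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PANICLOG
    hits = extract_hits(text)
    for ip, n in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])):
        print(f"{n:5d}  {ip}", file=sys.stderr)     # hit counts for the operator
    sys.stdout.write(render_hostlist(hits))          # the file Exim reads
```

Run it as `extract.py /var/log/exim/paniclog > /etc/exim/ols_blacklist.new` and rename into place; the hit counts on stderr are what you would feed a PostgreSQL table instead if you want first-seen/last-seen and expiry, which is where Bill's 956,342 entries came from.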
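What `verify = reverse_host_lookup` actually tests, as an added example that is not Exim's code: Exim looks up the PTR for the connecting address, then does a forward lookup on each name it gets back and requires the original address to appear among the results (forward-confirmed reverse DNS). DNS is behind two methods so the check runs offline against a constructed zone; `SocketResolver` shows the same two methods over the system resolver, with the assumption (noted in the code) that any error other than "no such host" is temporary. The point worth seeing in code is the third verdict: a temporary DNS failure is a defer, not a fail, or a flaky resolver has you treating real MTAs as zombies.

```python
#!/usr/bin/env python3
"""Forward-confirmed reverse DNS, the check behind `verify = reverse_host_lookup`.

Added example for this thread, not Exim's own code. PTR for the address,
then A/AAAA for each returned name, and the address must come back.
"""
import ipaddress
import socket


class DnsTempFail(Exception):
    """SERVFAIL/timeout: distinct from 'no such record' so the ACL can 4xx."""


class StubResolver:
    """Offline resolver over a constructed zone: {ip: [names]}, {name: [ips]};
    addresses in `broken` simulate a temporary lookup failure."""

    def __init__(self, ptr, fwd, broken=()):
        self._ptr, self._fwd, self._broken = ptr, fwd, set(broken)

    def ptr(self, ip):
        if ip in self._broken:
            raise DnsTempFail(ip)
        return list(self._ptr.get(ip, []))

    def forward(self, name):
        return list(self._fwd.get(name.lower().rstrip("."), []))


class SocketResolver:
    """Same two methods over the system resolver (stdlib only)."""

    def ptr(self, ip):
        try:
            name, aliases, _ = socket.gethostbyaddr(ip)
        except socket.herror:
            return []                         # no PTR
        except OSError as e:
            raise DnsTempFail(ip) from e      # assumption: anything else is temporary
        return [name] + list(aliases)

    def forward(self, name):
        try:
            infos = socket.getaddrinfo(name, None)
        except socket.gaierror:
            return []
        # sockaddr[0] is the text address; strip any IPv6 scope suffix
        return [info[4][0].split("%")[0] for info in infos]


def reverse_host_ok(ip, resolver):
    """Return (verdict, detail) with verdict 'pass', 'fail' or 'defer'.

    'defer' should map to a 4xx in the ACL, never to a blacklist entry.
    """
    ip = str(ipaddress.ip_address(ip))        # canonical form for comparison
    try:
        names = resolver.ptr(ip)
        if not names:
            return "fail", "no PTR record"
        for name in names:
            forward = {str(ipaddress.ip_address(a)) for a in resolver.forward(name)}
            if ip in forward:
                return "pass", name
    except DnsTempFail:
        return "defer", "temporary DNS failure"
    return "fail", "PTR names %s do not resolve back to %s" % (names, ip)


# Constructed zone using documentation ranges; none of these are real hosts.
ZONE = StubResolver(
    ptr={
        "192.0.2.10": ["mx.example.org"],      # proper MTA, forward agrees
        "203.0.113.9": ["mail.bank.example"],  # PTR present, forward disagrees
        "2001:db8::25": ["mx6.example.org"],
        # 198.51.100.7 has no PTR at all: the typical zombie on a dynamic range
    },
    fwd={
        "mx.example.org": ["192.0.2.10", "2001:db8::25"],
        "mail.bank.example": ["203.0.113.99"],
        "mx6.example.org": ["2001:db8::25"],
    },
    broken={"198.51.100.200"},                 # resolver times out for this one
)

if __name__ == "__main__":
    import sys
    resolver = SocketResolver() if "--live" in sys.argv else ZONE
    targets = [a for a in sys.argv[1:] if a != "--live"] or [
        "192.0.2.10", "198.51.100.7", "203.0.113.9", "2001:DB8::25", "198.51.100.200"]
    for t in targets:
        verdict, detail = reverse_host_ok(t, resolver)
        print(f"{t:<18} {verdict:<6} {detail}")
```

Without arguments it walks the constructed zone; `fcrdns.py --live 203.0.113.9` runs the same logic through the system resolver. The "PTR present, forward disagrees" case is why a PTR alone is not enough: anyone controlling the reverse zone for their netblock can put any name in it.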