Re: [exim] open relay aftermath

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] open relay aftermath
Matthias-Christian Ott wrote:
> On Mon, Feb 14, 2011 at 06:43:40AM +1300, Jim Cheetham wrote:
>> On 14/02/11 05:53, Matthias-Christian Ott wrote:
>>> Do you have any advice for what I should do additionally to ensure that
>>> this configuration mistake has no further consequences (like being
>>> blacklisted, rejected etc.)?
>>
>> Not quite what you want, but identify the IP addresses used by the bots,
>> and blacklist them permanently at the edge of your network; they will
>> not stop trying to send mail through your server, even if all subsequent
>> attempts fail. You have better things to do than reject their messages
>> with the MTA.
>
> The problem is that the bots' IP addresses come from dynamic address
> pools and are changing.
>
> Regards,
> Matthias-Christian
>


Changing YOUR server to a new IP won't really make much difference. They'll find
anything with port 25 listening.

However...

If the bots are coming from dynamic address IP pools, there is no reason to
allow them to survive acl_smtp_connect.

- Exim's rDNS check will reject those intelligently, ie w/o false positives, and
leave you with only connections from valid mailservers with proper DNS credentials.

Some of those still send UCE, but nothing like botnets. Nowhere close.

- and/or run a check against SORBS or similar Dynamic-IP lists, see:

http://en.wikipedia.org/wiki/Spam_and_Open_Relay_Blocking_System

You may need a whitelist to exempt a few folks, but ordinarily it will be a very
small list - MUCH smaller than a blacklist. Typically 16 to 32 such here.

HTH,

Bill Hacker
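The connect-time checks Bill describes (rDNS verification, a SORBS dynamic-IP lookup, and a short whitelist), written out as an added Exim ACL example. This is not configuration from the original message; the host list name `dyn_whitelist` and the addresses in it are assumed placeholders, and `dul.dnsbl.sorbs.net` is the SORBS dynamic-IP zone.

```exim
# Added example, not the configuration of the original poster.
# Main configuration section: run this ACL when a client connects.
acl_smtp_connect = acl_check_connect

# Hypothetical whitelist for the few legitimate senders that lack proper
# reverse DNS (the "very small list" mentioned above). Placeholder
# addresses from the documentation ranges; replace with your own.
hostlist dyn_whitelist = 192.0.2.10 : 198.51.100.0/24

begin acl

acl_check_connect:
  # Never challenge local (non-network) submissions or the whitelist.
  # The empty first item matches connections with no remote host.
  accept  hosts    = : +dyn_whitelist

  # Reject clients whose address has no reverse DNS, or whose reverse
  # name does not resolve back to the connecting address.
  deny    message  = Connecting host has no valid reverse DNS
          !verify  = reverse_host_lookup

  # Reject clients listed in the SORBS dynamic/dial-up address zone.
  deny    message  = Dynamic address listed in $dnslist_domain: $dnslist_text
          dnslists = dul.dnsbl.sorbs.net

  # Everything else proceeds to the normal HELO/MAIL/RCPT ACLs.
  accept
```

Rejections made here are logged with the host and the ACL message, so the log shows how many connections the botnet is still attempting without those connections ever reaching RCPT processing.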