On 13 February 2011 19:53, Matthias-Christian Ott <ott@???> wrote:
> On Mon, Feb 14, 2011 at 06:43:40AM +1300, Jim Cheetham wrote:
>> On 14/02/11 05:53, Matthias-Christian Ott wrote:
>> > Do you have any advice for what I should do additionally to ensure that
>> > this configuration mistake has no further consequences (like being
>> > blacklisted, rejected etc.)?
>>
>> Not quite what you want, but identify the IP addresses used by the bots,
>> and blacklist them permanently at the edge of your network; they will
>> not stop trying to send mail through your server, even if all subsequent
>> attempts fail. You have better things to do than reject their messages
>> with the MTA.
>
> The problem is that the bots IP addresses come from dynamic address
> pools and are changing.
>
Hi

I do not accept unauthenticated mail from dynamic ranges. Period.
Saved me around 80% in incoming SPAM by activating this:
# Deny email from dynamic IP ranges (ADSL and the like)
deny    message         = Sorry - NO email accepted from dynamic IP ranges : \
                          DNSBL listed at $dnslist_domain\n$dnslist_text
        dnslists        = dul.dnsbl.sorbs.net : \
                          zen.spamhaus.org
        delay           = 3m
        log_message     = DENY : Mail not accepted from dynamic IP ranges
        !sender_domains = lsearch;/etc/exim4/exim-domain_whitelist
Also added a check for multiple bounce notifications per connection:

# Legitimate bounces are never sent to more than one recipient
deny    condition = $recipients_count
        message   = Legitimate bounces are never sent to more than one recipient.
        senders   = : postmaster@*
Then I tar-pit any dictionary attacks (multiple connections trying to
guess email addresses):

# Anti-dictionary attack. See http://www.configserver.com/free/eximdeny.html
# for a more intelligent method.
# If more than 4 unknown recipients are received within a single connection
# it is more than likely spammers fishing by trying a dictionary of localparts.
deny    condition   = ${if >{$rcpt_fail_count}{3} {1}{0}}
        domains     = +local_domains
        message     = Multiple unknown users - Suspected dictionary attack.
        log_message = DENY : Multiple unknown users ($rcpt_fail_count) - \
                      Suspected dictionary attack.
        !verify     = recipient
        delay       = ${eval:30*$rcpt_fail_count}s
These have helped me. They are old configs I found when I got flooded
by SPAM from dynamic ranges a few years ago, so I am sure there are
more efficient ways of doing it, but this works.
Regards
Michael L Griffin
He who play in root,
eventually kill tree.
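The three ACL rules above are easier to reason about when stepped through on a sample SMTP connection. The following is an added example, not Exim code and not the poster's configuration: it re-implements the decision logic of the three rules in Python, using constructed stand-ins for the DNSBL answers, the domain whitelist, the local user list and the client sessions, so it runs offline. It also shows how a dnslists query name is formed (reversed octets plus the zone) and why the bounce rule works in the RCPT ACL ($recipients_count is already 1 when the second recipient arrives).

```python
"""Offline model of the three Exim RCPT-ACL rules quoted in the message.

Added example, not Exim's code and not the poster's configuration: it
re-implements the decision logic in Python so the rules can be stepped
through on constructed SMTP sessions. The DNSBL answers, the domain
whitelist, the local user list and the sessions are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import ipaddress

DNSBL_ZONES = ["dul.dnsbl.sorbs.net", "zen.spamhaus.org"]
# Constructed stand-in for live DNS answers: query name -> A record.
FAKE_DNSBL = {"4.3.2.1.dul.dnsbl.sorbs.net": "127.0.0.10"}
# Constructed stand-in for lsearch;/etc/exim4/exim-domain_whitelist
DOMAIN_WHITELIST = {"partner.example"}
LOCAL_DOMAINS = {"example.org"}                          # +local_domains
LOCAL_USERS = {"alice@example.org", "bob@example.org"}   # what verify=recipient knows


def dnsbl_query_name(ip: str, zone: str) -> str:
    """How a dnslists lookup is formed: reversed octets plus the zone name."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip: str) -> Optional[str]:
    """Return the first zone listing the IP (the $dnslist_domain role) or None."""
    for zone in DNSBL_ZONES:
        if dnsbl_query_name(ip, zone) in FAKE_DNSBL:
            return zone
    return None


@dataclass
class Session:
    client_ip: str
    sender: str                    # "" models MAIL FROM:<> (a bounce)
    authenticated: bool = False
    recipients_count: int = 0      # Exim's $recipients_count: accepted so far
    rcpt_fail_count: int = 0       # Exim's $rcpt_fail_count: rejected so far
    log: List[str] = field(default_factory=list)


def _deny(s: Session, log_message: str, delay: int = 0) -> Tuple[str, int]:
    s.rcpt_fail_count += 1         # every rejected RCPT bumps the counter
    s.log.append(log_message)
    return "deny", delay


def rcpt_acl(s: Session, rcpt: str) -> Tuple[str, int]:
    """Evaluate one RCPT TO and return (verdict, tarpit_delay_seconds)."""
    sender_domain = s.sender.rsplit("@", 1)[-1] if "@" in s.sender else ""
    rcpt_domain = rcpt.rsplit("@", 1)[-1]

    # Rule 1: unauthenticated client on a dynamic-range DNSBL, unless the
    # sender domain is whitelisted (!sender_domains = lsearch;...); delay = 3m.
    zone = dnsbl_listed(s.client_ip)
    if zone and not s.authenticated and sender_domain not in DOMAIN_WHITELIST:
        return _deny(s, f"DENY : Mail not accepted from dynamic IP ranges ({zone})", 180)

    # Rule 2: a bounce (senders = : postmaster@*) may only have one recipient.
    # $recipients_count is already 1 when the second RCPT arrives, so it is true.
    is_bounce = s.sender == "" or s.sender.lower().startswith("postmaster@")
    if is_bounce and s.recipients_count:
        return _deny(s, "Legitimate bounces are never sent to more than one recipient.")

    # Rule 3: after more than 3 failed recipients in this connection, every
    # further unknown local recipient is rejected with a growing tarpit.
    known = rcpt in LOCAL_USERS
    if rcpt_domain in LOCAL_DOMAINS and s.rcpt_fail_count > 3 and not known:
        delay = 30 * s.rcpt_fail_count          # ${eval:30*$rcpt_fail_count}s
        return _deny(s, f"DENY : Multiple unknown users ({s.rcpt_fail_count})", delay)

    # Ordinary recipient verification for local domains (the model accepts
    # non-local recipients; a real ACL would apply its relay rules here).
    if rcpt_domain in LOCAL_DOMAINS and not known:
        return _deny(s, f"unknown user {rcpt}")
    s.recipients_count += 1
    return "accept", 0


def run_session(s: Session, rcpts: List[str]) -> List[Tuple[str, int]]:
    """Feed a list of RCPT TO addresses through the ACL in order."""
    return [rcpt_acl(s, r) for r in rcpts]


if __name__ == "__main__":
    dyn = Session("1.2.3.4", "user@home.example")            # constructed listed IP
    print(run_session(dyn, ["alice@example.org"]))          # [('deny', 180)]
    bounce = Session("10.0.0.5", "")
    print(run_session(bounce, ["alice@example.org", "bob@example.org"]))
    probe = Session("10.0.0.6", "x@evil.example")
    print(run_session(probe, [f"guess{i}@example.org" for i in range(6)]))
```

Note the interaction of the counters: the first four unknown recipients are refused by ordinary verification with no delay, and only once $rcpt_fail_count exceeds 3 does the tarpit rule take over, with the delay growing by 30 seconds per further failure.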