Re: [exim] open relay aftermath

Góra strony
Delete this message
Reply to this message
Autor: Michael
Data:  
Dla: exim-users
Temat: Re: [exim] open relay aftermath
On 13 February 2011 19:53, Matthias-Christian Ott <ott@???> wrote:
> On Mon, Feb 14, 2011 at 06:43:40AM +1300, Jim Cheetham wrote:
>> On 14/02/11 05:53, Matthias-Christian Ott wrote:
>> > Do you have any advice for what I should do additionally to ensure that
>> > this configuration mistake has no further consequences (like being
>> > blacklisted, rejected etc.)?
>>
>> Not quite what you want, but identify the IP addresses used by the bots,
>> and blacklist them permanently at the edge of your network; they will
>> not stop trying to send mail through your server, even if all subsequent
>> attempts fail. You have better things to do than reject their messages
>> with the MTA.
>
> The problem is that the bots IP addresses come from dynamic address
> pools and are changing.
>


Hi

I do not accept unauthenticated mail from dynamic ranges. Period.
Saved me around 80% in in-coming SPAM by activating this:

  # Deny email from Dynamic IP ranges (ADSL and the like)
  deny   message = Sorry - NO email accepted from dynamic IP ranges :
DNSBL listed at $dnslist_domain\n$dnslist_text
        dnslists = dul.dnsbl.sorbs.net : \
                   zen.spamhaus.org
           delay = 3m
     log_message = DENY : Mail not accepted from dynamic IP ranges
   !sender_domains = lsearch;/etc/exim4/exim-domain_whitelist


Also added a check for multiple bounces notifications per connection:

# Legitimate bounces are never sent to more than one recipient
  deny condition = $recipients_count
         message = Legitimate bounces are never sent to more than one recipient.
         senders = : postmaster@*


Then I tar-pit any dictionary attacks (multiple connections trying to
guess email addresses) :

# Anti-dictionary attack.  See http://www.configserver.com/free/eximdeny.html
# for a more intelligent method
# If more than 4 unkown recipients are received within a single connection
# It is more than like spammers fishing by trying a dictionary of localparts
  deny condition = ${if >{$rcpt_fail_count}{3} {1}{0}}
         domains = +local_domains
         message = Multiple unknown users - Suspected dictionary attack.
     log_message = DENY : Multiple unknown users ($rcpt_fail_count) -
Suspected dictionary attack.
         !verify = recipient
           delay = ${eval:30*$rcpt_fail_count}s



These have helped me. They are old configs I found when I got flooded
by SPAM from dynamic ranges a few years ago so I am sure there are
more efficient ways of doing it but this works.

R e g a r d s
M i c h a e l L G r i f f i n

Please consider the environment before printing this email

He who play in root,
           eventually kill tree.