On Mon, Feb 14, 2011 at 6:41 AM, Michael <milegrin@???> wrote:
> Also added a check for multiple bounce notifications per connection:
>
> # Legitimate bounces are never sent to more than one recipient
> deny condition = $recipients_count
>      message = Legitimate bounces are never sent to more than one recipient.
>      senders = : postmaster@*

I don't quite get this one. This passes for 1 or more recipients,
which means you bounce any email from <> or postmaster@* with a
recipient. Wouldn't you want to sharpen the condition to only match
when it's greater than one (as opposed to greater than or equal to),
like this:

    ${if eq{$recipients_count}{1} {no}{yes}}

or

    ${eval:$recipients_count-1}

If not, why not?

> Then I tar-pit any dictionary attacks (multiple connections trying to
> guess email addresses) :
>
> # Anti-dictionary attack. See http://www.configserver.com/free/eximdeny.html
> # for a more intelligent method
> # If more than 4 unknown recipients are received within a single connection,
> # it is more than likely spammers fishing by trying a dictionary of localparts
> deny condition = ${if >{$rcpt_fail_count}{3} {1}{0}}
>      domains = +local_domains
>      message = Multiple unknown users - Suspected dictionary attack.
>      log_message = DENY : Multiple unknown users ($rcpt_fail_count) - Suspected dictionary attack.
>      !verify = recipient
>      delay = ${eval:30*$rcpt_fail_count}s

That's nice, I just added that to my servers in the RCPT acl.
--
Regards... Todd
I seek the truth...it is only persistence in self-delusion and
ignorance that does harm. -- Marcus Aurelius
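
The tarpit rule quoted in the message above, modelled in Python as an added example (not code from either poster and not Exim's own logic). It assumes every address is in +local_domains, that unknown addresses below the threshold are rejected by a later ACL statement with a 5xx and no delay, and uses a constructed mailbox list and RCPT sequence.

```python
# Added illustration: a simplified model of the quoted tarpit rule, not Exim itself.
KNOWN = {"alice", "bob"}   # constructed list of valid local parts
THRESHOLD = 3              # condition = ${if >{$rcpt_fail_count}{3} {1}{0}}
DELAY_STEP = 30            # delay = ${eval:30*$rcpt_fail_count}s


def rcpt(local_part, rcpt_fail_count):
    """Evaluate one RCPT; return (accepted, delay_seconds, tarpitted)."""
    if local_part in KNOWN:
        # "!verify = recipient" is false, so the deny never reaches "delay".
        return True, 0, False
    if rcpt_fail_count > THRESHOLD:
        return False, DELAY_STEP * rcpt_fail_count, True
    # Assumption: a later ACL statement rejects the unknown address with a
    # 5xx and no delay, which is what increments $rcpt_fail_count.
    return False, 0, False


def simulate(local_parts):
    """Run a sequence of RCPT local parts through the model for one connection."""
    fails = 0
    total_delay = 0
    log = []
    for lp in local_parts:
        accepted, delay, tarpitted = rcpt(lp, fails)
        log.append((lp, accepted, delay, tarpitted))
        total_delay += delay
        if not accepted:
            fails += 1
    return log, total_delay


if __name__ == "__main__":
    # Constructed RCPT sequence: six unknown local parts, two valid ones.
    attempts = ["aaa", "aab", "alice", "aac", "aad", "aae", "aaf", "bob"]
    log, total = simulate(attempts)
    for lp, accepted, delay, tarpitted in log:
        print(f"{lp:6} accepted={accepted!s:5} delay={delay:3}s tarpit={tarpitted}")
    print("total delay:", total, "s")
```

In this model the fifth unknown address is the first one the rule catches, at 120 s, and valid recipients are never delayed even after the threshold is passed.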