Re: [exim] open relay aftermath

Góra strony
Delete this message
Reply to this message
Autor: Todd Lyons
Data:  
Dla: Michael
CC: exim-users
Temat: Re: [exim] open relay aftermath
On Mon, Feb 14, 2011 at 6:41 AM, Michael <milegrin@???> wrote:

> Also added a check for multiple bounces notifications per connection:
>
> # Legitimate bounces are never sent to more than one recipient
>  deny condition = $recipients_count
>         message = Legitimate bounces are never sent to more than one recipient.
>         senders = : postmaster@*


I don't quite get this one. This passes for 1 or more recipients,
which means you bounce any email from <> or postmaster@* with a
recipient. Wouldn't you want to sharpen the condition to only match
when it's greater than one (as opposed to greater than or equal to),
like this:

${if eq{$recipients_count}{1} {no}{yes}}
or
${eval:$recipients_count-1}

If not, why not?

> Then I tar-pit any dictionary attacks (multiple connections trying to
> guess email addresses) :
>
> # Anti-dictionary attack.  See http://www.configserver.com/free/eximdeny.html
> # for a more intelligent method
> # If more than 4 unkown recipients are received within a single connection
> # It is more than like spammers fishing by trying a dictionary of localparts
>  deny condition = ${if >{$rcpt_fail_count}{3} {1}{0}}
>         domains = +local_domains
>         message = Multiple unknown users - Suspected dictionary attack.
>     log_message = DENY : Multiple unknown users ($rcpt_fail_count) -
> Suspected dictionary attack.
>         !verify = recipient
>           delay = ${eval:30*$rcpt_fail_count}s


That's nice, I just added that to my servers in the RCPT acl.

--
Regards...      Todd
I seek the truth...it is only persistence in self-delusion and
ignorance that does harm.  -- Marcus Aurealius