Re: [exim] automatically blacklisting clients that fail SMTP…

Author: Lena
Date:  
To: exim-users
Subject: Re: [exim] automatically blacklisting clients that fail SMTP authentication
> From: lee <lee@???>

> is it possible to automatically blacklist clients that repeatedly fail
> SMTP authentication?


> Exim dropped the connections after so many failed non-mail commands:


Not many: default for smtp_accept_max_nonmail is 10.

> What I have in mind is to simply have exim deny connections (or all
> auth attempts) from the IP in question after the authentication failed
> so many times --- perhaps that's a feature already built in?
>
> If it's not a built-in feature, perhaps I can make it so that exim
> appends the IPs in question to some file which is used for a
> blacklist.


LIM = 100
PERIOD = 1h
WARNTO = abuse@???
EXIMBINARY = /usr/local/sbin/exim -f root
SHELL = /bin/sh
...
begin acl
acl_check_auth:
  drop  message = authentication is allowed only once per message in order \
                  to slow down bruteforce cracking
        set acl_m_auth = ${eval10:0$acl_m_auth+1}
        condition = ${if >{$acl_m_auth}{2}}
        delay = 22s


  drop  message = blacklisted for bruteforce cracking attempt
        set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
        condition = ${if >{$acl_c_authnomail}{4}}
        continue = ${run{SHELL -c "echo $sender_host_address \
           >>$spool_directory/blocked_IPs; \
           \N{\N echo Subject: $sender_host_address blocked; echo; echo \
           for bruteforce auth cracking attempt.; \
           \N}\N | EXIMBINARY WARNTO"}}


accept

acl_check_mail:
accept set acl_c_authnomail = 0

acl_check_connect:
...
  drop  message = $sender_host_address locally blacklisted for a bruteforce \
                  auth (login+password) cracking attempt
        condition = ${if exists{$spool_directory/blocked_IPs}}
        condition = ${lookup{$sender_host_address}lsearch\
                    {$spool_directory/blocked_IPs}{1}{0}}


accept

acl_check_quit:
  warn  condition = ${if def:authentication_failed}
        condition = $authentication_failed
        logwrite = :reject: quit after authentication failed: \
                            ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
        ratelimit = 7 / 5m / strict / per_conn
        continue = ${run{SHELL -c "echo $sender_host_address \
           >>$spool_directory/blocked_IPs; \
           \N{\N echo Subject: $sender_host_address blocked; echo; echo \
           for bruteforce auth cracking attempt.; \
           \N}\N | EXIMBINARY WARNTO"}}


acl_check_notquit:
  warn  condition = ${if def:authentication_failed}
        condition = $authentication_failed
        logwrite = :reject: $smtp_notquit_reason after authentication failed: \
                            ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}


acl_check_rcpt:
...
  accept hosts = !@[] : +relay_from_hosts
        set acl_m_user = $sender_host_address
             # or a userid from RADIUS
        condition = ${if exists{$spool_directory/blocked_relay_users}}
        condition = ${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_relay_users}{1}{0}}
        control = freeze/no_tell
        add_header = X-Relayed-From: $acl_m_user


  accept hosts = !@[] : +relay_from_hosts
        !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
        ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
        continue = ${run{SHELL -c "echo $acl_m_user \
           >>$spool_directory/blocked_relay_users; \
           \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
           because it has sent mail to LIM invalid recipients during PERIOD.; \
           \N}\N | EXIMBINARY WARNTO"}}
        control = freeze/no_tell
        add_header = X-Relayed-From: $acl_m_user


  accept  hosts         = +relay_from_hosts
          control       = submission/domain=


  accept authenticated = *
        set acl_m_user = $authenticated_id
# in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
        condition = ${if exists{$spool_directory/blocked_authenticated_users}}
        condition = ${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_authenticated_users}{1}{0}}
        control = freeze/no_tell
        add_header = X-Authenticated-As: $acl_m_user


  accept authenticated = *
        !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
        ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
        continue = ${run{SHELL -c "echo $acl_m_user \
           >>$spool_directory/blocked_authenticated_users; \
           \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
           it has sent mail to LIM invalid recipients during PERIOD.; \
           \N}\N | EXIMBINARY WARNTO"}}
        control = freeze/no_tell
        add_header = X-Authenticated-As: $acl_m_user


  accept authenticated = *
        condition = ${if !={$received_port}{25}}
        control = submission/domain=
...


The checks in rcpt are for spamming from trojaned windozes in the LAN and
using passwords stolen with trojans. The check is based on the fact
that lists of email addresses spammers send to contain very many
non-existent addresses.
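The `continue = ${run{SHELL -c "echo ... >>$spool_directory/blocked_IPs; ..."}}` actions above embed the client address (and, in the rcpt ACL, the authenticated user id) inside an `sh -c` command string and append it unconditionally. The following is an added helper script, not part of Lena's post or of Exim itself: it takes the blocklist file and the key as separate arguments, refuses keys containing anything but the characters found in IP literals and simple user ids, and appends the key as one lsearch line only if it is not already there. The script path `/usr/local/sbin/block_addr.sh` and the environment variables `EXIM` and `WARNTO` are assumptions; the ACL line that would call it, `continue = ${run{/usr/local/sbin/block_addr.sh $spool_directory/blocked_IPs $sender_host_address}}`, is shown only in the header comment.

```shell
#!/bin/sh
# block_addr.sh (added example, hypothetical path /usr/local/sbin/block_addr.sh):
# add one client IP or user id to an Exim lsearch blocklist, one key per line.
# Intended ACL use (assumed, not from the post):
#   continue = ${run{/usr/local/sbin/block_addr.sh \
#                    $spool_directory/blocked_IPs $sender_host_address}}
# The key arrives as its own argument, never inside an "sh -c" string.

# validate_key KEY: accept only characters used in IPv4/IPv6 literals and
# plain user ids. Empty values, whitespace, newlines and shell metacharacters
# are rejected (a newline could otherwise smuggle a second lsearch key).
validate_key() {
    case "$1" in
        '')                    return 1 ;;
        *[!A-Za-z0-9._:@+-]*)  return 1 ;;
        *)                     return 0 ;;
    esac
}

# add_to_blocklist FILE KEY: append KEY unless it is already present.
# Prints exactly one word: added, present or invalid.
add_to_blocklist() {
    file=$1
    key=$2
    validate_key "$key" || { echo invalid; return 2; }
    touch "$file"
    # -x: whole-line match, -F: fixed string, so 10.0.0.1 does not match 10.0.0.10
    if grep -qxF -- "$key" "$file"; then
        echo present
        return 0
    fi
    printf '%s\n' "$key" >> "$file"
    echo added
}

# notice KEY REASON: the warning mail the post pipes into exim, as text:
# a Subject header, a blank line, then the body.
notice() {
    printf 'Subject: %s blocked\n\n%s\n' "$1" "$2"
}

# Command-line entry point: block_addr.sh FILE KEY [REASON]
# The notice goes to $WARNTO via $EXIM (assumed variables) only when the key
# was newly added, so a repeat trigger does not resend the mail.
if [ $# -ge 2 ]; then
    result=$(add_to_blocklist "$1" "$2")
    echo "$result"
    if [ "$result" = added ] && [ -n "${WARNTO:-}" ]; then
        notice "$2" "${3:-blocked for bruteforce auth cracking attempt.}" \
            | "${EXIM:-/usr/local/sbin/exim}" -f root "$WARNTO"
    fi
fi
```

The file the script writes is the same plain one-key-per-line layout the `lsearch` lookups in `acl_check_connect` and `acl_check_rcpt` read, so no other part of the configuration changes; the script only replaces the inline shell string.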