Re: [exim] automatically blacklisting clients that fail SMTP…

Top Page
Delete this message
Reply to this message
Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] automatically blacklisting clients that fail SMTPauthentication
Lena@??? wrote:
>> From: lee<lee@???>
>
>> is it possible to automatically blacklist clients that repeatedly fail
>> SMTP authentication?
>
>> Exim dropped the connections after so many failed non-mail commands:
>
> Not many: default for smtp_accept_max_nonmail is 10.
>
>> What I have in mind is to simply have exim deny connections (or all
>> auth attempts) from the IP in question after the authentication failed
>> so many times --- perhaps that?s a feature already built in?
>>
>> If it?s not a built-in feature, perhaps I can make it so that exim
>> appends the IPs in question to some file which is used for a
>> blacklist.
>
> LIM = 100
> PERIOD = 1h
> WARNTO = abuse@???
> EXIMBINARY = /usr/local/sbin/exim -f root
> SHELL = /bin/sh
> ...
> begin acl
> acl_check_auth:
>    drop  message = authentication is allowed only once per message in order \
>                    to slow down bruteforce cracking
>          set acl_m_auth = ${eval10:0$acl_m_auth+1}
>          condition = ${if>{$acl_m_auth}{2}}
>          delay = 22s

>
>    drop  message = blacklisted for bruteforce cracking attempt
>          set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
>          condition = ${if>{$acl_c_authnomail}{4}}
>          continue = ${run{SHELL -c "echo $sender_host_address \
>             >>$spool_directory/blocked_IPs; \
>             \N{\N echo Subject: $sender_host_address blocked; echo; echo \
>             for bruteforce auth cracking attempt.; \
>             \N}\N | EXIMBINARY WARNTO"}}

>
>    accept

>
> acl_check_mail:
>    accept set acl_c_authnomail = 0

>
> acl_check_connect:
> ...
>    drop  message = $sender_host_address locally blacklisted for a bruteforce \
>                    auth (login+password) cracking attempt
>          condition = ${if exists{$spool_directory/blocked_IPs}}
>          condition = ${lookup{$sender_host_address}lsearch\
>                      {$spool_directory/blocked_IPs}{1}{0}}

>
>    accept

>
> acl_check_quit:
>    warn  condition = ${if def:authentication_failed}
>          condition = $authentication_failed
>          logwrite = :reject: quit after authentication failed: \
>                              ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
>          ratelimit = 7 / 5m / strict / per_conn
>          continue = ${run{SHELL -c "echo $sender_host_address \
>             >>$spool_directory/blocked_IPs; \
>             \N{\N echo Subject: $sender_host_address blocked; echo; echo \
>             for bruteforce auth cracking attempt.; \
>             \N}\N | EXIMBINARY WARNTO"}}

>
> acl_check_notquit:
>    warn  condition = ${if def:authentication_failed}
>          condition = $authentication_failed
>          logwrite = :reject: $smtp_notquit_reason after authentication failed: \
>                              ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}

>
> acl_check_rcpt:
> ...
>    accept hosts = !@[] : +relay_from_hosts
>          set acl_m_user = $sender_host_address
>              # or an userid from RADIUS
>          condition = ${if exists{$spool_directory/blocked_relay_users}}
>          condition = ${lookup{$acl_m_user}lsearch\
>                      {$spool_directory/blocked_relay_users}{1}{0}}
>          control = freeze/no_tell
>          add_header = X-Relayed-From: $acl_m_user

>
>    accept hosts = !@[] : +relay_from_hosts
>          !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
>          ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
>          continue = ${run{SHELL -c "echo $acl_m_user \
>             >>$spool_directory/blocked_relay_users; \
>             \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
>             because has sent mail to LIM invalid recipients during PERIOD.; \
>             \N}\N | EXIMBINARY WARNTO"}}
>          control = freeze/no_tell
>          add_header = X-Relayed-From: $acl_m_user

>
>    accept  hosts         = +relay_from_hosts
>            control       = submission/domain=

>
>    accept authenticated = *
>          set acl_m_user = $authenticated_id
> # in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
>          condition = ${if exists{$spool_directory/blocked_authenticated_users}}
>          condition = ${lookup{$acl_m_user}lsearch\
>                      {$spool_directory/blocked_authenticated_users}{1}{0}}
>          control = freeze/no_tell
>          add_header = X-Authenticated-As: $acl_m_user

>
>    accept authenticated = *
>          !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
>          ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
>          continue = ${run{SHELL -c "echo $acl_m_user \
>             >>$spool_directory/blocked_authenticated_users; \
>             \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
>             has sent mail to LIM invalid recipients during PERIOD.; \
>             \N}\N | EXIMBINARY WARNTO"}}
>          control = freeze/no_tell
>          add_header = X-Authenticated-As: $acl_m_user

>
>    accept authenticated = *
>          condition = ${if !={$received_port}{25}}
>          control = submission/domain=
> ...

>
> The checks in rcpt - for spamming from trojaned windozes in LAN and
> using passwords stolen with trojans. The check is based on the fact
> that lists of email addresses spammers send to contain very many
> non-existent addresses.
>


Lena,

Clever!

But it begs a question:

IF 'in LAN' really does mean 'Local...' and taking as a given that
protecting WinDoze from infection is not possible and never will be,

- could you instead operate internally on ONLY a non-standard submission
port and protocol such that 'house configured' MTA would work, but bots
assuming 25, 465, 587 and their respective protocols would not even FIND
the 'real' submission port? (and could be tarpitted on internal-IP
ports 25 & 587.

NB: We use port 24 for our own internals in a like manner, but also
enjoy the privilege of not supporting any WinBoxen...

Bill


--
韓家標