On Wednesday, July 25, 2012 at 15:08:00 UTC, cyborg2@??? confabulated:
> On 25.07.2012 16:33, Lena@??? wrote:
>> 2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232])
>> [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
>> http://www.mail-archive.com/exim-users@exim.org/msg41893.html
>> or the same message:
>> https://lists.exim.org/lurker/message/20120709.132921.ccaf55b3.en.html
>>
> acl_check_auth:
> drop message = authentication is allowed only once per message in order \
> to slow down bruteforce cracking
> set acl_m_auth = ${eval10:0$acl_m_auth+1}
> condition = ${if >{$acl_m_auth}{2}}
> delay = 22s
> drop message = blacklisted for bruteforce cracking attempt
> set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
> condition = ${if >{$acl_c_authnomail}{4}}
> continue = ${run{SHELL -c "echo $sender_host_address \
> >>$spool_directory/blocked_IPs; \
> \N{\N echo Subject: $sender_host_address blocked; echo; echo \
> for bruteforce auth cracking attempt.; \
> \N}\N | EXIMBINARY WARNTO"}}
> ...
> It looks like the answer, thanks.
> If I understood it correctly, this will create a file for each blocked
> IP and check later if it exists.
Incorrect. Only one file is used. Notice the double '>>'. Each IP is
written to 'blocked_IPs'. The lookup is done somewhere else (I use the
connect ACL).
> Just for the record, if you send the IP to your firewall, you won't need
> to check for the files later.
> Each check generates unnecessary IO, hopefully in the cache, but it must
> not be cached already.
> If it's firewalled, the spammer can't DoS the system with requests from
> already blocked IPs.
> If the production system has a thousand and more accounts/domains on it,
> the IO part will become
> vital. The server of my last employer was rated up to 500.000 mails a
> day by spamcop and trust me,
> you do not want to check those blocked IPs with a file.exists() call :)
> Marius
--
If at first you don't succeed...
...so much for skydiving.
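
Added example (not part of the original thread, and not code from Exim or from either poster): one way to hand the single append-only blocked_IPs file discussed above to the firewall, by converting it into input for `ipset restore`. The set name exim_bruteforce, the IPv4-only validation and the sample addresses are assumptions made for this illustration.

```shell
#!/bin/sh
# Convert the append-only blocked_IPs file (one address per line, written by
# the ACL's `echo $sender_host_address >> ...`) into `ipset restore` input.
# Assumptions: IPv4 only; set name "exim_bruteforce" is made up for this example.

SET_NAME="exim_bruteforce"

# Print one "create" line, then one "add" line per distinct, well-formed
# IPv4 address found in the file given as $1. Malformed lines are skipped,
# so a corrupted entry cannot end up in the firewall input.
blocked_to_ipset() {
    printf 'create %s hash:ip\n' "$SET_NAME"
    awk -v set="$SET_NAME" '
        {
            # Exactly four dot-separated decimal fields, nothing else on the line.
            if ($0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            split($0, octet, ".")
            for (i = 1; i <= 4; i++) if (octet[i] + 0 > 255) next
            # The file is append-only, so the same address can appear twice.
            if (!seen[$0]++) printf "add %s %s\n", set, $0
        }' "$1"
}

# Constructed sample standing in for $spool_directory/blocked_IPs
# (documentation address ranges, one duplicate, two invalid lines).
sample=$(mktemp)
printf '%s\n' 192.0.2.10 198.51.100.7 192.0.2.10 'not-an-ip' 300.1.1.1 > "$sample"

blocked_to_ipset "$sample"

# On a real host (as root) the output would be loaded and matched like this:
#   blocked_to_ipset /path/to/spool/blocked_IPs | ipset -exist restore
#   iptables -I INPUT -m set --match-set exim_bruteforce src -j DROP
```

Blocked hosts are then dropped by the kernel in a hash lookup before Exim accepts the connection, so no per-connection file read is needed.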