Re: [exim] Authentication Failure Question

Author: Todd Lyons
Date:  
To: Marc Perkel
CC: exim-users@exim.org >> Exim-users
Subject: Re: [exim] Authentication Failure Question
I had implemented the "max of 1 auth attempt per connection" some
months back when Lena posted an email to the mailing list. I always
intended to implement the second part, applying ratelimits to failed
auth attempts, add to a shared text file, and block based on lookups
to that file.

Due to a recent surge in compromised accounts getting our SMTP Auth
outbound IP on the Mailspike RBL (only that IP and only on that RBL),
I've been fighting compromised accounts sending large amounts of spam
(hitting hourly and daily limits before it gets caught). Some of
that crap is apparently hitting a Mailspike spamtrap. I decided that
today was as good a day as any to make some time and implement the
second part. It took all of 30 minutes. It has been live for 1.5
hours now and it's already blocked 10 IPs.

I just wanted to give a heart-felt thanks to Lena for submitting such
a useful piece of logic.

...Todd


On Thu, Jun 6, 2013 at 10:32 AM, Marc Perkel <marc@???> wrote:
> ok - I see it. Brain dead today.
>
>
>
> On 6/6/2013 10:15 AM, Graeme Fowler wrote:
>>
>> On 6 Jun 2013, at 17:57, Marc Perkel <marc@???> wrote:
>>>
>>> Except that it's not what I can use.
>>
>>
>> Yes, it is. It's absolutely something you can use, if you wrap your brain
>> around it and extract the right bits.
>>
>> You originally asked:
>>
>>> Is there a way for an ACL to do something on authentication failure? I'm
>>> trying to trap the IP addresses of hackers trying to guess passwords.
>>
>> and subsequently asked:
>>
>>> I need to set a variable
>>>
>>> set acl_m_auth_failed = true
>>>
>>> If authentication fails. How do I do that?
>>
>> It's pretty clear to me (having never done this at all) that everything
>> you need is in the Wiki page previously referred to. I'll give you a clue -
>> $authentication_failed. You know where to find an explanation of it.
>>
>> Graeme
>
>
>




--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
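
An Exim configuration sketch of the three pieces the message describes (one AUTH attempt per connection, a ratelimit on failed authentication, and a block file consulted by lookup), added here as an illustration; it is not Todd's or Lena's actual configuration. The macro `AUTH_BLOCKFILE`, its path, the ACL names and the 5-per-hour threshold are assumptions.

```conf
# Added sketch, not the poster's configuration. AUTH_BLOCKFILE, the ACL
# names and the 5-per-hour threshold are assumptions; merge the ACL
# statements into your existing ACLs if these hooks are already in use.

# --- main section ---
AUTH_BLOCKFILE   = /var/spool/exim/auth_blocked_ips
acl_smtp_connect = acl_check_connect
acl_smtp_auth    = acl_check_auth
acl_smtp_quit    = acl_check_authfail
acl_smtp_notquit = acl_check_authfail

# --- ACL section (after "begin acl") ---

# Lookup: refuse hosts already listed in the block file. Lines have the
# lsearch form "ip: timestamp". An IPv6 key contains colons and would
# have to be written in double quotes, so this sketch covers IPv4 only.
acl_check_connect:
  drop   message   = $sender_host_address is blocked after repeated \
                     failed authentication
         condition = ${if exists{AUTH_BLOCKFILE}}
         condition = ${lookup{$sender_host_address}lsearch{AUTH_BLOCKFILE}{yes}{no}}
  accept

# One AUTH command per connection: the first sets a connection variable,
# a second AUTH on the same connection drops the session.
acl_check_auth:
  drop   message   = only one authentication attempt per connection
         condition = ${if eq{$acl_c_auth_seen}{1}}
  accept set acl_c_auth_seen = 1

# Runs at QUIT and when the connection ends without QUIT. Only
# connections whose AUTH failed reach the ratelimit; once a host exceeds
# it, the host is appended to the block file and the event is logged.
acl_check_authfail:
  warn   condition = $authentication_failed
         ratelimit = 5 / 1h / strict / per_conn
         continue  = ${run{/bin/sh -c "echo $sender_host_address: $tod_full \
                     >>AUTH_BLOCKFILE"}}
         logwrite  = blocked $sender_host_address for repeated failed AUTH
  accept
```

The block file must be writable by the user Exim runs as, and entries never expire in this sketch, so pruning old lines is left to a separate job.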