P.S.
> From: Todd Lyons
> > How to block stolen passwords automatically:
> > https://github.com/Exim/exim/wiki/BlockCracking
>
> Lena, one corner case of this is when a legitimate user has one device
> with the wrong password. Picture a typical small office where two or
> three people use a small NAT router to connect to their business-class
> DSL. One person changes their password and fixes it on their iPhone
> because they have to leave to go do something. They leave. Their
> Outlook is still open on their computer and someone comes by to check
> something in the email. Outlook doesn't seem to be working right, so
> they hit the Send/Receive button multiple times. On the Exim server,
> the limit for bad user/pass combinations gets hit and the IP gets
> added to the blacklist. Now the whole office is blocked from sending
> email.
>
> I'd like to ponder whether there is a way to detect that the same
> incorrect password is being sent over and over (indicating a
> misconfigured device) as opposed to random passwords (indicating brute
> forcing). To my knowledge, neither the actual password nor a hash of
> it is made available anywhere except to the authenticator section. Can
> you dream up any sequence that could be used to capture a hash of that
> password, store it, and then use it to compare subsequent attempts?
OK, untested changes to my code at
https://github.com/Exim/exim/wiki/BlockCracking :
1. Replacement for "accept" at the end of acl_check_auth:

  # Remember a hash of the AUTH initial response (the base64 blob after
  # "PLAIN " or "LOGIN ") in a connection variable. The password itself
  # is never stored; only the 0..999 bucket that nhash maps it to is kept.
  # A client that sends no initial response (credentials arrive in a
  # later dialogue step) leaves acl_c_authhash unset.
  accept set acl_c_authhash = ${if match{$smtp_command_argument}\
                                {\N(?i)^(?:plain|login) (.+)$\N}\
                                {${nhash_1000:$1}}}

2. Replacement for entire acl_check_quit:

acl_check_quit:
  # Rate of failed auths from this IP with this particular hash. "strict"
  # keeps updating the rate even once it is over the limit.
  warn condition = ${if def:authentication_failed}
       condition = $authentication_failed
       condition = ${if def:acl_c_authhash}
       ratelimit = 7 / 5m / strict / $sender_host_address-$acl_c_authhash

  # Keep the integer part of that rate for the comparison below.
  warn condition = ${if def:authentication_failed}
       condition = $authentication_failed
       condition = ${if def:acl_c_authhash}
       set acl_c_hashrate = ${sg{$sender_rate}{[.].*}{}}

  # Per-IP failure rate as before. The logwrite fires on every quit after
  # a failed auth; the blacklist entry is only written when the IP is
  # over the limit AND either no hash was captured or the same hash has
  # been seen fewer than twice (each failure used a different password:
  # cracking, not one device retrying a stale password).
  warn condition = ${if def:authentication_failed}
       condition = $authentication_failed
       logwrite  = :reject: quit after authentication failed: \
                   ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
       ratelimit = 7 / 5m / strict / per_conn
       condition = ${if or{\
                       {!def:acl_c_authhash}\
                       {<{$acl_c_hashrate}{2}}\
                     }}
       # SHELL, EXIMBINARY and WARNTO are the placeholders from the wiki
       # page; substitute your shell, exim binary and alert address.
       continue  = ${run{SHELL -c "echo $sender_host_address \
                     >>$spool_directory/blocked_IPs; \
                     \N{\N echo Subject: $sender_host_address blocked; echo; echo \
                     for bruteforce auth cracking attempt.; \
                     \N}\N | EXIMBINARY WARNTO"}}
> From: Cyborg
> That will block most customers who try to send valid newsletters :)
> 10% or more of the address databases of those newsletter senders
> consists of invalid and old addresses.
Do those customers/senders ignore bounces?
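To make the decision structure of the acl_check_quit replacement above concrete, here is a small simulation of it. This is an added example, not code from the BlockCracking wiki page or from anyone in this thread. It assumes a sliding five-minute event count in place of Exim's smoothed "strict" ratelimit, SHA-256 mod 1000 in place of ${nhash_1000:...} (only the bucket count matters for the argument), and constructed client IPs from the documentation ranges; the office, cracker and no-initial-response traffic is made up to exercise the three branches of the ${if or{...}} condition.

```python
import base64
import hashlib
import re
from collections import defaultdict, deque

# Parameters taken from the ACL above: ratelimit = 7 / 5m, and the
# ${if <{$acl_c_hashrate}{2}} test.
LIMIT = 7
PERIOD = 5 * 60
MIN_SAME_HASH = 2

# Same pattern as the ${if match{$smtp_command_argument}...} in acl_check_auth.
AUTH_RE = re.compile(r"(?i)^(?:plain|login) (.+)$")


def auth_hash(smtp_command_argument):
    """Stand-in for acl_c_authhash.

    Hashes the initial-response blob of 'PLAIN <b64>' / 'LOGIN <b64>' into
    one of 1000 buckets. Assumption: SHA-256 mod 1000 replaces Exim's
    ${nhash_1000:...}; the bucket count is what matters, not the function.
    Returns None when the client sends no initial response (credentials
    arrive in a later dialogue step), mirroring an unset acl_c_authhash.
    """
    m = AUTH_RE.match(smtp_command_argument)
    if not m:
        return None
    digest = hashlib.sha256(m.group(1).encode()).digest()
    return int.from_bytes(digest, "big") % 1000


class QuitAclSimulator:
    """Replays acl_check_quit for QUITs that follow a failed AUTH.

    Assumption: a sliding PERIOD-second event count stands in for Exim's
    smoothed 'strict' ratelimit; the decision structure is the same.
    """

    def __init__(self):
        self._hits = defaultdict(deque)  # ratelimit key -> event times

    def _rate(self, key, now):
        events = self._hits[key]
        events.append(now)
        while events and now - events[0] > PERIOD:
            events.popleft()
        return len(events)

    def quit_after_failed_auth(self, now, ip, smtp_command_argument):
        """Return 'ok', 'same-password' (skip blacklisting) or 'block'."""
        h = auth_hash(smtp_command_argument)
        # ratelimit keyed on $sender_host_address-$acl_c_authhash
        hashrate = self._rate((ip, h), now) if h is not None else None
        # ratelimit ... / per_conn keyed on the client IP alone
        if self._rate(ip, now) <= LIMIT:
            return "ok"
        # ${if or{{!def:acl_c_authhash}{<{$acl_c_hashrate}{2}}}}
        if hashrate is not None and hashrate >= MIN_SAME_HASH:
            return "same-password"   # one device retrying one stale password
        return "block"               # fresh password each time, or nothing to compare


def plain_initial_response(user, password):
    """Build the $smtp_command_argument of 'AUTH PLAIN <initial response>'."""
    blob = b"\0" + user.encode() + b"\0" + password.encode()
    return "PLAIN " + base64.b64encode(blob).decode()


def run_scenario(attempts):
    """attempts: [(seconds, client_ip, smtp_command_argument), ...] -> decisions."""
    sim = QuitAclSimulator()
    return [sim.quit_after_failed_auth(t, ip, arg) for t, ip, arg in attempts]


# Constructed sample traffic (not real logs): all events fall inside one window.
OFFICE = [(10 * i, "203.0.113.10",
           plain_initial_response("alice@example.com", "OldPassw0rd"))
          for i in range(12)]                        # Outlook retrying the old password
CRACKER = [(3 * i, "198.51.100.7",
            plain_initial_response("alice@example.com", "guess%03d" % i))
           for i in range(12)]                       # a new guess on every connection
LOGIN_NO_IR = [(3 * i, "192.0.2.44", "LOGIN") for i in range(12)]  # no initial response

if __name__ == "__main__":
    for name, scenario in (("office", OFFICE), ("cracker", CRACKER),
                           ("login-no-ir", LOGIN_NO_IR)):
        print(name, run_scenario(scenario))
```

Two things the simulation makes visible. The hash covers the whole initial response, username included, so two office users each retrying their own stale password produce two different keys and each must repeat a couple of times before it counts as "same-password". And a client that does not send an initial response gets no hash at all and is blacklisted exactly as the unmodified ACL would do, so the relief only applies to PLAIN and LOGIN with an initial response. With only 1000 nhash buckets a cracker's guess will occasionally land in a bucket already seen, which skips one blacklisting opportunity on that quit, not the ones that follow.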