On Wed, Jan 8, 2014 at 4:17 AM, <Lena@???> wrote:
>
>> This mail is sent by some users which mail id was got compromised.
>
> If the spam was sent to your server via SMTP using passwords stolen from
> your users then use this: https://github.com/Exim/exim/wiki/BlockCracking
Lena, exim 4.82 contains a new expansion $authenticated_fail_id which
you might be able to use in your smtp_quit and smtp_not_quit ACL's to
further refine which connections get used as input to the blocking
logic. I have slightly modified your ACL in this manner:
warn condition = ${if def:authentication_failed}
condition = $authentication_failed
condition = ${if def:authenticated_fail_id}
condition = ${perl{is_using_diff_password}{$acl_c_pwhash}}
logwrite = $smtp_notquit_reason after authentication failed: \
${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}\
$authenticated_fail_id
condition = ${if eq{$smtp_notquit_reason}{connection-lost}}
ratelimit = BRUTEFORCE_LIMIT / BRUTEFORCE_PERIOD /
strict / per_conn
continue = ${run{SHELL -c "echo $sender_host_address:
$tod_full >>BRUTEFORCE_IPS "}}
logwrite = :main,reject: Added $sender_host_address to
blacklist for bruteforcing passwords
There are actually three changes that are made above to your code:
1) condition = ${if def:authenticated_fail_id}
2) condition = ${perl{is_using_diff_password}{$acl_c_pwhash}}
3) Added "$authenticated_fail_id" to the logwrite commands
Item #1 handles a common false-positive case we have, where (all of) a
small office with 5 or 6 machines behind a simple Linksys/DLink/Netger
router gets blocked when one device tries to use our mail servers as a
relay without a username defined.
Item #2 handles a second common false-postive case we have where (all
of) the office is blocked if one person's computer has a password
wrong on only 1 mailbox. It is a collection of perl subs which
compares a hash of the password if they are using PLAIN authentication
(doesn't work for LOGIN auth since the password is not available in
$smtp_command at the time this is checked). The bruteforce check is
allowed to continue only if the password is different from previous
passwords submitted. If LOGIN is used, the perl sub can't tell if if
it's different and also lets the bruteforce test continue.
The above ACL modifications result in output such as this:
Feb 3 15:41:24 ivwm53 exim[30857]: 2014-02-03 15:41:24
connection-lost after authentication failed: [198.13.98.125]
(helo=ntm) (set_id=user1@???)
Feb 3 15:44:59 ivwm52 exim[20378]: 2014-02-03 15:44:59
connection-lost after authentication failed:
modemcable138.13-37-24.static.videotron.ca ([24.37.13.138]
helo=ylmf-pc) (set_id=user2@???)
...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
