On Tue, Feb 4, 2014 at 6:45 AM, Todd Lyons <tlyons@???> wrote:
> On Tue, Feb 4, 2014 at 5:42 AM, <Lena@???> wrote:
>>> From: Todd Lyons
>>
>>> > https://github.com/Exim/exim/wiki/BlockCracking
>>>
>>> Lena, exim 4.82 contains a new expansion $authenticated_fail_id which
>>> you might be able to use in your smtp_quit and smtp_not_quit ACL's to
>>> further refine which connections get used as input to the blocking
>>> logic.
>>
>> 4.82 has also ${acl{ expansion item. I use it in current version
>> of the code at the above URL. $authenticated_fail_id contains username only.
>> Using ${acl{ , I grab password too (in PLAIN and LOGIN authenticators).
>> So, the current version of my code can distinguish the same wrong password
>> tried multiple times (benign) from trying multiple passwords
>> for the same username (cracking attempt).
>
>> Current version of my code does all that with both PLAIN and LOGIN.
>
> Very nice, I had not checked the wiki to see if it was updated. I am
> updating my servers now!
I have slowed down and am studying it instead of rolling out changes.
You moved the shell command into different ACLs and I have to fully
grok it before I can put it on a production machine.
As usual, an excellent piece of work Lena.
...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
