Re: [exim] Drop messages at RCPT time based on IP/Subnet

Author: Alex
Date:  
To: exim-users
Subject: Re: [exim] Drop messages at RCPT time based on IP/Subnet
Hi Ted,

Didn't know about iplsearch, that's neat. I guess the drawback with
dnsbl is that it's not very granular with the choice of blocking IP
addresses. I can't really block say a /28 for example. Your approach
would be much better for this. At the moment with the dnsbl I am stuck
with knocking out a single IP, a /24 or /16 or /8 (can't imagine EVER
knocking out a /8, that's just insane).

Is there an iplsearch equivalent that can do MySQL table lookups? I am
really trying to shift away from flat files where possible and have
everything in one central database.

For the moment DNSbl seems to be working a treat, the same clowns who
are slipping through the cracks got an unexpected surprise this morning
during their usual spam run (I have fail2ban also setup which monitors
the exim rejectlog for the string which matches a connect reject due to
dnsbl listing then firewalls out the IP for a few hours (stops them
trying again and again and again and again and again)). Quite hilarious.
I am literally sitting here laughing whilst watching the reject log. One
small battle against the sneaky spammers where I am winning.

Thanks to all who have responded so far. It's good to know there are
other alternatives.

Cheers,
Alex.


On 2014-08-16 09:49, Ted Cooper wrote:
> (oops, I sent this previously to the list with the wrong from address
> ..
> I'm guessing it is stuck in the moderation queue. Sorry mods!)
>
> Your dnsbl, as written, will block 21.231.0.0/16. After looking at the
> networks included though ... yeah, probably fine.
>
> What you are trying to do is also achievable with iplsearch. I have
> numerous of these to change behaviour depending on sending host.
>
> Somewhere relevant in your ACLs: (You appear to want to use connect - I
> usually put them in the RCPT TO ACL so that I can see who they are trying
> to send to)
>
> deny message = No Thanks - Tired of the spam from your host/network
>      condition = ${lookup{$sender_host_address}iplsearch{/PATH/TO/FILE}{yes}{no}}
>
> /PATH/TO/FILE contains:
> 23.231.32.0/21 # ITECH SERVICES, LLC
> 21.231.0.0/16 # Actually, the whole /16 looks crummy. Maybe list all!
> 23.231.32.36 # Or you can just list single IPs
>
> (everything after the # is comment)
>
> NB: There will come a point when a linear IP search of a file becomes a
> resource hog on every connection. After this, you may wish to move to
> an indexed database to speed things up again. Or a companion daemon which
> Exim communicates to using udpsend (no replies) or readsocket.
>
> On 15/08/14 14:53, Alex wrote:
>> Actually, it's not all that hard (creating one's own dnsbl list - since
>> I run a DNS server I was in a position to implement it), I had a read of
>> RFC5872 (DNSBL).
>>
> [snip]
>> *.231.23.bl.mydomain.com A 127.0.0.2
>> *.231.23.bl.mydomain.com TXT "No Thanks - Tired of the spam from your
>> host/network."
> [snip]
>> On 2014-08-15 13:08, Alex wrote:
>>> Hi Everyone,
>>>
>>> Is there a way to knock back connections from an IP address/subnet at
>>> receipt time (in the same fashion that a connection is rejected if a
>>> match is found in a dnsbl)?
>>>
>>> I am ultimately wanting to refuse mail from a subnet:
>>>
>>> ITECH SERVICES, LLC CUST-NETBLK-PHX-23-231-32-0-21
>>> (NET-23-231-32-0-1)
>>> 23.231.32.0 - 23.231.39.255
> [snip]
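The thread compares three ways of rejecting a sending host by address: Ted's iplsearch file (a linear scan of CIDR entries with `#` comments), Alex's private DNSBL (a reversed-octet wildcard record, which is why it can only express /8, /16 or /24 sized blocks), and the database-backed lookup Alex asks about. The following is an added example, not code from the thread or from Exim itself, that models all three in plain Python so the matching semantics can be checked offline. The list contents are the thread's own sample entries; the `blocked` table, its column names and the integer start/end layout are assumptions (the thread gives no SQL schema), and the sqlite3 database stands in for the MySQL table Alex has in mind, where `INET_ATON` would produce the same integers.

```python
"""Added example (not from the exim-users thread): iplsearch-style CIDR matching,
DNSBL wildcard coverage, and an integer-range table lookup, side by side."""
import ipaddress
import sqlite3

# Constructed sample in the iplsearch file format shown in the thread:
# one IP or CIDR per line, everything after '#' is a comment.
IPLIST_FILE = """\
23.231.32.0/21 # ITECH SERVICES, LLC
21.231.0.0/16  # whole /16 entry from the thread's sample file
23.231.32.36   # a single host
"""


def parse_iplist(text):
    """Parse iplsearch-style text into ip_network objects; bad lines raise ValueError."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop comment and whitespace
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set in a prefix, e.g. 10.0.0.1/24
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad entry {entry!r}") from exc
    return nets


def iplist_match(addr, nets):
    """Linear scan, as iplsearch does: first network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if ip in net:
            return net
    return None


def dnsbl_query_name(addr, zone):
    """Reverse the octets and append the zone, the way a DNSBL client queries."""
    octets = str(ipaddress.ip_address(addr)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_wildcard_covers(addr, wildcard, zone):
    """True if a record like '*.231.23.bl.example' would answer the query for addr.

    A DNS wildcard matches one or more leading labels, so a wildcard at the
    second reversed octet covers the whole /16, not just the /21 intended."""
    qname = dnsbl_query_name(addr, zone)
    suffix = wildcard[len("*"):]  # '.231.23.bl.example'
    return qname.endswith(suffix) and len(qname) > len(suffix)


def build_ip_table(nets):
    """Assumed schema: one row per network as integer start/end (MySQL's
    INET_ATON yields the same numbers), so one BETWEEN query finds a match."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE blocked (net TEXT, net_start INTEGER, net_end INTEGER)"
    )
    db.executemany(
        "INSERT INTO blocked VALUES (?, ?, ?)",
        [(str(n), int(n.network_address), int(n.broadcast_address)) for n in nets],
    )
    return db


def table_match(db, addr):
    """Most specific (smallest) blocked network containing addr, or None."""
    ip = int(ipaddress.ip_address(addr))
    row = db.execute(
        "SELECT net FROM blocked WHERE ? BETWEEN net_start AND net_end "
        "ORDER BY net_end - net_start LIMIT 1",
        (ip,),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    nets = parse_iplist(IPLIST_FILE)
    db = build_ip_table(nets)
    for host in ("23.231.32.36", "23.231.40.1", "21.231.5.5"):
        print(host, "iplsearch:", iplist_match(host, nets),
              "table:", table_match(db, host),
              "dnsbl /16 wildcard:",
              dnsbl_wildcard_covers(host, "*.231.23.bl.mydomain.com", "bl.mydomain.com"))
```

Running it shows the granularity difference Alex describes: 23.231.40.1 is outside the /21 and is rejected by neither the file nor the table, but the `*.231.23` wildcard record still answers for it, because the wildcard cannot express anything narrower than the /16. The table query is also what makes a central database workable: the range comparison is a single indexed lookup rather than a scan over every line on every connection.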