[exim] auth cracking

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Lena
Datum:  
To: exim-users
Betreff: [exim] auth cracking
For those who use my config code to block brute force auth cracking:
Some cracker bots use concurrent connections
(up to smtp_accept_max_per_host, default 20 connections),
that could cause a batch of multiple email notifications about
the same IP-address blocked. I tried to prevent redunant notifications,
but iplsearch lookup result was cached, so the prevention didn't work.
I rewrote prevention condition using a named list containing $
which disables caching results of the lookup using such named list:

hostlist blocked_ips = $spool_directory/blocked_IPs
...
        condition = ${if exists{$spool_directory/blocked_IPs}\
                         {${if match_ip{$sender_host_address}{+blocked_ips}\
                               {0}{1}}}\
                         {1}}


At last a cracker bot tested my code. :)
I updated the wiki: https://github.com/Exim/exim/wiki/BlockCracking