[exim] auth cracking

Author: Lena
Date:  
To: exim-users
Subject: [exim] auth cracking
For those who use my config code to block brute force auth cracking:
Some cracker bots use concurrent connections
(up to smtp_accept_max_per_host, default 20 connections),
that could cause a batch of multiple email notifications about
the same IP-address blocked. I tried to prevent redundant notifications,
but iplsearch lookup result was cached, so the prevention didn't work.
I rewrote prevention condition using a named list containing $
which disables caching results of the lookup using such named list:

hostlist blocked_ips = $spool_directory/blocked_IPs
...
        condition = ${if exists{$spool_directory/blocked_IPs}\
                         {${if match_ip{$sender_host_address}{+blocked_ips}\
                               {0}{1}}}\
                         {1}}


At last a cracker bot tested my code. :)
I updated the wiki: https://github.com/Exim/exim/wiki/BlockCracking
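
A simplified model of the effect described in the message above, as an added example that is not part of the original post and is neither Exim code nor Lena's configuration. It assumes each SMTP connection is served by its own handler with a private lookup cache; the class and function names and the sample address are hypothetical.

```python
# Assumed model: one handler per SMTP connection, each with its own lookup
# cache, all sharing a single blocked-IPs file (a Python list stands in for it).

class Connection:
    def __init__(self, ip, blocked_file, cache_lookups):
        self.ip = ip
        self.blocked_file = blocked_file    # shared between all connections
        self.cache_lookups = cache_lookups  # True models the cached lookup
        self._cache = {}                    # private to this connection

    def is_blocked(self):
        """Look the address up in the shared file, optionally via the cache."""
        if self.cache_lookups and self.ip in self._cache:
            return self._cache[self.ip]     # may be stale
        result = self.ip in self.blocked_file
        if self.cache_lookups:
            self._cache[self.ip] = result
        return result

    def on_connect(self):
        """Connect-time check; with caching on, this stores 'not blocked'."""
        return not self.is_blocked()

    def on_limit_exceeded(self, notifications):
        """Block and notify only if the address is not already in the file."""
        if not self.is_blocked():
            self.blocked_file.append(self.ip)
            notifications.append(self.ip)


def simulate(concurrent, cache_lookups, ip="192.0.2.10"):
    """Return how many notifications a burst of concurrent connections causes.

    The address is a constructed sample from the documentation range.
    """
    blocked_file, notifications = [], []
    conns = [Connection(ip, blocked_file, cache_lookups)
             for _ in range(concurrent)]
    # All connections are opened before any of them reaches the failure limit.
    accepted = [c for c in conns if c.on_connect()]
    for c in accepted:
        c.on_limit_exceeded(notifications)
    return len(notifications)


if __name__ == "__main__":
    print("cached lookup:  ", simulate(20, cache_lookups=True))
    print("uncached lookup:", simulate(20, cache_lookups=False))
```

The model runs the handlers one after another, so it shows only the stale-cache effect; it does not model two handlers checking the file at the same instant.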