On Tue, 12 Jan 2016, Richard Doyle wrote:
> From: Richard Doyle <listsub@???>
> To: exim-users@???
> Date: Tue, 12 Jan 2016 16:26:47
> Subject: Re: [exim] exim still accepting email after 550 from acl_check_helo
...
> > (I believe it's not even trying to send mail, but instead is trying
> > a brute force SMTP AUTH attack.)
> This works for me. In acl_smtp_auth:
>
> drop condition = ${if match{$sender_helo_name}{ylmf-pc}{yes}{no}}

It's a long time ago now -- nearly a decade -- but I used to
try and slow down brute force SMTP AUTH attacks by including the
following near the start of acl_smtp_auth:

  # Throw in a delay of a few seconds. This will hardly be noticed
  # by humanoid-driven clients. But it'll slow down any miscreant
  # robot running Rumplestiltskin attacks against us...yes this is
  # paranoia on steroids...
  warn delay = 2s

The above was obviously included after drop/deny statements for known
unfriendly hosts.

--
Dennis Davis <dennisdavis@???>
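
Added example, not part of the original messages: the two snippets from this thread assembled into one acl_smtp_auth ACL, showing the ordering described above (drop known-unfriendly clients first, then delay everyone else). The ACL name acl_check_auth and the message text are assumptions made for illustration.

```exim
# --- main configuration section ---
# Run this ACL every time a client issues the SMTP AUTH command.
# "acl_check_auth" is a hypothetical name chosen for this example.
acl_smtp_auth = acl_check_auth

# --- ACL section ---
begin acl

acl_check_auth:

  # 1. Known-unfriendly clients are dropped first. "drop" rejects the
  #    AUTH command and closes the connection, so these hosts never
  #    reach the delay below and do not tie up a server process for
  #    the extra seconds. The condition is the one quoted in the thread.
  drop  condition = ${if match{$sender_helo_name}{ylmf-pc}{yes}{no}}
        message   = Authentication not permitted    # constructed text

  # 2. Everyone else waits a couple of seconds before the AUTH command
  #    is processed. A person configuring a mail client will hardly
  #    notice; a robot guessing passwords is held to one attempt per
  #    delay interval on each connection.
  warn  delay = 2s

  # 3. Let the authenticators run. Without a final "accept" the ACL
  #    ends in an implicit deny and every AUTH command is refused.
  accept
```

The delay is paid by the server as well as the client, since the connection stays open while Exim waits, which is why the drop/deny statements come before it.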