Hello all,
MY exim server does not support ANY net-facing logins at all, and AUTH
is not advertised. Yet, I am getting increasing numbers of AUTH
attempts. I am looking for the best way to block IPs that attempt (have
attempted) AUTH.
I am not concerned about site penetration because Exim automatically
rejects all the AUTH attempts with "503 AUTH command used when not
advertised". However, there are clients (almost all with Chinese IPs)
that are generating AUTH attempts at a rate exceeding 10 per second, in
blasts of several minutes. This, despite sending EHLO, to which my
server responds with a very short list:
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
(Some guys just can't accept no!)
The result of all these useless attempts is log pollution and wasted
resources at best, and perhaps something akin to DOS if it keeps
increasing. (It started out a with an attempt by a random IP every 5
minutes, but lately seems to worsen daily.)
I suppose I could eliminate almost all of this by simply refusing
connection to any Chinese IP based on a filter file. I copied a CIDR
list in iplsearch acceptable format from a web site, but it contains
4226 entries! (
http://www.okean.com/chinacidr.txt)
However, this filter would probably be a worse resource drain than the
current dropped connections. (Not sure how efficient exim's search of
such a filter is)
My main idea now is to refuse connection using a much smaller
self-maintained filter file that contains a list of IPs of "known bad
actors". Where I am stymied on that is knowing how to add entries to the
filter file inside exim, at the time AUTH is attempted (or perhaps other
objectionable activity). I presume a custom logging file would not work
because it would always be open while exim is running, so could not be
opened for filtering.
Any help appreciated (including better ideas).
Phil Carroll
