https://bugs.exim.org/show_bug.cgi?id=2188
Bug ID: 2188
Summary: Moving recipient check last to mitigate brute-force address scan
Product: Exim
Version: N/A
Hardware: x86
OS: Linux
Status: NEW
Severity: security
Priority: medium
Component: ACLs
Assignee: jgh146exb@???
Reporter: development@???
CC: exim-dev@???
Created attachment 1047
-->
https://bugs.exim.org/attachment.cgi?id=1047&action=edit
patch to move recipient check down
This recently came up in Exim logs:
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attacker@???> rejected RCPT <test1@???>: Unrouteable address
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attacker@???> rejected RCPT <test2@???>: Unrouteable address
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attacker@???> rejected RCPT <test3@???>: Unrouteable address
....
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attacker@???> rejected RCPT <validaddress@???>: SPF check failed.
An attacker successfully found a valid local address using brute-force scan.
This was only possible because recipient verification happens early (in this
case before the SPF check).
In order to mitigate this kind of attack, we moved recipient verification down
so that it happens after all other checks that could potentially cause a deny.
I think the Exim default config could be improved likewise, by moving sender
verification down after DNSBL checks.
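As an added illustration (not the reporter's attached patch and not Exim's shipped default configuration), a simplified RCPT ACL in the ordering the report describes, followed by the reordered version; it assumes Exim built with SPF support, a placeholder DNSBL name dnsbl.example, and that acl_smtp_rcpt points at whichever ACL is in use:

```exim
# Weak ordering: recipient verification runs first, so the reply to RCPT
# already tells a scanning host whether an address routes ("Unrouteable
# address") before any of the policy checks below can reject the client.
acl_check_rcpt_weak:
  require verify        = recipient

  deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain
          dnslists      = dnsbl.example

  deny    message       = SPF check failed.
          spf           = fail

  accept

# Reordered: every check that can deny a scanning host runs before the
# recipient is looked at. A listed or SPF-failing client receives the same
# rejection for every RCPT and learns nothing about which addresses exist.
acl_check_rcpt:
  deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain
          dnslists      = dnsbl.example

  deny    message       = SPF check failed.
          spf           = fail

  # Only clients that passed the policy checks above get a verification result.
  require verify        = recipient

  accept
```

Exim evaluates ACL statements top to bottom, so with the second ordering the log lines in the report would all read "SPF check failed." and the valid address would not stand out.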