Re: [exim] Count only rejected connections

Author: Lena
Date:  
To: exim-users
Subject: Re: [exim] Count only rejected connections
> From: Sebastian Arcus

> drop   message      = Invalid HELO/EHLO
>         condition    = ${if eq{$received_port}{25}}
>         condition    = ${if match{$sender_helo_name}{.+\\\..+\\\..+} \
>                            {no}{yes}}


Some legitimate senders can have a hostname and HELO with only one dot,
like example.com.

I block EHLO ylmf-pc (a signature of Cutwail/Pushdo bot) at first sight:

# Macros (main configuration section, before "begin acl")
WARNTO = abuse@???
# change this to your email address
SHELL = /bin/sh
# Body of the notification mail. The PTR name is stripped of everything outside
# [\w.,-] before it reaches the shell; $dnslist_text is the TXT record returned
# by the DNS list, i.e. third-party data, so it goes through the same kind of
# filter here (spaces kept so the text stays readable).
IPNOTIF = echo Subject: blocked $sender_host_address \
  ${sg{$dnslist_text}{\N[^\w ., -]\N}{}} \
  ${sg{${lookup dnsdb{>, defer_never,ptr=$sender_host_address}}}{\N[^\w.,-]\N}{}}; \
  echo; echo for bruteforce auth cracking attempt.;

# The ACLs below are wired in from the main section (not shown in the post) with
#   acl_smtp_connect = acl_check_connect
#   acl_smtp_helo    = acl_check_helo
begin acl

acl_check_helo:
  drop  message   = Cutwail/PushDo bot blacklisted
        condition = ${if eq{$sender_helo_name}{ylmf-pc}}
        # sub-ACL only sets $dnslist_text for the notification
        acl       = setdnslisttext
        # side effect: record the IP and mail the notification
        continue  = ${run{SHELL -c "echo $sender_host_address \
                      >>$spool_directory/blocked_IPs; \
                      \N{\N IPNOTIF \N}\N | $exim_path -f root WARNTO"}}
        # if this bot is dropped at helo, it repeats multiple times,
        # but if dropped at connect, it tries only twice

  accept

setdnslisttext:
  accept dnslists = zz.countries.nerd.dk

  accept

acl_check_connect:
  drop  message   = $sender_host_address locally blacklisted for a bruteforce \
                    auth (username+password) cracking attempt
        condition = ${if exists{$spool_directory/blocked_IPs}}
        condition = ${lookup{$sender_host_address}iplsearch\
                     {/var/..$spool_directory/blocked_IPs}{1}{0}}
        # Another path to the same file in order to circumvent lookup caching.

  accept
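As an added illustration (my own code, not Lena's, Sebastian's or Exim's), the following Python models the two HELO rules discussed above and the blocked_IPs file: Sebastian's two-dot regex, Lena's exact ylmf-pc match, the sg-style filter applied before a value reaches sh -c, and a small emulation of the iplsearch lookup at connect time. The looser label-by-label hostname check, the function names, and the sample sessions (documentation addresses, constructed here) are mine and are not from the thread.

```python
import ipaddress
import re
import tempfile
from pathlib import Path

# Sebastian's quoted rule: a HELO without at least two dots is dropped.
# Exim's "match" condition is an unanchored PCRE search, hence re.search below.
TWO_DOT_RULE = re.compile(r".+\..+\..+")

# Lena's rule: drop the exact HELO string (case-sensitive, like Exim's "eq")
# that Cutwail/Pushdo bots send.
BOT_HELO = "ylmf-pc"

# Looser check (assumption, my own, not from the thread): at least one dot and
# every label 1-63 chars of [A-Za-z0-9-] that neither starts nor ends with "-".
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def dropped_by_two_dot_rule(helo: str) -> bool:
    """True if the two-dot regex would reject this HELO (e.g. example.com)."""
    return TWO_DOT_RULE.search(helo) is None


def looks_like_fqdn(helo: str) -> bool:
    """True for one-dot names such as example.com as well as longer ones."""
    labels = helo.split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def sanitize_for_shell(text: str) -> str:
    r"""Same filter as the post's ${sg{...}{\N[^\w.,-]\N}{}}: drop every
    character outside word chars, dot, comma and dash before sh -c sees it."""
    return re.sub(r"[^\w.,-]", "", text)


def record_blocked_ip(blocklist: Path, ip: str) -> None:
    """Emulates the `echo $sender_host_address >> blocked_IPs` side effect."""
    with blocklist.open("a") as fh:
        fh.write(ip + "\n")


def ip_is_blocked(blocklist: Path, ip: str) -> bool:
    """Emulates ${lookup{ip}iplsearch{file}}: each line is an address or
    address/prefix (IPv6 keys double-quoted), optionally followed by ': data'."""
    if not blocklist.exists():
        return False
    addr = ipaddress.ip_address(ip)
    for line in blocklist.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"'):
            key = line[1:].split('"', 1)[0]
        else:
            key = re.split(r"[:\s]", line, maxsplit=1)[0]
        try:
            if addr in ipaddress.ip_network(key, strict=False):
                return True
        except ValueError:
            continue  # malformed line: ignore, as a lookup miss
    return False


def process(blocklist: Path, ip: str, helo: str) -> str:
    """One SMTP session in the order of the post: connect-stage blocklist
    first, then the HELO check. Returns the stage and verdict."""
    if ip_is_blocked(blocklist, ip):
        return "drop@connect"
    if helo == BOT_HELO:
        record_blocked_ip(blocklist, ip)
        return "drop@helo"
    return "accept"


def demo() -> list:
    """Constructed sample sessions (documentation addresses, not real hosts).
    Returns (ip, helo, verdict under the ylmf-pc rule, dropped by two-dot rule)."""
    sessions = [
        ("192.0.2.10", "example.com"),          # legitimate one-dot HELO
        ("192.0.2.20", "ylmf-pc"),              # bot, first contact
        ("192.0.2.20", "ylmf-pc"),              # bot retrying
        ("198.51.100.5", "mail.example.org"),   # ordinary FQDN
    ]
    with tempfile.TemporaryDirectory() as tmp:
        blocklist = Path(tmp) / "blocked_IPs"
        return [(ip, helo, process(blocklist, ip, helo), dropped_by_two_dot_rule(helo))
                for ip, helo in sessions]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running demo() shows the point of the reply: example.com is accepted by the ylmf-pc rule but rejected by the two-dot regex, while the bot is dropped at HELO on first contact and at connect on every retry once its address is in the file.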