[exim] tons of brute force cracking events

Author: Cyborg
Date:  
To: exim-users
Subject: [exim] tons of brute force cracking events
Hi Guys,

Out of the blue, one particular Exchange server generates tons of these
messages:

2018-06-07 12:26:17 H=(XXX) [XXX] X=TLSv1.2:DHE-RSA-AES128-SHA:128 CV=no
rejected AUTH LOGIN: blacklisted for bruteforce cracking attempt

generated by this ACL:

acl_check_auth:

  drop  message = blacklisted for bruteforce cracking attempt
        set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
        condition = ${if >{$acl_c_authnomail}{4}}


After we restart exim, those messages stop.

We are not 100% sure whether we stopped it by restarting, or whether the
customer did something similar to his Exchange server and just did not
tell us.

And here comes the million $ question: has anyone seen this behavior
with "Exim version 4.90_1 #2" and other Exchange servers before, and
knows who is to blame for it?

A short timeline:

16th of May: tons of those messages
6th of June: tons of those messages

Days in between: not one error with the same Exchange server, and they
send hundreds of mails each day.

Of course, we have the same message for other hosts, but those are
spammers trying to hack an account, and that's 1 line a day at best ;)


If you can shed some light on the topic, let me know.

best regards,
Marius
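A model of the counting logic in that ACL, added here as an illustration and not code from Exim or from the poster. It assumes Exim's documented behaviour that acl_c_ variables persist for the life of the SMTP connection and that modifiers and conditions are evaluated in the order written, so the counter is bumped on every AUTH command before the threshold is tested; the connection ids and peer address are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Threshold from the ACL in the post: condition = ${if >{$acl_c_authnomail}{4}}
AUTH_THRESHOLD = 4
DROP_MESSAGE = "blacklisted for bruteforce cracking attempt"


@dataclass
class Connection:
    """One SMTP connection; Exim's acl_c_* variables live exactly this long."""
    peer: str
    acl_c_authnomail: str = ""  # ACL variables are strings and start out empty
    dropped: bool = False


def eval10_increment(value: str) -> str:
    """${eval10:0$acl_c_authnomail+1}: the leading 0 makes an unset variable read as 0."""
    return str(int("0" + value) + 1)


def acl_check_auth(conn: Connection) -> Optional[str]:
    """Apply the post's acl_check_auth to one AUTH command on this connection.

    The 'set' modifier runs before 'condition', so the counter is incremented
    on every AUTH command, successful or not, and only then compared to 4.
    Returns the drop message, or None when the AUTH is allowed to proceed.
    """
    conn.acl_c_authnomail = eval10_increment(conn.acl_c_authnomail)
    if int(conn.acl_c_authnomail) > AUTH_THRESHOLD:
        conn.dropped = True  # 'drop' rejects the command and closes the connection
        return DROP_MESSAGE
    return None


def replay(events: List[Tuple[str, str]]) -> List[Tuple[str, int, Optional[str]]]:
    """Replay (connection_id, peer) pairs, one per AUTH command, through the ACL."""
    conns = {}
    outcomes = []
    for cid, peer in events:
        conn = conns.setdefault(cid, Connection(peer))
        if conn.dropped:
            continue  # a dropped connection sees no further commands
        verdict = acl_check_auth(conn)
        outcomes.append((cid, int(conn.acl_c_authnomail), verdict))
    return outcomes


if __name__ == "__main__":
    # Constructed sample: six AUTHs on one connection, then two on a fresh one.
    sample = [("conn-A", "192.0.2.10")] * 6 + [("conn-B", "192.0.2.10")] * 2
    for cid, count, verdict in replay(sample):
        print(cid, count, verdict or "AUTH proceeds")
```

The fifth AUTH on conn-A is the one that produces the "blacklisted" line, while conn-B from the same peer starts again from zero, which is why a client that re-authenticates many times within one connection looks like a brute-force attempt to this ACL.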