Re: [exim] Hostname and TLD drops

Author: Cyborg
Date:  
To: exim-users
Subject: Re: [exim] Hostname and TLD drops
On 25.08.2018 at 21:27, scout--- via Exim-users wrote:
> Hi, newbie questions please..
>
> I can't figure out how to drop certain hostname connects. I get
> thousands of these types of connects per day:
>
> 2018-08-25 14:16:39.473 [25870] H=69.130.32.95.dsl-dynamic.vsi.ru
> (sex.com) [95.32.130.69]:7481 I=[1.2.3.4]:25 sender verify fail for
> <email-account1@???>: No Such User Here"
> 2018-08-25 14:16:39.473 [25870] H=69.130.32.95.dsl-dynamic.vsi.ru
> (sex.com) [95.32.130.69]:7481 I=[1.2.3.4]:25
> F=<email-account1@???> rejected RCPT
> <email-account1@???>: Sender verify failed
>
> Hostname IPs are always hacked international user computers so
> there's no sense trying to throw the IPs in a firewall. The only
> constant is that every single


Take the real IP, put it in a firewall rule, note the time, remove the
block after 24h. Works well.
The actual spammer can't send mails anymore; the original server owner
can send mails again later, once he has removed his hack.

> connection is for the same non-existing account:
> email-account1@???, and they all have 'sex.com' or
> my-domain-name in the hostname H=. Yes, they currently all fail with
> just two lines of code in the logs, but the volume of connections is
> increasing daily.
>
> I'm looking for something along the lines of:
>
> If hostname equals 'sex.com' or hostname equals 'my-domain-name.net'
> drop connection (don't process or write to the logs)
>


Nothing is more easily spoofed and changed than that. So, your rule would
only be temporarily effective. SpamAssassin rules should cover it
and they get updated from time to time. I suggest using SpamAssassin on
your server.

You can also use SPAMHAUS or NIXSPAM DNS-BLs; both are very effective
against spammers. The false positives are next to zero.

best regards,
Marius
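
The temporary block described in this reply, as an added example that is not part of the original message: it reads rejection lines in the log format quoted above, keys on the bracketed connecting IP rather than the HELO name, and emits ipset entries that expire 24 hours after the last rejection. The set name exim_block, the threshold of two rejections and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

BLOCK_TTL = timedelta(hours=24)  # "remove the block after 24h"
IPSET_NAME = "exim_block"        # hypothetical set, created beforehand with:
                                 #   ipset create exim_block hash:ip timeout 86400
# Each refused connection logs two lines; count only "rejected RCPT" so it is
# counted once. The first [...] after H= is the TCP peer address, which the
# client cannot pick freely the way it picks the HELO name in parentheses.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S* .*?"
    r"H=.*?\[(?P<ip>[0-9A-Fa-f.:]+)\].*rejected RCPT"
)
# Constructed sample lines (documentation addresses), one log entry per line.
SAMPLE_LOG = """\
2018-08-25 14:16:39.473 [25870] H=host1.example (sex.com) [203.0.113.7]:7481 I=[192.0.2.1]:25 sender verify fail for <a@example.org>: No Such User Here
2018-08-25 14:16:39.473 [25870] H=host1.example (sex.com) [203.0.113.7]:7481 I=[192.0.2.1]:25 F=<a@example.org> rejected RCPT <a@example.org>: Sender verify failed
2018-08-25 15:02:10.100 [25901] H=(sex.com) [203.0.113.7]:9100 I=[192.0.2.1]:25 F=<a@example.org> rejected RCPT <a@example.org>: Sender verify failed
2018-08-24 09:00:00.000 [100] H=(sex.com) [198.51.100.9]:4000 I=[192.0.2.1]:25 F=<a@example.org> rejected RCPT <a@example.org>: Sender verify failed
2018-08-24 09:05:00.000 [101] H=(sex.com) [198.51.100.9]:4001 I=[192.0.2.1]:25 F=<a@example.org> rejected RCPT <a@example.org>: Sender verify failed
"""

def rejections(lines):
    """Yield (timestamp, connecting_ip) for each rejected-RCPT log line."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]

def active_blocks(lines, now, threshold=2):
    """Map ip -> expiry for hosts with >= threshold rejections whose 24h
    window, counted from the latest rejection, has not ended yet."""
    seen = defaultdict(list)
    for ts, ip in rejections(lines):
        seen[ip].append(ts)
    blocks = {}
    for ip, stamps in seen.items():
        expiry = max(stamps) + BLOCK_TTL
        if len(stamps) >= threshold and expiry > now:
            blocks[ip] = expiry
    return blocks

def ipset_commands(blocks, now):
    """Render blocks as ipset entries; the timeout removes them automatically."""
    return [
        f"ipset add {IPSET_NAME} {ip} timeout {int((exp - now).total_seconds())} -exist"
        for ip, exp in sorted(blocks.items())
    ]

if __name__ == "__main__":
    now = datetime(2018, 8, 25, 16, 0, 0)
    print("\n".join(ipset_commands(active_blocks(SAMPLE_LOG.splitlines(), now), now)))
```

The second sample host is left out because its last rejection is more than 24 hours old, which is the "remove the block" half of the procedure.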