Re: [exim] exim block auth (geoip)

Top Page
Delete this message
Reply to this message
Author: Jasen Betts
Date:  
To: exim-users
Subject: Re: [exim] exim block auth (geoip)
On 2018-10-03, Emanuel Gonzalez via Exim-users <exim-users@???> wrote:
> Hello,
>
> lately we are suffering from dictionary attacks, as a prevention method I use "fail2ban", but in some cases users use passwords that are easy to guess and are used to send spam through bots.
>
> Examples:
>
> Subject: Remittance Advice
>
> Subject: Remittance Advice
>
> Subject: Rambert Nicolas SRS Invoice is ready
>
> These bots are connected from countries such as Japan, China, etc.
>
> 41.169.76.242 ZA, South Africa
> 41.212.221.171 MU, Mauritius
> 102.164.219.218 ZA, South Africa
> 105.227.189.244 ZA, South Africa
> 112.134.249.221 LK, Sri Lanka
> 202.166.171.50 PK, Pakistan
> 211.203.71.253 KR, Korea, Republic of
> 212.12.14.33 RU, Russian Federation
>
> Through exim created rules to block certain subjects but it constantly changes.
>
> My question is, is there any module to block smtp authentication from certain countries?, or some idea of ​​how to work with this problem.


If you pnly offer auth on ports other than 25 you could use firewall
rules to block those ports.

there's also geolocation via DNS RBL services that could be applied.
(check valli.org for a fairly exhaustive RBL list)

not of this actually works 100% because IANA allocates addresses
based on where the AS (controlling organisation) is headquartered
not on physical location of the hardware.

-- 
     ت