[exim] Auth command used when not advertised

Author: Russell King
Date:  
To: exim-users
Subject: [exim] Auth command used when not advertised
Hi,

My mail server is being hit with auth attempts when the helo hasn't
advertised the presence of authentication - for example, this
morning for an hour:

2018-11-25 09:23:58 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (M9AIVXy9WZ) [35.231.157.15]:53324 I=[78.32.30.218]:587 AUTH command used when not advertised
2018-11-25 09:23:58 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (WHFIaBK) [35.231.157.15]:53620 I=[78.32.30.218]:587 AUTH command used when not advertised
2018-11-25 09:23:59 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (7bdz0k) [35.231.157.15]:53712 I=[78.32.30.218]:587 AUTH command used when not advertised
...
2018-11-25 10:14:59 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (RlgrRD) [35.231.157.15]:53098 I=[78.32.30.218]:587 AUTH command used when not advertised

at about a rate of 2 per second. Although that's a fairly low rate,
and doesn't cause a problem, I'd rather have a way to (e.g.) rate
limit such hosts to stop the log file pollution.

While it's possible to rate limit using exim ACLs, as there is no ACL
for this case, there isn't a way to automatically rate limit such hosts
except by parsing the log file (granted, it wouldn't actually be
controlling access per se.)

My current technique to deal with such people is to spot them in the
log file, and add a blocking firewall entry when they bother me, which
is sub-optimal as it tends to stay for a very long time, so I'd rather
be able to have some way to rate limit such things to (e.g.) 1 attempt
per hour or so, which having exim able to "do something" in this case
beyond merely logging the fact would allow.

Maybe this would be a feature request for an ACL that gets run on
failed auth attempts, similar to the smtp notquit ACL?

(Yes, I'm aware that this is a block-cracking attempt, and yes, I'm
already using elements of Lena's implementation - but that doesn't
cover this situation.)

Thanks.

--
Russell King
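The post's fallback, parsing the log file for "AUTH command used when not advertised" lines and acting on repeat offenders, can be automated with a small sliding-window detector. The script below is an added example, not code from the post or from Exim; it assumes the mainlog line shape quoted above (timestamp, `H=<rdns> (<helo>) [<ip>]:<port>`, `I=[...]`), where Exim's rDNS name and `(helo)` part may each be absent. The sample log lines, the IP addresses, and the threshold and window values are constructed for the example.

```python
"""Flag remote hosts that keep sending AUTH when exim did not advertise it.

Added example: parses exim mainlog lines of the shape quoted in the post and
reports IPs that exceed a threshold inside a sliding time window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape (mirrors the lines quoted in the post):
#   <ts> SMTP protocol error in "AUTH <mech>" H=<rdns> (<helo>) [<ip>]:<port>
#        I=[<ip>]:<port> AUTH command used when not advertised
# Both <rdns> and "(<helo>)" are optional in exim's H= field.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'SMTP protocol error in "AUTH (?P<mech>[A-Z0-9-]+)" '
    r'H=(?:(?P<rdns>[^\s(\[]+) )?(?:\([^)]*\) )?\[(?P<ip>[0-9A-Fa-f.:]+)\]:\d+ '
    r'I=\[[0-9A-Fa-f.:]+\]:\d+ AUTH command used when not advertised\s*$'
)


def parse_line(line):
    """Return (timestamp, remote_ip, rdns_or_None) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("ip"), m.group("rdns")


def find_offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of matching lines per remote IP.

    Returns {ip: timestamp at which the threshold was first reached} for every
    IP that produced at least `threshold` matching lines inside any `window`.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    tripped = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # unrelated mainlog line
        ts, ip, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire events older than the window
            q.popleft()
        if len(q) >= threshold and ip not in tripped:
            tripped[ip] = ts
    return tripped


# Constructed sample log (documentation IP ranges, made-up helo strings).
SAMPLE_LOG = [
    '2018-11-25 09:23:58 SMTP protocol error in "AUTH LOGIN" H=host-10.example.net (xyz123) [192.0.2.10]:53324 I=[203.0.113.5]:587 AUTH command used when not advertised',
    '2018-11-25 09:23:58 SMTP protocol error in "AUTH LOGIN" H=host-10.example.net (ab9) [192.0.2.10]:53620 I=[203.0.113.5]:587 AUTH command used when not advertised',
    '2018-11-25 09:23:59 <= sender@example.org H=mx.example.org [198.51.100.7] P=esmtps S=1234',
    '2018-11-25 09:23:59 SMTP protocol error in "AUTH PLAIN" H=(noname) [198.51.100.7]:41002 I=[203.0.113.5]:587 AUTH command used when not advertised',
    '2018-11-25 09:23:59 SMTP protocol error in "AUTH LOGIN" H=host-10.example.net (q7) [192.0.2.10]:53712 I=[203.0.113.5]:587 AUTH command used when not advertised',
]

if __name__ == "__main__":
    # Three hits from one IP within a minute trips the (constructed) threshold.
    for ip, ts in find_offenders(SAMPLE_LOG, threshold=3, window=timedelta(seconds=60)).items():
        print(f"{ts} {ip} reached threshold; candidate for a temporary block")
```

Run against the real mainlog (`find_offenders(open('/var/log/exim4/mainlog'))` on Debian-style paths, an assumption), the returned IPs can feed whatever temporary block the site already uses; keeping the expiry short addresses the post's complaint that manual firewall entries linger for a very long time.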