Re: [exim] Spam though my server

Author: Niels Dettenbach
Date:  
To: exim-users, Sebastian Nielsen
CC: 'Odhiambo Washington'
Subject: Re: [exim] Spam though my server
On Tuesday, 19 February 2019, 15:57:07 CET, Sebastian Nielsen via
Exim-users wrote:
> Most better firewalls do have a built-in country/GeoIP database, if not,
> you can easily add one.

GeoIP is far from "reliable" for any SMTP/MTA, as there is no geolocation of
an IP address. It offers only a "probably in this country" info in context of an
IP address (user). This means the amount of false positives in practice is
significant, except if users came from "known" AS networks or RIR assignments
/ route info. So this may (!) help/work in small and/or very defined network
topologies.

I know the situation in Germany is a bit different, as the internet topology /
"market" is very "centralized" here, but even in Germany many less known IP
access products / services available get "geo-resolved" over other (usually
western) countries / regions by GeoIP (even the commercial version).

I know from many African and Asian mail providers who use "US", "European" or
"Canadian" IPs for their service to get around "problems" with such Geo-
blocking solutions.

Proper geolocation of IPs is a "science by itself", but still far from
reliable. Many brute force attack attempts against our exim systems
(Germany+Luxembourg) are currently coming from France and Germany today.

For smaller systems, solutions like fail2ban could help "far":
https://www.fail2ban.org/wiki/index.php/Exim

But even here: Be aware of possible "bad cases" where i.e. larger NAT
networks "use" the service and "sloppy" user clients generate false
positives.

Beside Exim functionality (see Exim DOS prevention - incl. resource "reserve"
subsystem) firewall rules to slow out "too much" of new initiated sessions
within a time window could help. But brute force attacks are normal / usual
on larger SMTP services today - important is to make it difficult to prevent
any success of such attacks (even distributed ones) and "DOS effects" of them
and similar attacks.


good luck,


niels.


--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---
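The two mitigations the reply mentions, a fail2ban-style jail on Exim's authentication failures and the "too many new sessions within a time window" idea, both come down to the same sliding-window counter per source IP. The script below is an added example, not code from the message, from fail2ban or from the Exim project: it reads Exim main log authentication-failure lines (the `... authenticator failed for (host) [ip]: 535 ... (set_id=user)` format is assumed here), applies fail2ban's usual findtime/maxretry semantics, and additionally flags an IP whose failures spread over many distinct usernames for manual review rather than an automatic ban, which is the "larger NAT network / sloppy clients" false-positive case Niels warns about. The log lines, IP addresses, hostnames and usernames are constructed sample data; the `nat_user_threshold` heuristic is this example's own assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Exim main log format for a failed SMTP AUTH attempt, e.g.
# "2019-02-19 15:57:01 plain authenticator failed for (WIN-PC) [203.0.113.5]:
#  535 Incorrect authentication data (set_id=alice)"
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\S+ )?authenticator failed for .*?\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*?\(set_id=(?P<user>[^)]*)\)"
)

# Constructed sample log (documentation IP ranges, invented hosts and users).
# 192.0.2.9  : one phone client failing occasionally over 40 minutes (benign)
# 203.0.113.5: one username hammered five times in 11 seconds (brute force)
# 198.51.100.7: five failures across four usernames from an office gateway
SAMPLE_LOG = """\
2019-02-19 15:30:00 plain authenticator failed for (phone) [192.0.2.9]: 535 Incorrect authentication data (set_id=grace)
2019-02-19 15:45:00 plain authenticator failed for (phone) [192.0.2.9]: 535 Incorrect authentication data (set_id=grace)
2019-02-19 15:57:01 plain authenticator failed for (WIN-PC) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)
2019-02-19 15:57:03 plain authenticator failed for (WIN-PC) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)
2019-02-19 15:57:05 login authenticator failed for (WIN-PC) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)
2019-02-19 15:57:08 plain authenticator failed for (WIN-PC) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)
2019-02-19 15:57:12 plain authenticator failed for (WIN-PC) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)
2019-02-19 15:58:00 1gwABC-0001aa-Bc <= bob@example.org H=mail.example.org [192.0.2.20] P=esmtps S=2345
2019-02-19 16:00:10 plain authenticator failed for (gw.office.example) [198.51.100.7]: 535 Incorrect authentication data (set_id=carol)
2019-02-19 16:01:40 plain authenticator failed for (gw.office.example) [198.51.100.7]: 535 Incorrect authentication data (set_id=dave)
2019-02-19 16:03:15 plain authenticator failed for (gw.office.example) [198.51.100.7]: 535 Incorrect authentication data (set_id=erin)
2019-02-19 16:05:30 plain authenticator failed for (gw.office.example) [198.51.100.7]: 535 Incorrect authentication data (set_id=carol)
2019-02-19 16:07:02 plain authenticator failed for (gw.office.example) [198.51.100.7]: 535 Incorrect authentication data (set_id=frank)
2019-02-19 16:10:00 plain authenticator failed for (phone) [192.0.2.9]: 535 Incorrect authentication data (set_id=grace)
"""


def parse_failures(lines):
    """Yield (timestamp, ip, set_id) for every auth-failure line; skip the rest."""
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]


def find_candidates(lines, maxretry=5, findtime=600, nat_user_threshold=3):
    """Sliding-window count per IP, fail2ban style: an IP becomes a ban
    candidate once it has >= maxretry failures within findtime seconds.
    If those failures involve nat_user_threshold or more distinct usernames
    the entry is marked review=True (possible shared NAT gateway) instead of
    being a clean auto-ban case. The threshold is this example's assumption."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> deque of (ts, user) inside the window
    hits = {}
    for ts, ip, user in parse_failures(lines):
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # expire entries older than findtime
            q.popleft()
        if len(q) >= maxretry and ip not in hits:
            distinct = {u for _, u in q}
            hits[ip] = {
                "first": q[0][0], "last": ts, "failures": len(q),
                "distinct_users": len(distinct),
                "review": len(distinct) >= nat_user_threshold,
            }
    return hits


def format_report(hits):
    """One line per candidate, the way an operator would eyeball it."""
    rows = []
    for ip, h in sorted(hits.items(), key=lambda kv: kv[1]["first"]):
        action = "REVIEW (many users, NAT?)" if h["review"] else "ban"
        rows.append(f"{ip:15} {h['failures']} failures, {h['distinct_users']} user(s), "
                    f"{h['first']:%H:%M:%S}-{h['last']:%H:%M:%S}: {action}")
    return rows


if __name__ == "__main__":
    for row in format_report(find_candidates(SAMPLE_LOG.splitlines())):
        print(row)
```

Against the sample log, 203.0.113.5 is a plain ban candidate (five failures on one account in eleven seconds), 198.51.100.7 is flagged for review because its five failures come from four different usernames, and 192.0.2.9 never reaches maxretry because its failures are spread over 40 minutes, which is exactly the "sloppy client" that a jail with a short findtime should not ban. Replacing the embedded sample with `open("/var/log/exim4/mainlog")` makes the same counter run over a live log.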