Autor: Jeremy Harris Data: A: exim-users Assumpte: Re: [exim] protecting privileged users from SMTP-AUTH attacks
On 02/12/2019 10:23, Cyborg via Exim-users wrote: > That an ip is trying to abuse the auth mechanics and producing a lot of
> "protocol synchronization error" messages,
> as normal clients won't do.
You say "an IP" but you also said "botnet". If the botnet is
only using IP's once, you won't do anything useful by tracking
IPs. Analyse your logs to see whether or not such
an approach would be useful.
Perhaps you could start from the other end: track your customer's
(well, at least sources that pass authentication) IPs -
and impose a delay on others. Ways to do that:
- check the "authenticated" status in any ACL from mail onward,
if yes then note the IP in your favourite DB. A ratelimit DB would do
fine.
- check the IP in the DB in an AUTH ACL and delay if not found.
[IANAL, but beware GPDR concerns with such a DB. It should be
protected in the same way as logs]
--
Cheers,
Jeremy