Author: Paul Muster Date: To: exim-users Subject: Re: [exim] Feature Request: react on HTTP
On 06.05.2021 at 11:43, Cyborg via Exim-users wrote:
> Every one of us sees this in their logfiles:
>
> 2021-05-06 11:07:57 no host name found for IP address 68.183.80.168
> 2021-05-06 11:07:58 no host name found for IP address 68.183.80.168
> 2021-05-06 11:07:58 SMTP call from [68.183.80.168] dropped: too many
> unrecognized commands (last was "Accept-Encoding: gzip, deflate")
> 2021-05-06 11:07:59 no host name found for IP address 68.183.80.168
> 2021-05-06 11:07:59 SMTP call from [68.183.80.168] dropped: too many
> unrecognized commands (last was "Accept-Encoding: gzip, deflate")
> 2021-05-06 11:08:00 no host name found for IP address 68.183.80.168
> 2021-05-06 11:08:00 SMTP call from [68.183.80.168] dropped: too many
> unrecognized commands (last was "Accept-Encoding: gzip, deflate")
> 2021-05-06 11:08:01 no host name found for IP address 68.183.80.168
> 2021-05-06 11:08:01 SMTP call from [68.183.80.168] dropped: too many
> unrecognized commands (last was "Accept-Encoding: gzip, deflate")
>
> These are clients that send "GET /..whatever HTTP/1.0" as greeting.
>
> I suggest:
>
> not to wait for the usual error threshold of SMTP-related errors, but
> instead auto disconnect and block the IP for a few minutes, because, as
> seen, they come back as often as you let them.
Use fail2ban to detect these attempts in Exim's logfiles and ban the
source on an IP basis.
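
The detection this reply points to, as an added example that is not part of the original message and is not a fail2ban filter: Python that matches the "dropped" lines quoted above, keeps only those whose last command looks like HTTP, and reports an IP once it reaches a threshold. The function name, the HTTP pattern, the threshold of 3 hits in 10 minutes and the 192.0.2.10 line are assumptions; the quoted log lines are rejoined onto one line each.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim main-log line for a session dropped after too many unknown commands.
# An optional host name before the bracketed IP is tolerated (assumption).
DROP_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'SMTP call from (?:[^\[]* )?\[(?P<ip>[0-9A-Fa-f.:]+)\]\S* dropped: '
    r'too many unrecognized commands \(last was "(?P<last>.*)"\)\s*$')

# Last command looks like an HTTP request line or a common HTTP header.
HTTP_RE = re.compile(
    r'^(?:(?:GET|POST|HEAD|PUT|OPTIONS|CONNECT) \S+ HTTP/\d\.\d'
    r'|(?:Host|User-Agent|Accept(?:-[A-Za-z]+)?|Connection|Cookie|Referer'
    r'|Content-[A-Za-z]+): )', re.IGNORECASE)

def http_probe_bans(lines, max_hits=3, window=timedelta(minutes=10)):
    """Return {ip: timestamp of the hit that reached max_hits in window}."""
    hits = defaultdict(list)
    bans = {}
    for line in lines:
        m = DROP_RE.match(line)
        if not m or not HTTP_RE.match(m['last']):
            continue  # other log line, or a non-HTTP SMTP error
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        ip = m['ip']
        # Keep only hits still inside the sliding window, then add this one.
        hits[ip] = [t for t in hits[ip] if ts - t <= window] + [ts]
        if len(hits[ip]) >= max_hits and ip not in bans:
            bans[ip] = ts
    return bans

DROP = ('2021-05-06 {} SMTP call from [{}] dropped: '
        'too many unrecognized commands (last was "{}")')
# Lines from the quoted log, unwrapped ...
SAMPLE = ['2021-05-06 11:07:57 no host name found for IP address 68.183.80.168']
SAMPLE += [DROP.format(t, '68.183.80.168', 'Accept-Encoding: gzip, deflate')
           for t in ('11:07:58', '11:07:59', '11:08:00', '11:08:01')]
# ... plus one constructed non-HTTP line (documentation IP) that must not match.
SAMPLE.append(DROP.format('11:09:00', '192.0.2.10', 'XYZZY'))

if __name__ == '__main__':
    for ip, when in http_probe_bans(SAMPLE).items():
        print(f'ban {ip} (threshold reached at {when})')
```
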