• Slavko via Exim-users [2022-06-24 13:24]:
> On 24 June 2022 9:14:41 UTC, Kirill Miazine via Exim-users <exim-users@???> wrote:
>
> >I've found AuthBL from Spamhaus and Abusix to be very useful.
>
> AFAIK Spamhaus's AuthBL is about hosts which use stolen credentials
> (to send SPAM), not those attacking AUTH. While I use it in rspamd and MX,
> only a very small part of the mentioned IPs is/was on it... I even stopped using its
> XBL for AUTH due to too many false positives, mostly due to end users' IP changes
> (e.g. Deutsche mobile users). It took about 2 days for XBL to time out on
> Spamhaus's side and this repeats after the next IP change...
>
> BTW Spamhaus itself suggests not using XBL for end-user filtering and
> AuthBL is an XBL subset...

According to docs, AuthBL is both:

"AuthBL is basically that: a collection of bots known to use stolen
credentials or authentication bruteforce."

https://docs.spamhaus.com/datasets/docs/source/10-data-type-documentation/datasets/030-datasets.html#authbl

I wouldn't use XBL for blocking users (as XBL has lots of stuff in
there), but there have never been any issues with AuthBL. Having said
that, my system has a single digit number of users.

Abusix is catching more, but there are lots of bruteforcers who aren't
on either list. From today's maillog:

# grep AuthBL maillog |wc -l
62
# grep Abusix maillog |wc -l
144
# grep 'login authenticator failed for ' maillog |wc -l
1072

-- Kirill
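
Added example, not part of the original post: the three grep counts above are log lines, so this sketch breaks the same substrings down by distinct source IP and lists the failing IPs that neither list ever tagged. The sample log is constructed, and the "rejected AUTH ... listed in" wording is an assumed site-specific ACL log message; only the grep substrings come from the post.

```python
import re
from collections import Counter

# First bracketed address on a line (IPv4 or IPv6), as Exim logs the peer.
IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

# Substrings taken from the grep commands in the post.
MARKERS = {
    "AuthBL": "AuthBL",
    "Abusix": "Abusix",
    "auth_failed": "login authenticator failed for ",
}

# Constructed sample; the reject-line format is an assumption.
SAMPLE_LOG = """\
2022-06-24 10:00:01 dovecot_login authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (set_id=info)
2022-06-24 10:00:05 dovecot_login authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (set_id=admin)
2022-06-24 10:00:09 dovecot_login authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (set_id=test)
2022-06-24 10:01:00 dovecot_login authenticator failed for (pc) [192.0.2.11]: 535 Incorrect authentication data (set_id=bob)
2022-06-24 10:02:00 dovecot_login authenticator failed for (x) [198.51.100.7]: 535 Incorrect authentication data (set_id=info)
2022-06-24 10:03:00 H=(x) [198.51.100.7] rejected AUTH LOGIN: listed in AuthBL
2022-06-24 10:03:30 H=(x) [198.51.100.7] rejected AUTH LOGIN: listed in AuthBL
2022-06-24 10:04:00 H=(y) [203.0.113.5] rejected AUTH LOGIN: listed in Abusix
"""

def summarize(log_text):
    """Count matching lines and distinct source IPs per marker."""
    lines = Counter()
    ips = {name: Counter() for name in MARKERS}
    for line in log_text.splitlines():
        for name, marker in MARKERS.items():
            if marker in line:
                lines[name] += 1
                m = IP_RE.search(line)
                if m:
                    ips[name][m.group(1)] += 1
    listed = set(ips["AuthBL"]) | set(ips["Abusix"])
    # Failing IPs that neither list ever tagged, with their failure counts.
    unlisted = {ip: n for ip, n in ips["auth_failed"].items()
                if ip not in listed}
    return {
        "lines": dict(lines),
        "distinct_ips": {name: len(c) for name, c in ips.items()},
        "unlisted_failures": unlisted,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
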