On 2022-07-15, Slavko via Exim-users <exim-users@???> wrote:
> To OP: I will do not suggest to use as aggressive bans at all, as a lot
> of hosts try only once and then go away, thus banning them is only
> resource wasting...
Not my experience. A large number of hosts try every hour or two -
presumably they're part of a distributed net working its way through
possible credentials. (Why they think any of these addresses might
exist, I do not know - most of them don't.)
By implementing a 10-day ban for any auth failure, the number of
attempts per day drops by a factor of 5 to 8.
> You can use AUTH attempts counting in AUTH ACL and the do something with
> this value, eg. (i do not drop by this way, thus only idea):
>
> warn set acl_c_authcnt = ${eval10:$acl_c_authcnt+1}
>
> drop condition = ${if >{$acl_c_authcnt}{1}}
> condition = $authentication_failed
> logwrite = H=$sender_fullhost LAST FAILed: \
> $authenticated_fail_id
That only works on multiple AUTHs in the same session, doesn't it?
> I recently discovered (OK, i ugpraded it) fail2bans bantime auto
> incerement, whis i see as very useful for banning these toxics and to
> deal with false positives relative acceptable with short initial
> bantime:
Interesting, thanks. I don't know whether that's on my system (I
cannot be bothered with custom installations these days), but I'll
check.
