Please learn how to write your responses. Either top-post, or post below,
by snipping.
Even without doing anything, my server has been rejecting these IPs because
they are listed on spamhaus.
On Thu, Dec 8, 2022 at 11:58 PM The Doctor <doctor@???> wrote:
> On Thu, Dec 08, 2022 at 11:44:44PM +0300, Odhiambo Washington via
> Exim-users wrote:
> > On Thu, Dec 8, 2022 at 11:38 PM The Doctor via Exim-users <
> > exim-users@???> wrote:
> >
> > > On Thu, Dec 08, 2022 at 10:47:18PM +0300, Evgeniy Berdnikov via
> Exim-users
> > > wrote:
> > > > On Thu, Dec 08, 2022 at 12:22:13PM -0700, The Doctor via Exim-users
> > > wrote:
> > > > > On Thu, Dec 08, 2022 at 09:24:19PM +0300, Odhiambo Washington via
> > > Exim-users wrote:
> > > > [...]
> > > > > > >>> host in "5.34.207.0/24"? yes (matched "5.34.207.0/24")
> > > > > > >>> host in host_reject_connection? yes (matched "+host_rejects")
> > > > > > LOG: refused connection from [5.34.207.3]
> (host_reject_connection)
> > > > > > 554 SMTP service not available
> > > > > > root@gw:/usr/home/wash #
> > > > >
> > > > > Still seeing
> > > > >
> > > > > netstat -a | egrep smtp
> > > > > tcp4 0 0 exploreedmonton..smtps 5.34.207.189.26526
> > > SYN_RCVD
> > > > > tcp4 0 0 comparealbertapo.smtps 5.34.207.190.30872
> > > FIN_WAIT_2
> > > > > tcp4 0 0 204.209.81.148.smtps 5.34.207.114.57546
> > > FIN_WAIT_2
> > > >
> > > > Rejection with status code 554 requires established TCP connection.
> > > > Study mainlog to check whether connections are rejected.
> > > >
> > > > However, absense of numerous connections in ESTABLISHED state is a
> hint
> > > > that rejection works.
> > > >
> > > > If you don't want TCP connections, use packet filtering on kernel
> level
> > > > instead of Exim's configuration options.
> > >
> > > I am surprised that my firewall ACL is not getting this
> > > in a switch!
> >
> >
> > I shared config snippets that work.
> > If you wanted to deal with this at the firewall level, you did not need
> > Exim to do it!
> >
>
> As I said, the firewall wer not dropping the packets hence the
> need to use exim ACL.
>
> By the way,
>
> This looks like a very interesting attack!
>
> Have a look at https://www.nk.ca/~doctor/5.34.207.txt
>
> but be careful!
>
> This file is 113960735 bytes.
>
> > --
> > Best regards,
> > Odhiambo WASHINGTON,
> > Nairobi,KE
> > +254 7 3200 0004/+254 7 2274 3223
> > "Oh, the cruft.", egrep -v '^$|^.*#' ??\_(???)_/?? :-)
> > --
> > ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> > ## Exim details at http://www.exim.org/
> > ## Please use the Wiki with this list - http://wiki.exim.org/
>
> --
> Member - Liberal International This is doctor@??? Ici doctor@???
> Yahweh, King & country!Never Satan President Republic!Beware AntiChrist
> rising!
> Look at Psalms 14 and 53 on Atheism
> https://www.empire.kred/ROOTNK?t=94a1f39b
> Happy Christmas 2022 and Merry New Year 2023 Beware
> https://mindspring.com
>
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
