[exim] Re: smtp_accept_max & DDoS

> To: exim-users @ lists.exim.org

~ $ dig lists.exim.org mx
;; QUESTION SECTION:
;lists.exim.org.                        IN      MX

;; ANSWER SECTION:
lists.exim.org.         294     IN      CNAME   cumin.exim.org.
cumin.exim.org.         300     IN      MX      10 cumin.exim.org.

In my home computer (with FreeBSD) by default the MSA is sendmail, I suppose
it "canonicalizes" the hostname before submission to my MTA on my VPS (Exim).

2023-05-12 00:24:49 +0300
H=cumin.exim.org [37.120.190.30]
SMTP error from remote mail server after RCPT TO:<exim-users @ cumin.exim.org>: 550 unknown user

In my home computer I had to add to /usr/local/etc/unbound/unbound.conf :

local-data: "lists.exim.org MX 10 cumin.exim.org"

> From: Slavko <linux@???>

> The problem is in exim. It gets (logs) "authenticator failed ..." line,
> that line contains "535 Incorrect authentication data ..." too. Then
> it responds that (i guess) to client, which never responds. The
> connection is then hold open, until timeout happens (in my case
> i lowered it to 60 sec). As attackers does that login attempts in
> waves 10-15 IPs in short time, here are multiple connections
> openned until timeout happens.

How do you know that connection is held open and timeout happens?
I seldom see that in my logs.
During last 30 days I see (logged in notquit ACL)
3867 connection-lost and 63 command-timeout events
after authentication failed.
In my config:

smtp_max_synprot_errors = 0
WARNTO = Lena@???
SHELL = /bin/sh
ADDRNAME = $sender_host_address $acl_c_country ${sg{${lookup dnsdb{>, defer_never,ptr=$sender_host_address}}}{\N[^\w.,-]\N}{}}
chunking_advertise_hosts =
slow_lookup_log = 1500
auth_advertise_hosts = ${if eq{$sender_helo_name}{ylmf-pc}{}{*}}
log_timezone
smtp_accept_max = 15
smtp_accept_max_nonmail = 9
log_selector = +smtp_confirmation +queue_time +queue_time_overall \
           +deliver_time +receive_time -retry_defer \
           +smtp_incomplete_transaction +smtp_no_mail +incoming_interface
acl_smtp_connect = acl_check_connect
acl_smtp_helo = acl_check_helo
acl_smtp_auth = acl_check_auth
acl_smtp_mail = acl_check_mail
acl_smtp_quit = acl_check_quit
acl_smtp_notquit = acl_check_notquit
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 2s
HELODETAINTED = ${sg{$sender_helo_name}{\N[^\w.,-]\N}{}}
# these two masks are used only in case of IPv6:
# how many IPv6 addresses you give to your single user:
MASKL = ${if match{$sender_host_address}{:}{/64}}
# how many external IPv6 addresses you treat as one attacker:
MASKW = ${if match{$sender_host_address}{:}{/56}}
...
begin acl
...
acl_check_connect:
  drop    message = $sender_host_address locally blacklisted for a bruteforce \
          auth (login+password) cracking attempt
    condition = ${if exists{$spool_directory/blocked_IPs}}
    condition = ${lookup{$sender_host_address}iplsearch\
                    {/var/..$spool_directory/blocked_IPs}{1}{0}}
  drop    message = stretchoid and similar scanners banned
        condition = ${if match\
        {${lookup dnsdb{defer_never,ptr=$sender_host_address}}}\
        {\N\.(stretchoid.com|shodan.io|internet-research-project.net|binaryedge.ninja|tchelebi.io|alphastrike.io|airtelbroadband.in|proxy-research.com)$\N}}

accept

acl_check_helo:
...
  drop    message = suspicious client with helo=$sender_helo_name \
          locally blacklisted
    condition = ${if eq{$sender_helo_name}{ylmf-pc}}
        acl = setdnslisttext
    condition = ${if match{$acl_c_country}{(?i)br|cn|vn}}
    continue = ${run{SHELL -c 'echo \\\"$sender_host_addressMASKW\\\" \
       >>$spool_directory/blocked_IPs'}}

  drop    message = suspicious client with helo=$sender_helo_name \
          locally blacklisted
    condition = ${if match{$sender_helo_name}\
              {\N^(ganymede|ylmf-pc|\*\.\*|\[192\.168\.2\.33\])$\N}}
        acl = setdnslisttext
    continue = ${run{SHELL -c 'echo \\\"$sender_host_addressMASKW\\\" \
       >>$spool_directory/blocked_IPs; \
       \N{\N echo Subject: HELODETAINTED. blocked ADDRNAME; \
           echo; echo for bruteforce auth cracking attempt.; \
       \N}\N | $exim_path -f root WARNTO'}}

accept

acl_check_auth:
  drop    message = authentication is allowed only once per message in order \
          to slow down bruteforce cracking
    set acl_m_auth = ${eval10:0$acl_m_auth+1}
    condition = ${if >{$acl_m_auth}{2}}
    delay = 22s

  drop    message = blacklisted for bruteforce cracking attempt
    set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
    condition = ${if >{$acl_c_authnomail}{4}}
    condition = ${if exists{$spool_directory/blocked_IPs}\
             {${lookup{$sender_host_address}iplsearch\
                           {$spool_directory/blocked_IPs}{0}{1}}}\
                         {1}}
        acl = setdnslisttext
    continue = ${run{SHELL -c 'echo \\\"$sender_host_addressMASKW\\\" \
       >>$spool_directory/blocked_IPs; \
       \N{\N echo Subject: blocked ADDRNAME; echo; echo \
       for bruteforce auth cracking attempt.; \
       \N}\N | $exim_path -f root WARNTO'}}

  drop  message = blacklisted for bruteforce cracking attempt
        condition = ${if >{$acl_c_authnomail}{4}}

  accept set acl_c_authhash = ${if match{$smtp_command_argument}\
          {\N(?i)^(?:plain|login) (.+)$\N}{${nhash_1000:$1}}}

acl_check_mail:
  deny    message = 503 Bad sequence of commands - must send HELO/EHLO first
    condition = ${if !def:sender_helo_name}

accept set acl_c_authnomail = 0

setdnslisttext:
  accept dnslists = all.ascc.dnsbl.bit.nl
     set acl_c_country = ${if match{$dnslist_text}{ CC=(\\S+) }{$1}}

accept

acl_check_quit:
  accept condition = $authentication_failed
    logwrite = :reject: quit after authentication failed: \
                ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
        acl = setdnslisttext
    condition = ${if match{$acl_c_country}{(?i)br|cn|vn}}
    continue = ${run{SHELL -c 'echo \\\"$sender_host_addressMASKW\\\" \
       >>$spool_directory/blocked_IPs'}}

  warn    condition = $authentication_failed
        dnslists = auth.spamrats.com
        # http://spamrats.com/rats-auth.php , http://spamrats.com/about.php
    condition = ${if exists{$spool_directory/blocked_IPs}\
             {${lookup{$sender_host_address}iplsearch\
                           {$spool_directory/blocked_IPs}{0}{1}}}\
                         {1}}
        acl = setdnslisttext
    continue = ${run{SHELL -c 'echo \\\"$sender_host_addressMASKW\\\" \
       >>$spool_directory/blocked_IPs; \
       \N{\N echo Subject: spamrats. blocked ADDRNAME; \
       echo; echo for auth cracking attempt.; \
       \N}\N | $exim_path -f root WARNTO'}}

  warn    condition = $authentication_failed
        condition = ${if match{$sender_helo_name}\
            {\N^(User|xray500|FlapJack|gerg|smtp.lena.kiev.ua)$\N}}
    condition = ${if exists{$spool_directory/blocked_IPs}\
             {${lookup{$sender_host_address}iplsearch\
                           {$spool_directory/blocked_IPs}{0}{1}}}\
                         {1}}
        acl = setdnslisttext
    continue = ${run{SHELL -c 'echo \\\"$sender_host_addressMASKW\\\" \
       >>$spool_directory/blocked_IPs; \
       \N{\N echo Subject: HELODETAINTED. blocked ADDRNAME; \
       echo; echo for auth cracking attempt.; \
       \N}\N | $exim_path -f root WARNTO'}}

  warn  condition = $authentication_failed
        condition = ${if def:acl_c_authhash}
        ratelimit = 0 / 5m / strict / $sender_host_address-$acl_c_authhash
        set acl_c_hashrate = ${sg{$sender_rate}{[.].*}{}}

  warn    condition = $authentication_failed
        condition = ${if or{\
                            {!def:acl_c_authhash}\
                            {<{$acl_c_hashrate}{2}}\
                           }}
    ratelimit = 7 / 5m / strict / per_conn
    condition = ${if exists{$spool_directory/blocked_IPs}\
             {${lookup{$sender_host_address}iplsearch\
                           {$spool_directory/blocked_IPs}{0}{1}}}\
                         {1}}
        acl = setdnslisttext
    continue = ${run{SHELL -c 'echo \\\"$sender_host_addressMASKW\\\" \
       >>$spool_directory/blocked_IPs; \
       \N{\N echo Subject: blocked ADDRNAME; echo; echo \
       for bruteforce auth cracking attempt.; \
       \N}\N | $exim_path -f root WARNTO'}}

acl_check_notquit:
  accept condition = $authentication_failed
    logwrite = :reject: $smtp_notquit_reason after authentication failed: \
                ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
        acl = setdnslisttext
    condition = ${if match{$acl_c_country}{(?i)br|cn|vn}}
    continue = ${run{SHELL -c 'echo \\\"$sender_host_addressMASKW\\\" \
       >>$spool_directory/blocked_IPs'}}

  warn    condition = $authentication_failed
        dnslists = auth.spamrats.com
        # http://spamrats.com/rats-auth.php , http://spamrats.com/about.php
    condition = ${if exists{$spool_directory/blocked_IPs}\
             {${lookup{$sender_host_address}iplsearch\
                           {$spool_directory/blocked_IPs}{0}{1}}}\
                         {1}}
        acl = setdnslisttext
    continue = ${run{SHELL -c 'echo \\\"$sender_host_addressMASKW\\\" \
       >>$spool_directory/blocked_IPs; \
       \N{\N echo Subject: spamrats. blocked ADDRNAME; \
       echo; echo for auth cracking attempt.; \
       \N}\N | $exim_path -f root WARNTO'}}

  warn    condition = $authentication_failed
    condition = ${if match{$smtp_notquit_reason}\
                  {^(connection-lost|synchronization-error)}}
        condition = ${if match{$sender_helo_name}\
        {\N^(User|xray500|FlapJack|gerg|SERVER-KP1|((mail|smtp)\.)?(lena\.kiev|(ksana|sergej)\.org)\.ua)$\N}}
    !hosts = @[]
    condition = ${if exists{$spool_directory/blocked_IPs}\
             {${lookup{$sender_host_address}iplsearch\
                           {$spool_directory/blocked_IPs}{0}{1}}}\
                         {1}}
        acl = setdnslisttext
    continue = ${run{SHELL -c 'echo \\\"$sender_host_addressMASKW\\\" \
       >>$spool_directory/blocked_IPs; \
       \N{\N echo Subject: HELODETAINTED. blocked ADDRNAME; \
       echo; echo for auth cracking attempt.; \
       \N}\N | $exim_path -f root WARNTO'}}

  warn  condition = $authentication_failed
        condition = ${if def:acl_c_authhash}
        ratelimit = 0 / 2h / strict / $sender_host_address-$acl_c_authhash
        set acl_c_hashrate = ${sg{$sender_rate}{[.].*}{}}

  warn    condition = $authentication_failed
        condition = ${if match{$smtp_notquit_reason}\
                              {^(connection-lost|synchronization-error)}}
        condition = ${if or{\
                            {!def:acl_c_authhash}\
                            {<{$acl_c_hashrate}{2}}\
                           }}
    ratelimit = 7 / 2h / strict / per_conn
    condition = ${if exists{$spool_directory/blocked_IPs}\
             {${lookup{$sender_host_address}iplsearch\
                           {$spool_directory/blocked_IPs}{0}{1}}}\
                         {1}}
        acl = setdnslisttext
    continue = ${run{SHELL -c 'echo \\\"$sender_host_addressMASKW\\\" \
       >>$spool_directory/blocked_IPs; \
       \N{\N echo Subject: blocked ADDRNAME; echo; echo \
       for bruteforce auth cracking attempt.; \
       \N}\N | $exim_path -f root WARNTO'}}

hash:
accept set acl_c_authhash = ${nhash_1000:$acl_arg1}

...
begin authenticators

plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = ${if pam{$auth2:${sg{$auth3}{:}{::}}}}${acl{hash}{$auth2,$auth3}}
client_send = ^${extract{user}{$address_data}{$value}fail}^${extract{pass}{$address_data}{$value}fail}
server_set_id = $2

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ${if pam{$auth1:${sg{$auth2}{:}{::}}}}${acl{hash}{$auth1,$auth2}}
server_set_id = $1


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/