[exim] Re: heads-up: some spam bots started RCPT flooding

Author: Alexander Carver
Date:  
To: exim-users
Subject: [exim] Re: heads-up: some spam bots started RCPT flooding
On 2023-05-20 01:20, James via Exim-users wrote:
> On 15/05/2023 10:21, Markus Reschke via Exim-users wrote:
>
> Firstly I thank you for raising this on the mailing list and providing
> help.
>
>> I moved to a simple ACL rule to drop the connection when the
>> first x recipients are rejected:
>>
>> drop  message = Too many bad recipients
>>       condition = ${if and {{>{$rcpt_count}{5}}{=={$recipients_count}{0}}}{yes}{no}}
>
> This works, however if a valid address is given (and everything else
> about it is acceptable) in the first 5 then recipients_count is not zero
> and condition does not trigger. I have seen this attempted hack use
> abuse@ and postmaster@ which according to RFCs must be valid.
>
> I use:
>     condition = ${if and {{>{$rcpt_count}{2}}{>{${eval:$rcpt_count-$recipients_count}}{2}}}{yes}{no}}
>
> this allows only 2 bad recipients.
>
> Note I have yet to see this hack use a valid address and not be rejected
> for some other reason so $recipients_count has been zero anyway.
>


Which of the ACLs should this actually be in? I tried (though I may have
made typos) each of check_mail, check_rcpt, and check_data but it didn't
trigger at all.

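The two drop conditions quoted in this message, modelled as an added Python example (not code from the thread or from Exim) and replayed over a few sessions. It assumes the condition is evaluated in the RCPT ACL at the start of each RCPT command, where `$rcpt_count` includes the current command and `$recipients_count` counts only recipients accepted so far; the function names and the sample sessions are constructed.

```python
# Added example: a model of the two drop conditions quoted in the thread.
# Assumption: the condition runs at the start of each RCPT command, where
# $rcpt_count already includes the current command and $recipients_count
# counts only the recipients accepted so far.

def rule_first_five(rcpt_count, recipients_count):
    # and{ >{$rcpt_count}{5}  =={$recipients_count}{0} }
    return rcpt_count > 5 and recipients_count == 0

def rule_bad_delta(rcpt_count, recipients_count):
    # and{ >{$rcpt_count}{2}  >{${eval:$rcpt_count-$recipients_count}}{2} }
    return rcpt_count > 2 and (rcpt_count - recipients_count) > 2

def simulate(rule, outcomes):
    """Replay one SMTP transaction against a rule.

    outcomes: one bool per RCPT, True if that recipient would be accepted.
    Returns the 1-based RCPT number at which the rule drops the connection,
    or None if it never fires.
    """
    recipients_count = 0
    for rcpt_count, accepted in enumerate(outcomes, start=1):
        if rule(rcpt_count, recipients_count):
            return rcpt_count
        if accepted:
            recipients_count += 1
    return None

# Constructed sessions (not taken from real logs).
SESSIONS = {
    "all bad": [False] * 10,
    "valid first, then bad": [True] + [False] * 9,
    "two bad, then valid": [False, False, True],
    "mostly valid, one typo": [True, True, False, True],
}

if __name__ == "__main__":
    for name, outcomes in SESSIONS.items():
        a = simulate(rule_first_five, outcomes)
        b = simulate(rule_bad_delta, outcomes)
        print(f"{name:24} first-five drops at {a}, bad-delta drops at {b}")
```

Under the stated assumption, the "two bad, then valid" session shows the second condition firing on the third RCPT before that address is checked, because the count includes the current command.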