[exim] Tackling Bot Blasts

Góra strony
Delete this message
Reply to this message
Autor: Pete Long
Data:  
Dla: exim-users
Temat: [exim] Tackling Bot Blasts
Hi all,

As I’m sure many of you have witnessed, there appears to be something of a concerted effort recently amongst bot-herders to test (completely free of charge) our Internet connections and servers by smashing them with hundreds of delivery attempts per second. Per second.

I cannot recall ever seeing such sustained and incredibly fast network abuse, although I’m probably in the minority.

After trying several ACLs and even inviting IPTables to the party at one stage, I still seemed powerless to prevent mainlog filling up with an inordinate amount of crap; that is until this morning.

Thanks to Jeremy Harris for recommending (to another poster) use of the DROP verb instead of DENY for a certain ACL use case. Sheepishly I changed the DENY verb to DROP and hey presto, way less noise in mainlog and far less chance of a successful delivery. I’d completely forgotten about DROP, for some strange reason only considering DISCARD as an alternative to DENY.


acl_check_rcpt:

drop
message = No host name found.
condition = ${if eq{$host_lookup_failed} {1} {1}{0}}


drop message = Too many bad recipients.
condition = ${if and {{>{$rcpt_count}{2}}{>{${eval:$rcpt_count-$recipients_count}}{2}}}{yes}{no}}


I believe the latter ACL was originally shown on this mailing list but together, these puppies work wonders for my requirements.

For now :)

Thanks again.


Pete.




--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/