[exim] Re: Excessive "bad recipient" messages in syslog

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Richard Doyle
Data:  
Para: exim-users
Assunto: [exim] Re: Excessive "bad recipient" messages in syslog
This IP (168.121.195.104) is currently listed in the XBL, CSS and PBL at
Spamhaus


On 5/31/23 07:22, Jarland Donnell via Exim-users wrote:
>
>
> I've been following this particular botnet pretty closely. It's an
> incredible one. If anyone is interested, I have a list of IPs of this
> botnet that increase daily:
> https://github.com/mxroute/da_server_updates/blob/master/sec/botnet.list
>
> It's been a good while since I've seen a botnet this persistent and slow
> to reveal itself. Usually one of this size blows it's wad all in one go
> and you can list out every currently infected PC/IP in a day or so. This
> one seems to either be taking it's time, or is adding new systems to
> it's list at a very solid pace.
>
> On 2023-05-28 16:09, Jim Fenton via Exim-users wrote:
>
>> It seems like some of the spammers have changed tactics and are now
>> sending messages with 98 or so bad RCPT addresses, which (happily)
>> Exim detects. But now I'm getting a flood of messages in syslog, such as:
>>
>> 2023-05-28 00:24:39 REJECT [168.121.195.104]: bad recipient count high
>> [9]
>> 2023-05-28 00:24:39 H=([168.121.195.104]) [168.121.195.104]
>> F=<70g3gpds9l3n8@???>
>> rejected RCPT <comercial@???>: Rejected for too many bad
>> recipients
>>
>> …many lines deleted…
>>
>> 2023-05-28 00:24:39 REJECT [168.121.195.104]: bad recipient count high
>> [98]
>> 2023-05-28 00:24:39 H=([168.121.195.104]) [168.121.195.104]
>> F=<70g3gpds9l3n8@???> rejected RCPT <admin@???>:
>> Rejected for too many bad recipients
>>
>> I can easily change the configuration to make this happen silently,
>> but I would like some visibility that this is happening, for example,
>> in my daily logwatch output. Has anyone devised a way to cut down on
>> the number of messages without eliminating them entirely?
>>
>> -Jim
>



--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/