On 2023-06-01, Julian Bradfield via Exim-users <exim-users@???> wrote:
> In response to the recent RCPT-flooding attacks, I changed my
> acl_check_rcpt verification check to say:
>   deny
>     domains      = +local_domains
>     !local_parts = postmaster
>     !verify      = recipient
>     message      = Unknown user
>     delay        = 5s
> However, in the exim log file I'm still seeing 99 denied RCPT commands
> all with the same timestamp.
Having switched on acl debugging at the 70th denied RCPT, what I see
in the logs is:
check delay = 5s
delay modifier requests 5-second delay
delay cancelled by peer close
As far as I can see, this only makes any sense if the attacker has
closed its input stream (exim's output stream) - but then shouldn't
exim get an error when it sends the response? And why would the
attacker close its input stream so it can't see the response? The
attack is not heavy enough to be an effective DoS attack, at least not
for me.
(This is exim-4.94 from Debian 11).
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
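The thread above concerns a burst of rejected RCPT commands from one peer that all share a single log timestamp, and a `delay` modifier that is cancelled because the peer has already closed the connection. Whatever the cause on the sending side, the burst itself is easy to spot in the main log. The following Python script is an added example, not part of the thread and not Exim project code: it reads constructed Exim mainlog-style "rejected RCPT" lines and reports the peers that produced more than a threshold of rejections inside a short window. The log line layout, the sample addresses and the threshold values are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Exim mainlog "rejected RCPT" lines carry a timestamp, the peer address in
# square brackets after H=, and the rejected recipient in angle brackets.
# The trailing message text ("Unknown user") matches the ACL in the thread.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?:\S+ )?\[(?P<ip>[^\]]+)\] .*rejected RCPT <(?P<rcpt>[^>]+)>"
)

# Constructed sample log lines (assumed format; not copied from the thread):
# one peer fires 30 rejected RCPTs with an identical timestamp, a second peer
# is rejected twice 38 seconds apart, and one unrelated accepted message.
SAMPLE_LINES = (
    [
        f"2023-06-01 08:15:02 H=(mx) [203.0.113.7] F=<bob@example.com> "
        f"rejected RCPT <user{i}@example.org>: Unknown user"
        for i in range(30)
    ]
    + [
        "2023-06-01 08:15:02 H=mail.example.net [198.51.100.9] F=<alice@example.net> "
        "rejected RCPT <nobody@example.org>: Unknown user",
        "2023-06-01 08:15:40 H=mail.example.net [198.51.100.9] F=<alice@example.net> "
        "rejected RCPT <ghost@example.org>: Unknown user",
        "2023-06-01 08:16:01 1q4xyz-0001aa-Bc <= alice@example.net "
        "H=mail.example.net [198.51.100.9] P=esmtp S=1234",
    ]
)


def parse_rejects(lines):
    """Yield (timestamp, peer_ip, recipient) for each rejected-RCPT log line."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["rcpt"]


def burst_counts(lines, window_seconds=1):
    """Return {peer_ip: largest number of rejected RCPTs seen within any
    window of window_seconds}.  A sliding window over the sorted timestamps
    of each peer gives the densest burst that peer produced."""
    per_ip = defaultdict(list)
    for ts, ip, _rcpt in parse_rejects(lines):
        per_ip[ip].append(ts)

    result = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        best = 0
        start = 0
        for end in range(len(stamps)):
            # Advance the window start until it fits within window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        result[ip] = best
    return result


def flooding_hosts(lines, threshold=10, window_seconds=1):
    """Peers whose densest burst reaches the threshold, sorted for stable output."""
    counts = burst_counts(lines, window_seconds)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in sorted(burst_counts(SAMPLE_LINES).items()):
        print(f"{ip}: {n} rejected RCPT within 1s")
    print("flooding peers:", flooding_hosts(SAMPLE_LINES))
```

Run against a real mainlog by replacing `SAMPLE_LINES` with the file's lines; the window and threshold are the tuning knobs, and a peer that appears in `flooding_hosts` is a candidate for a per-host rate limit or firewall rule rather than a per-RCPT delay, since, as the thread shows, a `delay` that the peer never waits for costs the attacker nothing.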