On 2023-06-03, Jeremy Harris via Exim-users <exim-users@???> wrote:
> On 03/06/2023 17:48, Julian Bradfield via Exim-users wrote:
>> Having switched on acl debugging at the 70th denied RCPT, what I see
>> in the logs is:
>>
>>
>> check delay = 5s
>> delay modifier requests 5-second delay
>> delay cancelled by peer close
>>
>> As far as I can see, this only makes any sense if the attacker has
>> closed its input stream (exim's output stream) - but then shouldn't
>> exim get an error when it sends the response?
>
> Yes. But you didn't show us that bit.
Because it isn't there.
Here's what's in the main log. (The actual domain is redacted because
it's an address leakage detector which I don't want appearing on the web.)
2023-06-03 17:23:55 SMTP connection from [58.53.131.26] (TCP/IP connection count = 1)
2023-06-03 17:23:56 no host name found for IP address 58.53.131.26
2023-06-03 17:24:06 H=([58.53.131.26]) [58.53.131.26] F=<g4ckp5go0l67ba@???> rejected RCPT <man@???>: no such user
[ repeated 90+ times for various localparts ]
2023-06-03 17:24:06 unexpected disconnection while reading SMTP command from ([58.53.131.26]) [58.53.131.26] D=10s
What happens in the debug log after the last acl check is:
SMTP>> 421 london.jcbradfield.org lost input connection
LOG: lost_incoming_connection MAIN
unexpected disconnection while reading SMTP command from ([58.53.131.26]) [58.53.131.26] D=10s
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
