I was looking more for a real time solution, either by an exim system filter, or by a log watcher program (i.e., the logtail package).
I'll clarify my questions a bit more. Is the exim filter language capable of such a task? From what I have seen so far, no, but my experience with that is limited (i.e., am I wasting my time trying to do it with a system filter?). Or should I use a script being run every 5 minutes, in conjunction with a program like logtail?

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

----- Original Message -----
From: "Nathan Ridge" <[EMAIL PROTECTED]>
To: "Andrew Tait" <[EMAIL PROTECTED]>
Sent: Monday, March 04, 2002 2:37 PM
Subject: Re: Spammers hammering our mail servers

> Luckily we have not been hit that hard yet, but I can't see it being
> that hard to write a script, even something simple that runs once per
> hour off cron that gets the IP addresses out of rejectlog
>
> now I'm no code junky, even something simple like:
>
> cat rejectlog |awk -F[ {'print $2'} |awk -F] {'print $1'} >> /home/blah/rejectips.txt
>
> cat /home/blah/rejectips.txt |while read IP
> do
>   NUM=`cat /home/blah/rejectips.txt |grep $IP |wc -l`
>   if [ "$NUM" -gt "3" ]
>   then
>     ipchains REJECT blah tcp 25
>   fi
> done
>
> this is not tested, just top of my head
>
> what do you think?
>
> Regards
> Nathan
>
> On Monday, March 4, 2002, at 01:06 PM, Andrew Tait wrote:
>
> > Hi All,
> >
> > I'm sure this affects just about everyone out there who runs a mail
> > server.
> >
> > Every so often we have spammers hammering our mail servers (running
> > Exim) attempting to relay messages. They fail of course, however they
> > sit there, sometimes for several weeks, attempting e-mail address
> > after e-mail address.
> >
> > This of course wastes our bandwidth, server resources, and fills our
> > rejectlog with thousands of failed attempts.
> >
> > What I would like to do, is after three attempted message relays, the IP
> > address gets blocked via ipchains/iptables so it can no longer access
> > port 25.
> >
> > The two options I can see so far are either a program monitoring the
> > rejectlog file to detect abuse, or an exim filter.
> >
> > Has anyone attempted to or set up a system like this?
> >
> > I await your thoughts.
> >
> > Andrew Tait
> > System Administrator
> > Country NetLink Pty, Ltd
> > E-Mail: [EMAIL PROTECTED]
> > WWW: http://www.cnl.com.au
> > 30 Bank St Cobram, VIC 3644, Australia
> > Ph: +61 (03) 58 711 000
> > Fax: +61 (03) 58 711 874
> >
> > "It's the smell! If there is such a thing." Agent Smith - The Matrix

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
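
Added example, not part of the original thread and not code from either poster: a log-watcher take on the "block after three relay attempts" idea discussed above, written so it works on a stream as well as on a file. It assumes rejection lines contain the text "refused relay" and carry the peer address as the last bracketed dotted quad; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Print each client IP once, when its count of "refused relay" lines
# reaches the threshold (default 3). Reads log lines on stdin, so it can
# be fed a whole rejectlog, logtail output, or `tail -F rejectlog`.
# Assumption: the peer address is the LAST [a.b.c.d] token on a line. HELO
# text is client-supplied and may contain brackets, so the first bracketed
# token (what awk -F[ picks) is not trusted.
relay_offenders() {
    awk -v limit="${1:-3}" '
        /refused relay/ {
            ip = ""; rest = $0
            # Walk every bracketed dotted quad and keep the last one.
            while (match(rest, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/)) {
                ip = substr(rest, RSTART + 1, RLENGTH - 2)
                rest = substr(rest, RSTART + RLENGTH)
            }
            if (ip == "" || ip ~ /^127\./) next   # never block loopback
            if (++seen[ip] == limit) { print ip; fflush() }
        }'
}

# Turn offender IPs into firewall rules. Commands are printed, not run,
# so an operator can review them before piping the output to sh.
block_commands() {
    while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 25 -j REJECT\n' "$ip"
    done
}

# Constructed sample lines (assumed format, not from a real server).
sample_log() {
    cat <<'EOF'
2002-03-04 13:00:01 refused relay (host) to <a@example.org> H=(mail) [192.0.2.10]
2002-03-04 13:00:02 refused relay (host) to <b@example.org> H=(mail) [192.0.2.10]
2002-03-04 13:00:03 refused relay (host) to <c@example.org> H=([198.51.100.7]) [192.0.2.10]
2002-03-04 13:00:04 refused relay (host) to <d@example.org> H=(x) [203.0.113.5]
2002-03-04 13:00:05 refused relay (host) to <e@example.org> H=(mail) [192.0.2.10]
EOF
}

# Example run: sample_log | relay_offenders 3 | block_commands
```

For the real-time case asked about above, the same pipeline can be fed from `tail -F` on the reject log instead of a file. Counts live only as long as the awk process and never expire, so a long-running watcher would need its own reset policy.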

