Re: [exim] exim allowed someone to slam my mail server for 3 hours

Mon, 27 Jun 2005 13:22:14 -0700 

On 27/06/05, Michael Sprague <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > What happened here?  I thought Exim is supposed to disconnect people if
> > they cause too many errors in their connection?  Why did Exim allow the
> > one host to make 38,000 requests in 3 hours within just 1 connection?
> >
> > Here what I see in my logs:
> >
> > 2005-06-26 07:25:32 SMTP connection from [200.101.127.102] (TCP/IP
> > connection count = 1)
> > 2005-06-26 07:25:34 H=(buzz) [200.101.127.102]
> > F=<[EMAIL PROTECTED]> rejected RCPT <[EMAIL PROTECTED]>:
> > host 200.101.127.102 is listed in brazil.blackholes.us
> > 2005-06-26 07:25:40 H=(buzz) [200.101.127.102]
> > F=<[EMAIL PROTECTED]> rejected RCPT <[EMAIL PROTECTED]>:
> > host 200.101.127.102 is listed in brazil.blackholes.us
> > 2005-06-26 07:25:44 H=(buzz) [200.101.127.102]
> > F=<[EMAIL PROTECTED]> rejected RCPT <[EMAIL PROTECTED]>:
> > host 200.101.127.102 is listed in brazil.blackholes.us
> > 2005-06-26 07:25:46 H=(buzz) [200.101.127.102]
> > F=<[EMAIL PROTECTED]> rejected RCPT <[EMAIL PROTECTED]>:
> > host 200.101.127.102 is listed in brazil.blackholes.us
> >
> > That message repeats thousands of times for 3 hours, then:
> > 2005-06-26 10:36:28 SMTP syntax error in "SAIR" H=(buzz)
> > [200.101.127.102] unrecognized command
> > 2005-06-26 10:36:29 unexpected disconnection while reading SMTP command
> > from (buzz) [200.101.127.102]
> >
> > Isn't there a way to disconnect a host if they cause too many errors in
> > the SMTP dialogue?
> >
> 
> Sure.  You can put something like this in your rcpt ACL:
> 
> drop
>   condition      = ${if > {${eval:$rcpt_fail_count}}{3}{true}{false}}
>   message        = Too many failed recipients - count = $rcpt_fail_count
> 
> This will drop the connection after 3 bad rcpt to's are done.

We do exactly that, but we also save the IP to feed a local DNSBL and
reject on connect the next time they come along.

Peter


-- 
Peter Bowyer
Email: [EMAIL PROTECTED]
Tel: +44 1296 768003
VoIP: sip:[EMAIL PROTECTED]

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/

Reply via email to