Matt Sealey wrote:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Sprague
Sent: Monday, June 27, 2005 2:19 PM
To: [email protected]
Subject: Re: [exim] exim allowed someone to slam my mail server for 3 hours

[EMAIL PROTECTED] wrote:

What happened here? I thought Exim is supposed to

2005-06-26 07:25:44 H=(buzz) [200.101.127.102] F=<[EMAIL PROTECTED]> rejected RCPT <[EMAIL PROTECTED]>: host 200.101.127.102 is listed in brazil.blackholes.us
2005-06-26 07:25:46 H=(buzz) [200.101.127.102] F=<[EMAIL PROTECTED]> rejected RCPT <[EMAIL PROTECTED]>: host 200.101.127.102 is listed in brazil.blackholes.us


Sure.  You can put something like this in your rcpt ACL:

drop
  condition = ${if > {${eval:$rcpt_fail_count}}{3}{true}{false}}
  message   = Too many failed recipients - count = $rcpt_fail_count

This will drop the connection after 3 bad rcpt to's are done.


Right but they can just disconnect and reconnect to work around
that.

I don't see any evidence that these thousands of failures were
one single unbroken connection. How would you fix up Exim to
handle someone doing real reconnects, a new session each time?

It looks like that feature may be available in v4.52. For now, you could always set up firewall rules to block this guy and others like them.

M




--
Michael F. Sprague   |  [EMAIL PROTECTED]
Partner              |  System and Network Engineering (SaNE), Inc
use STD::disclaimer;


--
## List details at http://www.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
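
An added example, not part of the original thread or of Exim: because a per-connection counter such as $rcpt_fail_count resets on reconnect, this Python script counts "rejected RCPT" main-log lines per source IP across sessions and lists hosts that are candidates for a firewall rule. The function name, threshold, window and sample log lines (apart from the IP and DNSBL name quoted in the thread) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the main-log format quoted in the thread; the
# addresses and the 192.0.2.x hosts are made up for illustration.
SAMPLE_LOG = """\
2005-06-26 07:25:44 H=(buzz) [200.101.127.102] F=<a@example.org> rejected RCPT <u1@example.net>: host 200.101.127.102 is listed in brazil.blackholes.us
2005-06-26 07:25:46 H=(buzz) [200.101.127.102] F=<a@example.org> rejected RCPT <u2@example.net>: host 200.101.127.102 is listed in brazil.blackholes.us
2005-06-26 07:25:49 H=(buzz) [200.101.127.102] F=<a@example.org> rejected RCPT <u3@example.net>: host 200.101.127.102 is listed in brazil.blackholes.us
2005-06-26 07:26:00 1DmXYZ-0001Ab-CD <= b@example.org H=mail.example.org [192.0.2.9] P=esmtp S=1234
2005-06-26 07:26:10 H=(buzz) [200.101.127.102] F=<a@example.org> rejected RCPT <u4@example.net>: host 200.101.127.102 is listed in brazil.blackholes.us
2005-06-26 07:26:12 H=(buzz) [200.101.127.102] F=<a@example.org> rejected RCPT <u5@example.net>: host 200.101.127.102 is listed in brazil.blackholes.us
2005-06-26 07:27:01 H=(buzz) [200.101.127.102] F=<a@example.org> rejected RCPT <u6@example.net>: host 200.101.127.102 is listed in brazil.blackholes.us
2005-06-26 07:00:00 H=relay.example.com [192.0.2.7] F=<c@example.com> rejected RCPT <typo@example.net>: Unrouteable address
2005-06-26 09:00:00 H=relay.example.com [192.0.2.7] F=<c@example.com> rejected RCPT <typo2@example.net>: Unrouteable address
"""

# Timestamp, then the first bracketed address (the peer IP), then the
# "rejected RCPT" marker; other log lines (deliveries etc.) do not match.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r".*?\[(?P<ip>[0-9A-Fa-f.:]+)\].*? rejected RCPT "
)

def block_candidates(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for hosts whose rejected RCPTs inside a
    sliding time window reach the threshold, however many SMTP sessions
    the attempts were spread over."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # expire rejections older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[m["ip"]] = max(peak.get(m["ip"], 0), len(q))
    return peak

if __name__ == "__main__":
    for ip, count in block_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} rejected RCPTs within the window")
```

The window matters for the second host in the sample: two rejections two hours apart never accumulate, so an occasional mistyped recipient is not flagged.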
