I've been toying with the idea of slowing down spammers. I tried this in my exim.conf:

    DELAY1=60s
    DELAYCONN=10s

    acl_smtp_auth     = accept delay=DELAY1
    acl_smtp_connect  = accept delay=DELAYCONN
    acl_smtp_data     = accept delay=DELAY1
    acl_smtp_helo     = accept delay=DELAY1
    acl_smtp_mail     = accept delay=DELAY1
    acl_smtp_mailauth = accept delay=DELAY1
    acl_smtp_predata  = accept delay=DELAY1
    acl_smtp_quit     = accept delay=DELAY1
    acl_smtp_starttls = accept delay=DELAY1
    acl_smtp_rcpt     = accept delay=DELAY1
    acl_smtp_etrn     = accept delay=DELAY1
    acl_smtp_expn     = accept delay=DELAY1
    acl_smtp_vrfy     = accept delay=DELAY1
Before someone screams "OPEN RELAY": it's not. There's only 1 router, and the transport for that delivers to a file; it does not have the ability to send email via the network in any form. I've noticed that they don't seem to want to try to send mail through it. A few entries in my log:

    2005-09-29 20:56:23 SMTP connection from [141.156.179.19]:1332 I=[]:25 (TCP/IP connection count = 1)
    2005-09-29 20:57:37 SMTP connection from pool-141-156-179-19.esr.east.verizon.net [141.156.179.19]:1332 I=[]:25 lost
    2005-09-29 21:32:48 SMTP connection from [219.133.174.149]:4686 I=[]:25 (TCP/IP connection count = 1)
    2005-09-29 21:32:49 no host name found for IP address 219.133.174.149
    2005-09-29 21:34:01 SMTP connection from (216.98.75.12) [219.133.174.149]:4686 I=[]:25 lost

I have plenty of others in the log (hundreds, actually). The IP of the server was removed so as not to expose the system. It has many IPs assigned to it, and none of them are the server I'm using for this message nor my backup server. I didn't want the IPs listed, as they would be searchable by Google and other engines and it could then be ignored by the abusers (it's a honey pot, actually).

Ok, with that out of the way: I had DELAY1 set to 49s and noticed that the spammers would complete the message. (Seems they are doing relay tests; the subject line is always BC_aaa.bbb.ccc.ddd where aaa.bbb.ccc.ddd is the local IP.)

What are the thoughts about doing this on a production system? (Of course this will break callouts; it can be adjusted to handle that specifically.)

    On connect: delay 5-10 sec (not if you expect callouts)
    HELO:       delay 30 sec (same)
    MAIL:       delay 60 sec if the envelope sender is not NULL
    RCPT:       delay 60 sec if sender not NULL
    DATA:       delay 60 sec (pre and post)

and if the sender IP has not hung up at this point and did completely send the message, log the IP somewhere and never delay this IP again (since it's now known to handle delays). Just by looking at the logs on the abused machine, this seems like it would work well.
On the other hand, I had AOL blocked due to issues with my rDNS (I know, but if I can't report abuse, I don't accept any form of connection from the other end) and had, I think, 90s or higher delays, and they would continue to hammer the server until blocked at the IP level.

I'd like to know what the thoughts of others are on this. I'm only concerned about MTA (or random spammer) -> MTA transactions, not MUA -> MTA transactions.

If anyone would like to verify this machine is not an open relay, you may contact me off list and I'll give you the IPs of the system. It's there to take abuse but not to relay abuse.

--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
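The post leaves the last step of the proposal, "log the IP somewhere and never delay this IP again", as a manual job done by reading the mainlog. The script below is an added example (not code from the original post, and not part of Exim) of doing that bookkeeping from the log: it pairs each "SMTP connection from" line with the "lost" or "closed by QUIT" line that ends it, counts the "<=" message-accepted lines in between, reports how long each peer that hung up was held, and emits the list of IPs that delivered despite the delays. It assumes the mainlog format shown in the post (log_selector with +smtp_connection and +incoming_port, so each peer appears as "[ip]:port"); the sample log lines, IPs and hostnames are constructed from RFC 5737 documentation ranges, not real traffic, and the "<=" line shape is the standard Exim one.

```python
"""Pull tarpit results out of an Exim mainlog (added example, not Exim code).

Reads mainlog lines in the shape quoted in the post, groups them into
per-connection sessions and derives:
  * how long each peer that hung up stayed connected (what the delays cost it)
  * the IPs that completed a message despite the delays, i.e. the list the
    post proposes to log and then exempt from further delays
Assumes log_selector includes +smtp_connection (connection open/close lines)
and +incoming_port (peer shown as "[ip]:port").
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

TS_FMT = "%Y-%m-%d %H:%M:%S"
_TS = r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
_PEER = r"SMTP connection from .*?\[(?P<ip>[\d.]+)\](?::\d+)? "

OPEN_RE = re.compile(_TS + _PEER + r".*\(TCP/IP connection count")
LOST_RE = re.compile(_TS + _PEER + r".*\blost$")
QUIT_RE = re.compile(_TS + _PEER + r".*\bclosed by QUIT$")
# "<=" is Exim's message-accepted line; H= carries the peer's name and IP.
ACCEPT_RE = re.compile(_TS + r"\S+ <= \S+ H=.*?\[(?P<ip>[\d.]+)\]")

# Constructed sample log (documentation IPs): two relay testers that give up
# under the delays, and one real MTA that waits them out and delivers.
LOG = """\
2005-09-29 20:56:23 SMTP connection from [192.0.2.10]:1332 I=[198.51.100.5]:25 (TCP/IP connection count = 1)
2005-09-29 20:57:37 SMTP connection from [192.0.2.10]:1332 I=[198.51.100.5]:25 lost
2005-09-29 21:32:48 SMTP connection from [192.0.2.20]:4686 I=[198.51.100.5]:25 (TCP/IP connection count = 1)
2005-09-29 21:32:49 no host name found for IP address 192.0.2.20
2005-09-29 21:34:01 SMTP connection from (203.0.113.7) [192.0.2.20]:4686 I=[198.51.100.5]:25 lost
2005-09-29 22:10:05 SMTP connection from mx.example.net [192.0.2.30]:2525 I=[198.51.100.5]:25 (TCP/IP connection count = 1)
2005-09-29 22:14:12 1EL3Xa-0001Ab-2f <= sender@example.net H=mx.example.net [192.0.2.30]:2525 P=esmtp S=1482
2005-09-29 22:15:13 SMTP connection from mx.example.net [192.0.2.30]:2525 I=[198.51.100.5]:25 closed by QUIT
"""


@dataclass
class Session:
    ip: str
    opened: datetime
    closed: Optional[datetime] = None
    outcome: str = "open"      # "lost" (peer hung up), "quit", or still "open"
    accepted: int = 0          # messages accepted on this connection


def parse_sessions(lines):
    """Group mainlog lines into per-connection Session records.

    Open sessions are keyed by peer IP only, which is enough for a tarpit
    log; concurrent connections from one IP would need the port as well.
    """
    sessions = []
    live = {}                  # ip -> Session currently open from that peer
    for line in lines:
        if m := OPEN_RE.match(line):
            s = Session(m["ip"], datetime.strptime(m["ts"], TS_FMT))
            sessions.append(s)
            live[m["ip"]] = s
        elif m := ACCEPT_RE.match(line):
            if m["ip"] in live:
                live[m["ip"]].accepted += 1
        else:
            for rx, outcome in ((LOST_RE, "lost"), (QUIT_RE, "quit")):
                if (m := rx.match(line)) and m["ip"] in live:
                    s = live.pop(m["ip"])
                    s.closed = datetime.strptime(m["ts"], TS_FMT)
                    s.outcome = outcome
                    break
    return sessions


def hold_times(sessions):
    """(ip, seconds) for every peer that hung up: how long the tarpit held it."""
    return [(s.ip, int((s.closed - s.opened).total_seconds()))
            for s in sessions if s.outcome == "lost"]


def delay_exempt(sessions):
    """IPs that delivered at least one message despite the delays."""
    return sorted({s.ip for s in sessions if s.accepted > 0})


if __name__ == "__main__":
    found = parse_sessions(LOG.splitlines())
    for ip, secs in hold_times(found):
        print(f"{ip} gave up after {secs}s")
    print("exempt from further delays:", ", ".join(delay_exempt(found)))
```

To feed the result back into the ACLs, write the output of delay_exempt() one IP per line to a file (the path is an assumption, e.g. /var/lib/exim/delay_exempt), declare it with `hostlist delay_exempt = /var/lib/exim/delay_exempt`, and put `accept hosts = +delay_exempt` ahead of the `accept delay=...` statement in each delaying ACL. The exemption is a trust decision on the IP alone: a sender that once waited out the delays is exempted for good, so the list deserves the same review as any other allowlist.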
