Tom Kistner wrote:
> I do this via a script I called "timeban". It's universal so it can be
> used for other blocking purposes as well. Handles management of a
> blocking chain. Can also manage counters per-IP so you can block IPs
> after multiple infractions ... useful for SSH dictionary "attacks" too.

OK, here's the script:

http://duncanthrax.net/timeban/timeban

Docs and config are integrated in the script itself.

To use this thing in Exim, create a macro like:

  IPT_TEMP_BLACKHOLE = ${run {/usr/local/bin/timeban add \
                       $sender_host_address}{1}{1}}

(Note: this is an instant ban - read the timeban docs!)

There may be the problem that the Exim user can't add iptables rules.
In this case you should set up a sudo rule for /usr/local/bin/timeban.

Use the macro in appropriate positions (it always expands to '1'):

Example 1 (DATA ACL):

  drop message = Spam detected ($spam_score)
       condition = ${if <{$message_size}{500k}}
       spam = nobody
       condition = IPT_TEMP_BLACKHOLE

Example 2 (RCPT ACL):

  drop message = Blacklisted sender domain
       sender_domains = +envelope_domain_blacklist
       condition = IPT_TEMP_BLACKHOLE

  drop message = $sender_host_address blacklisted at $dnslist_domain
       dnslists = list.dsbl.org:sbl-xbl.spamhaus.org
       condition = IPT_TEMP_BLACKHOLE

If you want to use this outside of Exim, I have written a small
log-surfing script that can call timeban on log events. It's
undocumented FTTB, but you'll get the idea when you look at it:

http://duncanthrax.net/timeban/logexec

I wanted to add this to the Wiki as well but can't figure out how to add
a page (can't edit the front page ... hmmm :)

/tom

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
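
The per-IP counter and timed-ban bookkeeping described in the message above, as an added example that is not part of the original post and is not timeban's own code. The chain name TIMEBAN, the threshold, window and ban length, and the BanTable/rule names are assumptions made for illustration; the addresses in the test are constructed documentation addresses.

```python
import ipaddress

CHAIN = "TIMEBAN"  # assumed name of the dedicated blocking chain


def rule(action, ip):
    """Build an argv list (no shell involved) that adds (-A) or deletes (-D) a DROP rule."""
    tool = "ip6tables" if ":" in ip else "iptables"
    return [tool, action, CHAIN, "-s", ip, "-j", "DROP"]


class BanTable:
    """Count infractions per IP; ban after `threshold` hits inside `window` seconds."""

    def __init__(self, threshold=3, window=600, ban_seconds=3600):
        self.threshold = threshold
        self.window = window
        self.ban_seconds = ban_seconds
        self.hits = {}     # ip -> timestamps of recent infractions
        self.banned = {}   # ip -> time at which the ban expires

    def report(self, raw_ip, now):
        """Record one infraction; return the commands to run (empty if no new ban)."""
        # Reject anything that is not a literal address before it reaches a command line.
        ip = str(ipaddress.ip_address(raw_ip.strip()))  # raises ValueError on junk
        if ip in self.banned:
            return []      # already blocked, never add a duplicate rule
        recent = [t for t in self.hits.get(ip, []) if now - t < self.window]
        recent.append(now)
        if len(recent) < self.threshold:
            self.hits[ip] = recent
            return []
        self.hits.pop(ip, None)
        self.banned[ip] = now + self.ban_seconds
        return [rule("-A", ip)]

    def expire(self, now):
        """Return delete commands for every ban whose time is up."""
        gone = sorted(ip for ip, until in self.banned.items() if until <= now)
        for ip in gone:
            del self.banned[ip]
        return [rule("-D", ip) for ip in gone]
```

Each returned list can be passed to subprocess.run() as-is; threshold=1 gives the instant-ban behaviour the macro above relies on.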
