David Saez Padros wrote:

> Hi !!
>
>> It appears we are under a DOS attack. I see a bunch of
>> "refused: too many connections" and people attempting
>> to send email get "421...too many SMTP...". Running
>> "exiwhat" shows a bunch of "handling" lines from many
>> IP addresses (diverse IP addresses). Searching the
>> internet, I could not locate specific solutions to
>> this problem. Can someone out there who has dealt with
>> this provide some advice on how I can proceed to
>> correct this situation? Would Exim4 options such as
>> "sender = verify" make a difference in this situation?
>
> From my experience in similar situations, what helped in
> getting the situation under control was examining the logs to
> find common patterns (helo, sender addresses, recipients,
> etc ...) and then building new ACL rules to reject those attempts
> as fast as possible, if possible avoiding DNS and/or database
> lookups and callouts.

DNS for sure, and RBL sometimes, are faster than you might think.
And both Exim and (most) 'nearest' DNS cache lookup results for long
enough to save a second or subsequent callout.

> In most cases sender addresses are
> addresses that a virus found on the infected computer and
> that no longer exist, so something like "deny senders ="
> on top of the mail ACL could help a lot; also true for common
> recipient dictionary attacks on addresses you possibly don't
> have (mary, fred, joe, ...) which you can deny on RCPT
> with "deny local_parts = fred:mary:.." without having to
> do a "verify = recipient" (which will take more CPU).

Surely you jest?

Putting multi-brazillions of dictionary-created non-existent local
parts into *any of* an ACL (hard-wired), or as a lookup of a local flat
file, db/cdb file, or SQL RDBMS, is simply not on, admin-wise, and gets
slower as it grows.

The number of 'possible' local_parts is well short of aleph-null, but
always several orders of magnitude larger than the number of legitimate
local parts, so verify = recipient is not so slow at the end of the day.

> Also a cdb local blacklist rejecting at SMTP connect and
> built based on other ACL rules' rejections helps a lot.

'Yes but' - put only the worst of chronic offenders in it so it is
rapidly traversed and more likely to justify the lookup time than a
massive list.

> As W B Hacker posted, it is important to tweak the Exim load control
> parameters to avoid the whole server going down when this
> happens.

Bill

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
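The pieces the thread argues over, put together in one Exim 4 configuration fragment. This is an added example, not code from either poster or from Exim's own sample configuration. The file paths (/etc/exim4/badhosts.cdb, /etc/exim4/badsenders), the example.com local domain, the 192.0.2.0/24 reserve network and every numeric limit are assumptions chosen for illustration; tune them to the host. The order is the point: the cheapest checks (a small cdb of chronic offenders at connect, a short list of dead senders at MAIL, a handful of hard-wired dictionary local parts at RCPT) run before anything that costs DNS, a database round-trip or a callout, and a short list of probes is all that is hard-wired, with verify = recipient catching everything else rather than trying to enumerate the dictionary.

```exim
# Added example (hypothetical /etc/exim4/exim4.conf); not from the thread.

# ---- main section ----
# Assumed local domain; "@" is the local host name.
domainlist local_domains = @ : example.com

# Load control so the whole server does not go down under a flood.
# Total concurrent inbound SMTP connections the daemon will handle.
smtp_accept_max = 100
# Per-client-IP cap; parallel dictionary attacks from one host hit this first.
smtp_accept_max_per_host = 5
# Above this many connections, messages are accepted but only queued.
smtp_accept_queue = 50
# Keep some slots free for trusted networks (assumed addresses).
smtp_accept_reserve = 10
smtp_reserve_hosts = 127.0.0.1 : 192.0.2.0/24
# Above this load average only the reserve hosts are accepted.
smtp_load_reserve = 8
# Above this load average, queue everything and deliver later.
queue_only_load = 6
deliver_queue_load_max = 10

acl_smtp_connect = acl_check_connect
acl_smtp_mail    = acl_check_mail
acl_smtp_rcpt    = acl_check_rcpt

begin acl

acl_check_connect:
  # Cheapest reject of all: a local cdb keyed by client IP (net-cdb looks
  # up the address, not the host name). Keep it to the worst chronic
  # offenders so the lookup stays cheap and worth doing at every connect.
  deny  hosts   = net-cdb;/etc/exim4/badhosts.cdb
        message = Connection refused: host is on the local blacklist

  accept

acl_check_mail:
  # Harvested, now-dead sender addresses seen repeatedly in the logs.
  # Rejected here, before any sender verification or callout is attempted.
  deny  senders = lsearch;/etc/exim4/badsenders
        message = Sender address rejected

  accept

acl_check_rcpt:
  # Local (non-SMTP) submissions.
  accept hosts = :

  # Only the most common dictionary probes are hard-wired; no lookup at all.
  # Do not try to list the whole dictionary here.
  deny  domains     = +local_domains
        local_parts = fred : mary : joe : info : test
        message     = No such user here

  # Everything else that claims to be local goes through the real check.
  require verify = recipient

  accept domains = +local_domains

  deny message = relay not permitted
```

Comments in Exim configuration files must start a line; a trailing `#` on an option line would become part of the value, which is why every comment above sits on its own line. The badhosts.cdb file is built outside Exim from the offender list mined out of mainlog rejections (for example with the cdb package's cdbmake or tinycdb's cdb -c), and the badsenders file is a plain one-address-per-line file for the lsearch lookup.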
