Chris Edwards wrote:
> Anyone else noticing more concurrent incoming SMTP connections in last
> couple of weeks ?
>
> Chances are it's a buggy botnet, and has been discussed in various places
> including:
>
> http://blogs.msdn.com/tzink/archive/2007/09/01/new-spamming-tactic.aspx
>
> and I'm guessing is responsible for the recent "smtp_reserve_hosts" thread
> on exim-users.
>
> Suggestions seem to include lowering timeouts - which seems likely to
> break legit things.
>
> Perhaps it's time to switch our DNSBL etc tests from "deny" to "drop" mode.
> Is there any obvious downside to this ? Do most folk use drop already ?

I too have noticed more bots doing this kind of behaviour and am currently trying to figure a neat and easy way to only allow a single connection from any 1 IP address over separate servers. A few legitimate servers also connect multiple times so I'm at a loss as to whether this is a good idea or not.

The bots connecting to my servers haven't been hanging around and wasting connections though, they've just been dropping connection as soon as they get the defer from the greylist.

Changing the DNSBL verb from deny to drop may cause the bots to attempt the connection again, but this will depend on the bot. Some of them try again even with a deny, others try once and never come back again.

Ted.
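
An added example, not part of the original posts: a Python sketch that measures peak concurrent SMTP connections per source IP from Exim main-log lines, so a per-host limit can be chosen without cutting off the legitimate servers that open several connections at once. The log lines are constructed, and the line format (connection logging with source ports recorded) is an assumption; adjust the regex to your own logs.

```python
import re
from collections import defaultdict

# Constructed sample lines. The format is assumed to resemble Exim main-log
# output with connection logging and source ports enabled.
SAMPLE_LOG = """\
2007-09-10 12:00:01 SMTP connection from [192.0.2.10]:40001 (TCP/IP connection count = 1)
2007-09-10 12:00:03 SMTP connection from [192.0.2.10]:40001 closed by QUIT
2007-09-10 12:00:05 SMTP connection from [198.51.100.7]:51001 (TCP/IP connection count = 1)
2007-09-10 12:00:05 SMTP connection from [198.51.100.7]:51002 (TCP/IP connection count = 2)
2007-09-10 12:00:06 SMTP connection from [198.51.100.7]:51003 (TCP/IP connection count = 3)
2007-09-10 12:00:07 SMTP connection from [203.0.113.5]:33001 (TCP/IP connection count = 4)
2007-09-10 12:00:08 SMTP connection from [203.0.113.5]:33002 (TCP/IP connection count = 5)
2007-09-10 12:00:09 SMTP connection from [198.51.100.7]:51001 lost
2007-09-10 12:00:09 SMTP connection from [198.51.100.7]:51002 lost
2007-09-10 12:00:09 SMTP connection from [198.51.100.7]:51003 lost
2007-09-10 12:00:12 SMTP connection from [203.0.113.5]:33001 closed by QUIT
2007-09-10 12:00:13 SMTP connection from [203.0.113.5]:33002 closed by QUIT
2007-09-10 12:00:20 SMTP connection from [192.0.2.10]:40002 (TCP/IP connection count = 1)
2007-09-10 12:00:22 SMTP connection from [192.0.2.10]:40002 closed by QUIT
"""

# Remote IP, remote port, and the remainder of the line.
LINE_RE = re.compile(r"SMTP connection from .*?\[([0-9A-Fa-f.:]+)\]:(\d+)\s+(.*)$")

def peak_concurrency(lines):
    """Return {ip: highest number of simultaneously open connections}."""
    open_ports = defaultdict(set)  # ip -> source ports currently open
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, port, rest = m.groups()
        if "connection count" in rest:      # connection accepted
            open_ports[ip].add(port)
            peak[ip] = max(peak[ip], len(open_ports[ip]))
        else:                               # closed, lost, dropped, ...
            open_ports[ip].discard(port)
    return dict(peak)

def over_limit(lines, limit):
    """IPs whose peak concurrency would exceed a proposed per-host limit."""
    return sorted(ip for ip, n in peak_concurrency(lines).items() if n > limit)

if __name__ == "__main__":
    for ip, n in sorted(peak_concurrency(SAMPLE_LOG.splitlines()).items()):
        print(ip, n)
```

Running `over_limit` with candidate limits against a few days of logs shows which known-good senders a given limit would affect before it is enforced.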
