Ted Cooper wrote:
> Chris Edwards wrote:
>
>> Anyone else noticing more concurrent incoming SMTP connections in last
>> couple of weeks ?
>>
>> Chances are it's a buggy botnet, and has been discussed in various places
>> including:
>>
>> http://blogs.msdn.com/tzink/archive/2007/09/01/new-spamming-tactic.aspx
>>
>> and I'm guessing is responsible for the recent "smtp_reserve_hosts" thread
>> on exim-users.
>>
>> Suggestions seem to include lowering timeouts - which seems likely to
>> break legit things.
>>
>> Perhaps it's time to switch our DNSBL etc tests from "deny" to "drop" mode.
>> Is there any obvious downside to this ? Do most folk use drop already ?
>>
>
> I too have noticed more bots doing this kind of behaviour and am
> currently trying to figure a neat and easy way to only allow a single
> connection from any 1 IP address over separate servers.
> A few legitimate servers also connect multiple times so I'm at a loss as
> to whether this is a good idea or not.
> The bots connecting to my servers haven't been hanging around and
> wasting connections though, they've just been dropping connection as
> soon as they get the defer from the greylist.
> Changing the DNSBL verb from deny to drop may cause the bots to attempt
> the connection again, but this will depend on the bot. Some of them try
> again even with a deny, others try once and never come back again.
>
> Ted.

Just wondering something. I'm using the new NOTQUIT acl and looking at connections that don't use quit. I'm wondering if the failure to quit might be used as a spam indicator. Not as an absolute indicator, but just in general. Just thinking out loud here. Always looking for a spam indicator.

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
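
The two ideas in this thread, sketched as an Exim configuration fragment. This is an added example, not configuration posted by anyone in the thread; the ACL names and the DNSBL zone `dnsbl.example.org` are placeholders, and the log wording is an assumption chosen for illustration.

```exim
# Main configuration section: hook the RCPT and not-QUIT ACLs.
# ACL names below are placeholders chosen for this example.
acl_smtp_rcpt    = acl_check_rcpt
acl_smtp_notquit = acl_check_notquit

begin acl

acl_check_rcpt:
  # Before: "deny" answers 5xx but leaves the SMTP session open, so a
  # client that ignores the rejection keeps holding the connection.
  #   deny  dnslists = dnsbl.example.org
  #         message  = $sender_host_address is listed at $dnslist_domain

  # After: "drop" sends the same 5xx and then closes the connection.
  drop    dnslists = dnsbl.example.org
          message  = $sender_host_address is listed at $dnslist_domain

  # ... remaining RCPT checks (relay control, recipient verification) ...
  accept

acl_check_notquit:
  # Runs when an SMTP session ends without QUIT. The verdict is ignored;
  # the ACL is only useful for its side effects, here a log line that
  # can be counted per host as one weak signal among others.
  # Sessions we closed ourselves with "drop" are skipped so they do not
  # inflate the count.
  warn    condition = ${if eq{$smtp_notquit_reason}{acl-drop}{no}{yes}}
          logwrite  = no-QUIT H=[$sender_host_address] reason=$smtp_notquit_reason
  accept
```

Because some legitimate clients also disconnect without QUIT, the logged line is better fed into scoring than used to reject on its own.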
