On Mon, Jul 20, 2009 at 02:05:45PM -0300, Edison F Carbol wrote:
> My server is under a kind of attack. Lot of connections are trying to
> authenticate with the same username that doesn't exist.
>
> I'd like to drop all connections from a specific username before smtp
> authentication or any layer above.
>
> Is it possible to get the username at acl_smtp_auth?

When you say "from a specific username", do you mean the SMTP AUTH username?

In general, you can't drop connections "from a username" without first allowing the AUTH to proceed, so you know what the username is.

If your server is handling the load just fine anyway, I'd say do nothing. The unwanted traffic will probably subside soon enough.

If it's *not* handling the load just fine, then the only suggestion I can offer is to see if the same IPs are "attacking" again and again, and if they are (and those IPs are *only* "attacking", they're not also performing legitimate transactions), then block the offending IP addresses; either at your firewall, or in acl_smtp_connect.

(acl_smtp_connect is probably easier to implement and could even be automated; but each attacking connection still uses a non-negligible amount of server resource).

-- 
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey
-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
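The check suggested in the reply above (are the same IPs failing AUTH again and again, and are they only doing that?) can be automated from the Exim main log. The following is an added example, not code from the thread or from the Exim project; the log lines are constructed samples in the main log's usual style, and the username, threshold and function name are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (documentation address ranges, made-up message id).
SAMPLE_LOG = """\
2009-07-20 14:01:02 plain_login authenticator failed for (mail) [192.0.2.10]: 535 Incorrect authentication data (set_id=nosuchuser)
2009-07-20 14:01:05 plain_login authenticator failed for (mail) [192.0.2.10]: 535 Incorrect authentication data (set_id=nosuchuser)
2009-07-20 14:01:09 plain_login authenticator failed for (mail) [192.0.2.10]: 535 Incorrect authentication data (set_id=nosuchuser)
2009-07-20 14:01:12 plain_login authenticator failed for (mail) [192.0.2.10]: 535 Incorrect authentication data (set_id=nosuchuser)
2009-07-20 14:02:00 plain_login authenticator failed for (laptop) [198.51.100.7]: 535 Incorrect authentication data (set_id=nosuchuser)
2009-07-20 14:02:03 plain_login authenticator failed for (laptop) [198.51.100.7]: 535 Incorrect authentication data (set_id=nosuchuser)
2009-07-20 14:02:06 plain_login authenticator failed for (laptop) [198.51.100.7]: 535 Incorrect authentication data (set_id=nosuchuser)
2009-07-20 14:03:10 1MSwAb-0004cD-Ef <= alice@example.org H=(laptop) [198.51.100.7] P=esmtpa A=plain_login:alice S=2048
2009-07-20 14:04:00 plain_login authenticator failed for (pc) [203.0.113.5]: 535 Incorrect authentication data (set_id=nosuchuser)
"""

# Failed AUTH: capture the client IP and the attempted username (set_id=...).
AUTH_FAIL = re.compile(
    r"authenticator failed for .*\[([0-9a-fA-F.:]+)\](?::\d+)?: 535 .*\(set_id=([^)]*)\)")
# Message accepted from a remote host: capture the client IP.
ACCEPTED = re.compile(r" <= \S+ .*H=.*\[([0-9a-fA-F.:]+)\]")

def block_candidates(log_text, username, threshold=3):
    """Return IPs that failed AUTH as `username` at least `threshold` times
    and were never seen delivering an accepted message."""
    failures = Counter()
    legit = set()
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            if m.group(2) == username:
                failures[m.group(1)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            legit.add(m.group(1))
    return sorted(ip for ip, n in failures.items()
                  if n >= threshold and ip not in legit)

if __name__ == "__main__":
    # One address per line, suitable for a file that a host list reads.
    print("\n".join(block_candidates(SAMPLE_LOG, "nosuchuser")))
```

198.51.100.7 is left out even though it meets the threshold, because it also delivered an accepted message; that is the "only attacking" condition from the reply.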
