Hi,

On Mon, 19 Jul 2021 00:34:40 +0100 Tim Bray via mailop
<mailop@mailop.org> wrote:

> I didn't really get on with fail2ban.  I do have it running, but it 
> pulls very little for exim.
> 
> I did write my own script to follow the exim mainlog with a bunch of 
> regexp and drop IP addresses into ipset.   (task for future is to
> make it work nft natively)

I have a lot of custom rules in it, to catch even my own log messages
(exim's logwrite, log_message and/or message stuff). It works well for
my config and offending IPs; of course, it fails in this case as the IP
doesn't repeat.

I block for a relatively short time (1 hour) to quickly reveal false
positives, and I use f2b's recidive jail to add a long block on repeating
hosts.

If you want, feel free to contact me off list; I can help you with it.
There is no need to do your own parsing when f2b can do it for you.

> acl_connect:
> accept hosts = *
> delay = 6s

I have RBL & PTR checks in the connect ACL. It works well, as it adds a
timeout too (even bigger on some failing PTR checks). But I have
separate exim instances for MX & MSA, thus I can simply distinguish AUTH
access (and abuse) from incoming mail in this ACL.

The problem with rejecting the connection is that many clients consider
it a network failure and repeat constantly, even when they hit their own
timeout (disconnect before getting an answer). But thanks to f2b, they
are blocked shortly and thus it is effective.

> - this confuses some botnets.

Some are confused by a multiline banner too; they are then caught as out
of sync by exim ;-) But, e.g., rspamd's reporting is confused too...

I noticed that recent exim adds connect pipelining, but I still use an
older version.

> obviously somebody might write a better botnet email client ....

or they abuse a real MTA for delivery...

> I'm also lucky that our usernames follow a bit of a format which
> isn't the email address.   Seems quite common for bots to have a few
> guesses about what the username might be - again, easy to block.

I agree. While it is not about security, one can simply distinguish
login attempts on harvested email addresses. I have used this approach
for years, and where it is (was) not possible, I never use the email
address which is the login name, but its aliases. But nowadays gmail's
generation doesn't know about aliases...

> My main motivation for getting the blocking right is to avoid having 
> 1000s of connections from scanners, and so real mail not getting
> through.

Sure, blocking them is mostly not about security (but it counts too), but
about saving one's own resources. Most of the (one shot) abusers then
move away, to find a simpler target. But some have a "long cable" and try
to "break the wall with their head" (in quotes, raw translations of our
idioms).

For now it seems that this SMTP attack is gone, and I can enjoy the
next one...

regards

-- 
Slavko
http://slavino.sk

Attachment: pgpPZHrdA2cyh.pgp
Description: OpenPGP digital signature
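An added example, not code from this message, from exim or from fail2ban itself, modelling the setup described above: fail2ban-style failregex rules run over exim mainlog lines, a short ban once a host trips the rule repeatedly, and a recidive layer that escalates a host banned again within a day to a long ban. The log lines are constructed for this example in exim's mainlog layout using documentation addresses; the jail parameters (maxretry, findtime, bantime and the recidive thresholds) are assumed values, not the author's. It also reproduces the failure mode mentioned above: a one-shot host that never repeats collects no ban at all.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed jail parameters (fail2ban knobs of the same name; values are not the author's).
MAXRETRY, FINDTIME, BANTIME = 3, timedelta(minutes=10), timedelta(hours=1)
# Recidive layer: a second short ban within a day earns a week-long ban (assumed values).
RECID_MAXRETRY, RECID_FINDTIME, RECID_BANTIME = 2, timedelta(days=1), timedelta(days=7)

# failregex-style rules, one per exim mainlog message worth counting.
FAILREGEX = [
    re.compile(r"login authenticator failed for .*\[(?P<host>\d+\.\d+\.\d+\.\d+)\]"),
    re.compile(r"SMTP protocol synchronization error .* rejected connection from "
               r"H=\[(?P<host>\d+\.\d+\.\d+\.\d+)\]"),
]

# Constructed sample mainlog (exim's real message layout, made-up hosts and times).
SAMPLE_MAINLOG = """\
2021-07-19 00:34:40 login authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (set_id=alice@example.org)
2021-07-19 00:34:52 login authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (set_id=alice)
2021-07-19 00:35:05 login authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (set_id=info)
2021-07-19 00:36:00 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[198.51.100.7] input="EHLO bot"
2021-07-19 00:40:00 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=bob)
2021-07-19 01:50:00 login authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (set_id=carol)
2021-07-19 01:50:10 login authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (set_id=dave)
2021-07-19 01:50:20 login authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (set_id=erin)
"""


def parse_ts(line):
    """exim mainlog lines start with 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")


def run_jails(log_text):
    """Return (short_bans, long_bans) as lists of (timestamp, host) in log order."""
    hits = defaultdict(deque)         # host -> match timestamps inside the findtime window
    banned_until = {}                 # host -> expiry of the ban currently in force
    ban_history = defaultdict(deque)  # host -> short-ban timestamps (input to recidive)
    short_bans, long_bans = [], []
    for line in log_text.splitlines():
        for rx in FAILREGEX:
            m = rx.search(line)
            if m:
                break
        else:
            continue                  # line matches no rule
        host, ts = m.group("host"), parse_ts(line)
        # A banned host is dropped by the firewall, so exim would log nothing for it;
        # skip such lines to keep the model honest.
        if banned_until.get(host, datetime.min) > ts:
            continue
        window = hits[host]
        window.append(ts)
        while window and ts - window[0] > FINDTIME:
            window.popleft()          # sliding findtime window
        if len(window) < MAXRETRY:
            continue
        window.clear()
        banned_until[host] = ts + BANTIME
        short_bans.append((ts, host))
        # Recidive: count short bans of this host inside its own (longer) findtime.
        hist = ban_history[host]
        hist.append(ts)
        while hist and ts - hist[0] > RECID_FINDTIME:
            hist.popleft()
        if len(hist) >= RECID_MAXRETRY:
            hist.clear()
            banned_until[host] = ts + RECID_BANTIME
            long_bans.append((ts, host))
    return short_bans, long_bans


if __name__ == "__main__":
    short, long_ = run_jails(SAMPLE_MAINLOG)
    for ts, host in short:
        print(f"{ts} short ban  {host} (until {ts + BANTIME})")
    for ts, host in long_:
        print(f"{ts} recidive   {host} (until {ts + RECID_BANTIME})")
```

Running it, 192.0.2.10 gets a one-hour ban on its third failed login, comes back after the ban expires, is banned again and is then escalated by the recidive layer; 198.51.100.7 (one out-of-sync connection) and 203.0.113.5 (one bad login) never reach maxretry, which is exactly why a short findtime with a short ban is cheap on false positives but useless against an attacker who rotates source addresses.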

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop