Re: [exim] Feature Request: react on HTTP
On 06.05.21 at 14:14, Paul Muster via Exim-users wrote:

> Use fail2ban to detect these attempts in Exim's logfiles and ban the
> source on IP basis.

Of course we do this too, but the point is, the logfile is written with a delay. If you have 10 connections in parallel, it would be easier if the server would handle it internally. Reading & parsing the logs also takes time, so, in the end, fail2ban kicks in late.

Best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Feature Request: react on HTTP
On Thu, May 06, 2021 at 12:14:52PM +0200, Claus Assmann via Exim-users wrote:
> On Thu, May 06, 2021, Cyborg via Exim-users wrote:
>
> > these are clients, that send "GET /..whatever HTTP/1.0" as greeting.
>
> sendmail and postfix drop the connection at least on GET, POST,
> CONNECT, e.g.,
> 421 4.7.0 Rejecting open proxy

  root@pve:~# telnet 127.0.0.1 25
  Trying 127.0.0.1...
  Connected to 127.0.0.1.
  Escape character is '^]'.
  220 pve.x.ru ESMTP Postfix (Debian/GNU)
  GET / HTTP/1.0
  221 2.7.0 Error: I can break rules, too. Goodbye.
  Connection closed by foreign host.

Postfix does not violate the SMTP protocol (with a "421 4.7.0" response), and its authors definitely have a sense of humor. :)

--
Eugene Berdnikov
Re: [exim] Feature Request: react on HTTP
On 06.05.2021 at 11:43, Cyborg via Exim-users wrote:

> Every one of us sees this in their logfiles:
>
> 2021-05-06 11:07:57 no host name found for IP address 68.183.80.168
> 2021-05-06 11:07:58 no host name found for IP address 68.183.80.168
> 2021-05-06 11:07:58 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")
> 2021-05-06 11:07:59 no host name found for IP address 68.183.80.168
> 2021-05-06 11:07:59 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")
> 2021-05-06 11:08:00 no host name found for IP address 68.183.80.168
> 2021-05-06 11:08:00 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")
> 2021-05-06 11:08:01 no host name found for IP address 68.183.80.168
> 2021-05-06 11:08:01 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")
>
> these are clients, that send "GET /..whatever HTTP/1.0" as greeting.
>
> I suggest:
>
> not to wait for the usual error threshold of smtp related errors, but
> instead auto disconnect and block the IP for a few minutes, because, as
> seen, they come back as often as you let them.

Use fail2ban to detect these attempts in Exim's logfiles and ban the source on IP basis.

Regards,
Paul
Re: [exim] Feature Request: react on HTTP
On 06/05/2021 10:43, Cyborg via Exim-users wrote:
> these are clients, that send "GET /..whatever HTTP/1.0" as greeting.
> I think, that exim could be reliable

Nothing is reliable when dealing in that level of bogosity.

Please raise a wishlist-level bug for this. I'm thinking in terms of an acl_smtp_unrecognised, to permit such custom policy handling. I don't think it should be hardwired.

--
Cheers,
Jeremy
Re: [exim] Feature Request: react on HTTP
On Thu, May 06, 2021, Cyborg via Exim-users wrote:

> these are clients, that send "GET /..whatever HTTP/1.0" as greeting.

sendmail and postfix drop the connection at least on GET, POST,
CONNECT, e.g.,
421 4.7.0 Rejecting open proxy
Re: [exim] Feature Request: react on HTTP
Cyborg via Exim-users (Thu 06 May 2021 11:43:58 CEST):
>
> 2021-05-06 11:07:58 no host name found for IP address 68.183.80.168
> 2021-05-06 11:07:58 SMTP call from [68.183.80.168] dropped: too many
> unrecognized commands (last was "Accept-Encoding: gzip, deflate")
…
> I suggest:
>
> not to wait for the usual error threshold of smtp related errors, but
> instead auto disconnect and block the IP for a few minutes, because, as
> seen, they come back as often as you let them.

Shouldn't the enforcement of synchronisation already prevent this? Hm, maybe we've a mid-air collision of our banner and their HTTP request. Don't we have a max_invalid_smtp_commands threshold? Or what point am I missing here?

--
Heiko
[exim] Feature Request: react on HTTP
Hi,

Every one of us sees this in their logfiles:

2021-05-06 11:07:57 no host name found for IP address 68.183.80.168
2021-05-06 11:07:58 no host name found for IP address 68.183.80.168
2021-05-06 11:07:58 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")
2021-05-06 11:07:59 no host name found for IP address 68.183.80.168
2021-05-06 11:07:59 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")
2021-05-06 11:08:00 no host name found for IP address 68.183.80.168
2021-05-06 11:08:00 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")
2021-05-06 11:08:01 no host name found for IP address 68.183.80.168
2021-05-06 11:08:01 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")

these are clients, that send "GET /..whatever HTTP/1.0" as greeting.

I suggest:

not to wait for the usual error threshold of smtp related errors, but instead auto disconnect and block the IP for a few minutes, because, as seen, they come back as often as you let them.

I think that exim could reliably detect and implement this without breaking any existing config. As a result, the world will be a better place and fewer hamsters get wasted in the CPUs around the world. This also is a small benefit for the world's climate, through lower energy consumption ;)

best regards,
Marius
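The mainlog lines quoted in this post are what the fail2ban-style approach suggested elsewhere in the thread works from. As an added example (not code from the thread, from Exim or from fail2ban), here is a minimal scanner that applies that logic: it ignores the "no host name found" noise, counts only the "dropped: too many unrecognized commands" line per source address, and reports a source once it reaches a threshold inside a sliding time window. The sample log is constructed from the excerpt above plus one documentation address (192.0.2.10) that must not trip the threshold; the threshold of 3 drops in 60 seconds is an assumed policy, not an Exim or fail2ban default.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, modelled on the Exim mainlog excerpt quoted in the thread;
# 192.0.2.10 is an added documentation address that should NOT reach the threshold.
SAMPLE_LOG = """\
2021-05-06 11:07:57 no host name found for IP address 68.183.80.168
2021-05-06 11:07:58 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")
2021-05-06 11:07:59 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")
2021-05-06 11:08:00 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")
2021-05-06 11:08:01 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")
2021-05-06 11:09:30 SMTP call from [192.0.2.10] dropped: too many unrecognized commands (last was "HELP")
"""

# Only the "dropped" line is evidence; "no host name found" lines are ordinary noise.
DROP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"SMTP call from \[(?P<ip>[^\]]+)\] dropped: too many unrecognized commands"
)


def find_repeat_offenders(log_text, max_drops=3, window_seconds=60):
    """Return {ip: "YYYY-MM-DD HH:MM:SS"} for every source whose drop count
    reaches max_drops inside a sliding window of window_seconds; the value is
    the timestamp of the line that tipped it over (when a ban would start)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> drop timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = DROP_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if ip in banned:
            continue                          # decision already made for this source
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:             # age out drops older than the window
            q.popleft()
        if len(q) >= max_drops:
            banned[ip] = ts.strftime("%Y-%m-%d %H:%M:%S")
    return banned


if __name__ == "__main__":
    for ip, when in find_repeat_offenders(SAMPLE_LOG).items():
        print(f"would ban {ip} from {when}")
```

Note that with the sample data the decision lands on the third drop at 11:08:00, two seconds after the first; a real log follower still only sees these lines after Exim has flushed them, which is the latency Marius objects to later in the thread.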