
Re: grokking exim4 and slowing spammers with iptables -m recent



On 11/23/2005 12:30 AM, Tony Godshall wrote:
> 
> Hi folks.
> 
> I've been using Exim since I started doing e-mail on my Debian box
> many years ago.  But I never was able to really get into its configs-
> the docs are kind of hard to grok for me.  And the exim4 configs
> really make my brain hurt... I can't tell where the settings are
> without doing a 'grep ptn /etc/default/exim* /etc/exim4.config $(find
> /etc/exim4/. -type f)' and even then I have trouble.  Thank goodness
> the dpkg reconfigure does a good job.
> 
> Anyhow, I've had a domain for a decade where my hosting svc used to
> forward *all* e-mail to me, and spammers made up usernames and passed
> them around.  Ultimately the load became too heavy for his servers
> and he wasn't inclined to fix the config, so I pointed the MX to my
> DSL line and took it inhouse- Exim handles it very well.
> 
> Getting to the point, I now have tons of "Unroutable address" logs
> like this in my /var/log/exim4/mainlog...
> 
> 2005-11-22 12:34:53 H=adsl-63-195-120-242.dsl.snfc21.pacbell.net
> (thesitefights.com) [63.195.120.242]
> F=<connie.cisneros_qx@adelphia.com> rejected RCPT <middleton@of.net>:
> Unrouteable address
> 
> What I'd love to do is trigger an action in those cases- something
> like ..
> 
> echo 63.195.120.242 > /proc/net/ipt_recent/smtp_penalty_box
> 
> ...which would trigger something like...
> 
> iptables -A INPUT \
>   -m recent --name smtp_penalty_box --rcheck --seconds 60 \
>   -j DROP
> 
> ...and effectively block that sender for a minute.
> 
> Yes, I know about tarpit, and it's cool, but I don't really want to
> do a complete tarpit in these circumstances (it could trigger in
> legit cases too)- I want to slow down senders who are using lots of
> made-up addresses.
> 
> So my question is...  Can you tell me or point me toward where I
> would put my "echo to the penalty box" in the Exim4 configs?
> 
> Best Regards,
> 
> Tony

Just a guess:  Use fail2ban, point it to exim4/mainlog, set
/etc/fail2ban.conf to trigger 'Unrouteable' to ban the offending IP
(uses iptables).

Regards.
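Putting the two posts together, as an added example that is not code from either poster: a small POSIX shell script that picks the "Unrouteable address" rejections out of an Exim4 mainlog, counts them per client IP so that a legitimate sender with one mistyped recipient stays below the threshold, and writes only repeat offenders into the recent-match list that the question's `-m recent --rcheck --seconds 60 -j DROP` rule would consult. The log lines are constructed, and the proc path and bare-address write form follow the ipt_recent interface quoted in the question; newer kernels expose /proc/net/xt_recent/NAME and take a leading `+` on the address.

```shell
#!/bin/sh
# Added example: pick "Unrouteable address" rejections out of an Exim4 mainlog,
# count them per client IP, and feed repeat offenders into an ipt_recent list
# that an "iptables -m recent --rcheck --seconds 60 -j DROP" rule can match.
# Log lines below are constructed; 192.0.2.0/24 is a documentation range.

SAMPLE_LOG='2005-11-22 12:34:53 H=mail.example.net (example.net) [192.0.2.10] F=<a@example.org> rejected RCPT <nobody@example.com>: Unrouteable address
2005-11-22 12:34:54 H=mail.example.net (example.net) [192.0.2.10] F=<b@example.org> rejected RCPT <nouser@example.com>: Unrouteable address
2005-11-22 12:34:55 H=mail.example.net (example.net) [192.0.2.10] F=<c@example.org> rejected RCPT <ghost@example.com>: Unrouteable address
2005-11-22 12:35:01 H=relay.example.com [192.0.2.20] F=<d@example.org> rejected RCPT <typo@example.com>: Unrouteable address
2005-11-22 12:35:02 <= e@example.org H=relay.example.com [192.0.2.20] P=esmtp S=1234
2005-11-22 12:35:03 H=(box) [192.0.2.30] F=<f@example.org> rejected RCPT <x@example.com>: relay not permitted'

# Print each client IP that produced at least $1 (default 3) Unrouteable
# rejections in the mainlog text read from stdin.  A legitimate sender with a
# single typo in a recipient address stays below the threshold and is ignored.
unrouteable_offenders() {
    threshold="${1:-3}"
    grep 'rejected RCPT .*: Unrouteable address' \
      | sed -n 's/.*\[\([0-9][0-9.]*\)\].*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Add one address to a recent-match list.  $2 is the list's proc file; the
# default path and bare-address write form match the ipt_recent interface in
# the question (newer kernels use /proc/net/xt_recent/NAME and take "+addr").
penalize() {
    ip="$1"
    box="${2:-/proc/net/ipt_recent/smtp_penalty_box}"
    case "$ip" in
        *[!0-9.]*|"") return 1 ;;   # refuse anything that is not a dotted quad
    esac
    echo "$ip" > "$box"
}

# Demonstration on the constructed sample.  A cron job or a log tail would
# instead pipe in /var/log/exim4/mainlog (or its last N lines) and call
# penalize on each address printed.
printf '%s\n' "$SAMPLE_LOG" | unrouteable_offenders 3
```

Because the rule only drops for 60 seconds after the last hit, an address that keeps hammering made-up recipients is re-added on the next run while a one-off mistake is never listed at all.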
