Re: grokking exim4 and slowing spammers with iptables -m recent
On 11/23/2005 12:30 AM, Tony Godshall wrote:
>
> Hi folks.
>
> I've been using Exim since I started doing e-mail on my Debian box
> many years ago. But I never was able to really get into its configs-
> the docs are kind of hard to grok for me. And the exim4 configs
> really make my brain hurt... I can't tell where the settings are
> without doing a 'grep ptn /etc/default/exim* /etc/exim4.config $(find
> /etc/exim4/. -type f)' and even then I have trouble. Thank goodness
> the dpkg reconfigure does a good job.
>
> Anyhow, I've had a domain for a decade where my hosting svc used to
> forward *all* e-mail to me, and spammers made up usernames and passed
> them around. Ultimately the load became too heavy for his servers
> and he wasn't inclined to fix the config, so I pointed the MX to my
> DSL line and took it inhouse- Exim handles it very well.
>
> Getting to the point, I now have tons of "Unroutable address" logs
> like this in my /var/log/exim4/mainlog...
>
> 2005-11-22 12:34:53 H=adsl-63-195-120-242.dsl.snfc21.pacbell.net
> (thesitefights.com) [63.195.120.242]
> F=<connie.cisneros_qx@adelphia.com> rejected RCPT <middleton@of.net>:
> Unrouteable address
>
> What I'd love to do is trigger an action in those cases- something
> like ..
>
> echo 63.195.120.242 > /proc/net/ipt_recent/smtp_penalty_box
>
> ...which would trigger something like...
>
> iptables -A INPUT \
>   -m recent --name smtp_penalty_box --rcheck --seconds 60 \
>   -j DROP
>
> ...and effectively block that sender for a minute.
>
> Yes, I know about tarpit, and it's cool, but I don't really want to
> do a complete tarpit in these circumstances (it could trigger in
> legit cases too)- I want to slow down senders who are using logs of
> made-up addresses.
>
> So my question is... Can you tell me or point me toward where I
> would put my "echo to the penalty box" in the Exim4 configs?
>
> Best Regards,
>
> Tony
Just a guess: Use fail2ban, point it to exim4/mainlog, set
/etc/fail2ban.conf to trigger 'Unrouteable' to ban the offending IP
(uses iptables).
Regards.
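
A log-watching approach like the one suggested in the reply, sketched as an added example that is not part of either message and is not fail2ban's own code: it picks "Unrouteable address" RCPT rejections out of mainlog lines and returns only hosts that hit several within a short window, so a single mistyped address is not penalised. The threshold, window, function names and all sample lines except the 12:34:53 entry are assumptions; IPv4 only.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Exim writes one entry per line; the sample in the post is wrapped only by e-mail.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*? rejected RCPT <[^>]*>: Unrouteable address"
)

# Constructed sample: only the 12:34:53 entry comes from the post, the rest are made up.
SAMPLE_LOG = """\
2005-11-22 12:00:00 H=(mail.example.net) [192.0.2.9] F=<a@example.net> rejected RCPT <x1@example.org>: Unrouteable address
2005-11-22 12:10:00 H=(mail.example.net) [192.0.2.9] F=<a@example.net> rejected RCPT <x2@example.org>: Unrouteable address
2005-11-22 12:20:00 H=(mail.example.net) [192.0.2.9] F=<a@example.net> rejected RCPT <x3@example.org>: Unrouteable address
2005-11-22 12:34:53 H=adsl-63-195-120-242.dsl.snfc21.pacbell.net (thesitefights.com) [63.195.120.242] F=<connie.cisneros_qx@adelphia.com> rejected RCPT <middleton@of.net>: Unrouteable address
2005-11-22 12:35:01 H=adsl-63-195-120-242.dsl.snfc21.pacbell.net (thesitefights.com) [63.195.120.242] F=<b@example.com> rejected RCPT <y1@example.org>: Unrouteable address
2005-11-22 12:35:10 H=adsl-63-195-120-242.dsl.snfc21.pacbell.net (thesitefights.com) [63.195.120.242] F=<c@example.com> rejected RCPT <y2@example.org>: Unrouteable address
2005-11-22 12:35:15 1EeXyZ-0001aB-2c <= bob@example.org H=(mx.example.org) [198.51.100.7] P=esmtp S=1234
2005-11-22 12:35:20 H=(mx.example.org) [198.51.100.7] F=<bob@example.org> rejected RCPT <typo@example.org>: Unrouteable address
"""

def offenders(lines, threshold=3, window=timedelta(seconds=60)):
    """Return IPs with at least `threshold` unrouteable rejections inside `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of rejections still in the window
    flagged = []
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:   # drop rejections older than the window
            hits.popleft()
        if len(hits) >= threshold and m["ip"] not in flagged:
            flagged.append(m["ip"])
    return flagged

def penalise(ips, path="/proc/net/ipt_recent/smtp_penalty_box"):
    """Write each address to the list file named in the post (needs root there)."""
    with open(path, "a") as box:
        for ip in ips:
            box.write(ip + "\n")
            box.flush()   # one write() per address

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG.splitlines()))
```
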