Exim attacks

2 posts Page 1 of 1
twofus
Junior Member
Posts: 2
Joined: 14 Feb 2019, 15:07


Suggestion - block Exim attacks that are designed to degrade server performance:

Log files below of the issue (IP used is arbitrary). CENTOS 7 server.

Log directory:
/var/log/exim_mainlog

2019-02-13 18:51:46.727 [32754] no MAIL in SMTP connection from [180.119.68.17]:53797 I=[xx.xx.xx.xx]:25 D=10s
2019-02-13 18:51:57.453 [32756] no MAIL in SMTP connection from [180.119.68.17]:57662 I=[xx.xx.xx.xx]:25 D=10s
2019-02-13 18:52:08.176 [307] no MAIL in SMTP connection from [180.119.68.17]:62178 I=[xx.xx.xx.xx]:25 D=10s
2019-02-13 18:52:18.922 [315] no MAIL in SMTP connection from [180.119.68.17]:51659 I=[xx.xx.xx.xx]:25 D=10s

Hundreds or thousands of these within seconds, many times from numerous IP's. Limit connections doesn't catch them.

I would like to see a perm block triggered after 5 such fails in any 1 second period.

Thanks for the consideration
AdminWonder
Junior Member
Posts: 12
Joined: 25 Feb 2014, 16:26


Your suggestion is the one at all. It is implemented a long time ago and has nothing to do with exim. Simply remove the initial signature until the IP and have permanant blocking activated. I have been using this since years now.
2 posts Page 1 of 1