Mailing List Archive

heads-up: some spam bots started RCPT flooding
Hi!

Maybe you've already noticed some spam bots trying to deliver spam to
exactly 100 recipients in one wash up. They take a list of common user
names, add your domain name, and then loop through 100 RCPT TOs per mail.
To slow them down you could use the settings smtp_ratelimit_hosts and
smtp_ratelimit_rcpt. Be careful not to bother your customers/users with
too large delays. Lowering recipients_max is not really feasible as RFC
5321 clearly states a minimum of 100.

ciao
Markus
--
/ Markus Reschke \
\ madires@theca-tabellaria.de /


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: heads-up: some spam bots started RCPT flooding
On 14/05/2023 18:56, Markus Reschke via Exim-users wrote:
> They take a list of common user names, add your domain name, and then loop through 100 RCPT TOs per mail.

An escalating delay per RCPT *reject* isn't hard.
--
Cheers,
Jeremy


Re: heads-up: some spam bots started RCPT flooding
On Sun, 14 May 2023, Jeremy Harris via Exim-users wrote:

Hi!

> On 14/05/2023 18:56, Markus Reschke via Exim-users wrote:
>> They take a list of common user names, add your domain name, and then loop
>> through 100 RCPT TOs per mail.

> An escalating delay per RCPT *reject* isn't hard.

I was able to keep each spambot's connection open for about 6 hours. >:) The
drawback is that you run the same number of exim processes all that time.
So I moved to a simple ACL rule to drop the connection when the first x
recipients are rejected:

drop    message   = Too many bad recipients
        condition = ${if and {{>{$rcpt_count}{5}}{=={$recipients_count}{0}}}{yes}{no}}

ciao
Markus
--
/ Markus Reschke \
\ madires@theca-tabellaria.de /


Re: heads-up: some spam bots started RCPT flooding
On 15/05/2023 10:21, Markus Reschke via Exim-users wrote:

Firstly I thank you for raising this on the mailing list and providing help.

> I moved to a simple ACL rule to drop the connection when the
> first x recipients are rejected:
>
> drop message = Too many bad recipients
> condition = ${if and
> {{>{$rcpt_count}{5}}{=={$recipients_count}{0}}}{yes}{no}}

This works, however if a valid address is given (and everything else
about it is acceptable) in the first 5 then $recipients_count is not zero
and the condition does not trigger. I have seen this attempted hack use
abuse@ and postmaster@, which according to the RFCs must be valid.

I use:

        condition = ${if and {{>{$rcpt_count}{2}}{>{${eval:$rcpt_count-$recipients_count}}{2}}}{yes}{no}}

This allows only 2 bad recipients.

Note I have yet to see this hack use a valid address and not be rejected
for some other reason so $recipients_count has been zero anyway.

Re: heads-up: some spam bots started RCPT flooding
Hi,

On Sat, 20 May 2023 09:20:46 +0100 James via Exim-users
<exim-users@lists.exim.org> wrote:

> I use:
> condition = ${if and
> {{>{$rcpt_count}{2}}{>{${eval:$rcpt_count-$recipients_count}}{2}}}{yes}{no}}

Current Debian's exim has something like this (I slightly rewrote it):

        condition = ${if >{$rcpt_count}{10}}
        condition = ${if <{$recipients_count}{${eval:$rcpt_count/2}}}

It took action only after 10 recipients and when more than 50% of
them failed...

regards

--
Slavko
https://www.slavino.sk
Re: heads-up: some spam bots started RCPT flooding
On 20/05/2023 10:12, Slavko via Exim-users wrote:
> It took action only after 10 recipients and when more than 50% from
> them fails...

I tried a ratio threshold but with low numbers the resulting ratios are
limited (0/2, 1/2, 2/2, 0/3, 1/3, 2/3, ...) and I realised dividing was
no better than allowing 2. I can see no reason why any sane user should
send 5 bad recipients (I do know all my users; your results may vary).

Re: heads-up: some spam bots started RCPT flooding
On 2023-05-20 01:20, James via Exim-users wrote:
> On 15/05/2023 10:21, Markus Reschke via Exim-users wrote:
>
> Firstly I thank you for raising this on the mailing list and providing
> help.
>
>> I moved to a simple ACL rule to drop the connection when the
>> first x recipients are rejected:
>>
>> drop  message = Too many bad recipients
>>       condition = ${if and
>> {{>{$rcpt_count}{5}}{=={$recipients_count}{0}}}{yes}{no}}
>
> This works, however if a valid address is given (and everything else
> about it is acceptable) in the first 5 then recipients_count is not zero
> and condition does not trigger  I have seen this attempted hack use
> abuse@ and postmaster@ which according to RFCs must be valid.
>
> I use:
>     condition = ${if and
> {{>{$rcpt_count}{2}}{>{${eval:$rcpt_count-$recipients_count}}{2}}}{yes}{no}}
>
> this allows only 2 bad recipients.
>
> Note I have yet to see this hack use a valid address and not be rejected
> for some other reason so $recipients_count has been zero anyway.
>

Which of the ACLs should this actually be in? I tried (though I may have
made typos) each of check_mail, check_rcpt, and check_data but it didn't
trigger at all.

Re: heads-up: some spam bots started RCPT flooding
Hi!

On 2023-05-20 01:20, James via Exim-users wrote:
> I use:
>     condition = ${if and
> {{>{$rcpt_count}{2}}{>{${eval:$rcpt_count-$recipients_count}}{2}}}{yes}{no}}

Nice refinement!


On Sun, 21 May 2023, Alexander Carver via Exim-users wrote:

> Which of the ACLs should this actually be in? I tried (though I may have made
> typos) each of check_mail, check_rcpt, and check_data but it didn't trigger
> at all.

Should be one of the first rules in check_rcpt to stop the RCPT flooding,
as check_rcpt is run for each RCPT TO.

ciao
Markus
--
/ Markus Reschke \
\ madires@theca-tabellaria.de /

Re: heads-up: some spam bots started RCPT flooding
On 2023-05-22 03:56, Markus Reschke via Exim-users wrote:
> Hi!
>
> On 2023-05-20 01:20, James via Exim-users wrote:
>> I use:
>>      condition = ${if and
>> {{>{$rcpt_count}{2}}{>{${eval:$rcpt_count-$recipients_count}}{2}}}{yes}{no}}
>
> Nice refinement!
>
>
> On Sun, 21 May 2023, Alexander Carver via Exim-users wrote:
>
>> Which of the ACLs should this actually be in? I tried (though I may
>> have made typos) each of check_mail, check_rcpt, and check_data but it
>> didn't trigger at all.
>
> Should be one of the first rules in check_rcpt to stop the RCPT
> flooding, as check_rcpt is run for each RCPT TO.
>
> ciao
>  Markus

Wonderful, thanks, got it working (I did indeed have a typo).

Hopefully the sudden bot storm dies down soon. But at least with this
wonderful rule my log files aren't filling up quite so quickly.
