Excessive "bad recipient" messages in syslog
It seems like some of the spammers have changed tactics and are now sending messages with 98 or so bad RCPT addresses, which (happily) Exim detects. But now I’m getting a flood of messages in syslog, such as:

2023-05-28 00:24:39 REJECT [168.121.195.104]: bad recipient count high [9]
2023-05-28 00:24:39 H=([168.121.195.104]) [168.121.195.104] F=<70g3gpds9l3n8@vogk.ru> rejected RCPT <comercial@bluepopcorn.net>: Rejected for too many bad recipients

…many lines deleted…

2023-05-28 00:24:39 REJECT [168.121.195.104]: bad recipient count high [98]
2023-05-28 00:24:39 H=([168.121.195.104]) [168.121.195.104] F=<70g3gpds9l3n8@vogk.ru> rejected RCPT <admin@bluepopcorn.net>: Rejected for too many bad recipients

I can easily change the configuration to make this happen silently, but I would like some visibility that this is happening, for example, in my daily logwatch output. Has anyone devised a way to cut down on the number of messages without eliminating them entirely?

-Jim

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
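One way to keep the visibility Jim asks for without the per-RCPT flood is to collapse the log into one line per connecting host before it reaches the daily report. This is an added example, not code from the thread or from Exim: the regexes assume the exact "bad recipient count high" log_message wording shown above, and the second host (192.0.2.7) with its addresses is constructed.

```python
import re
from collections import defaultdict

# Patterns for the two Exim log lines shown in the post (the log_message wording is site-specific).
REJECT_RE = re.compile(r"^(\S+ \S+) REJECT \[([^\]]+)\]: bad recipient count high \[(\d+)\]$")
RCPT_RE = re.compile(r"^(\S+ \S+) H=\(.*?\) \[([^\]]+)\] F=<([^>]*)> rejected RCPT <([^>]*)>:"
                     r" Rejected for too many bad recipients$")

def summarise(lines):
    """Collapse the per-RCPT flood into one record per connecting IP."""
    hosts = defaultdict(lambda: {"first": None, "last": None, "rejects": 0,
                                 "peak": 0, "senders": set(), "rcpts": set()})
    for line in lines:
        line = line.strip()
        if m := REJECT_RE.match(line):
            ts, ip, n = m.groups()
            h = hosts[ip]
            h["first"] = h["first"] or ts
            h["last"] = ts
            h["rejects"] += 1
            h["peak"] = max(h["peak"], int(n))  # highest [N] Exim reported for this host
        elif m := RCPT_RE.match(line):
            _, ip, sender, rcpt = m.groups()
            hosts[ip]["senders"].add(sender)
            hosts[ip]["rcpts"].add(rcpt)
    return dict(hosts)

def report(hosts, min_peak=1):
    """One line per IP for a logwatch-style daily summary, noisiest host first."""
    rows = []
    for ip, h in sorted(hosts.items(), key=lambda kv: -kv[1]["peak"]):
        if h["peak"] < min_peak:
            continue
        rows.append(f"{ip}: {h['rejects']} rejects, peak bad-rcpt count {h['peak']}, "
                    f"{len(h['rcpts'])} recipients, {len(h['senders'])} sender(s), "
                    f"{h['first']} .. {h['last']}")
    return rows

# Constructed sample: the lines quoted in the post plus one made-up host (192.0.2.7, documentation range).
SAMPLE_LOG = [
    "2023-05-28 00:24:39 REJECT [168.121.195.104]: bad recipient count high [9]",
    "2023-05-28 00:24:39 H=([168.121.195.104]) [168.121.195.104] F=<70g3gpds9l3n8@vogk.ru> "
    "rejected RCPT <comercial@bluepopcorn.net>: Rejected for too many bad recipients",
    "2023-05-28 00:24:39 REJECT [168.121.195.104]: bad recipient count high [98]",
    "2023-05-28 00:24:39 H=([168.121.195.104]) [168.121.195.104] F=<70g3gpds9l3n8@vogk.ru> "
    "rejected RCPT <admin@bluepopcorn.net>: Rejected for too many bad recipients",
    "2023-05-28 01:02:10 REJECT [192.0.2.7]: bad recipient count high [9]",
    "2023-05-28 01:02:10 H=(mail.example.net) [192.0.2.7] F=<x@example.net> "
    "rejected RCPT <info@example.org>: Rejected for too many bad recipients",
]
```

Feed it `summarise(open("/var/log/exim4/mainlog"))` and print `report(...)` from a logwatch hook; `min_peak` lets you drop hosts that only tripped the threshold once.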
Re: Excessive "bad recipient" messages in syslog
On 28/05/2023 22:09, Jim Fenton via Exim-users wrote:
> Has anyone devised a way to cut down on the number of messages without eliminating them entirely?

Assuming you're using a "deny" verb in the RCPT ACL for this
condition, if the spammer merrily carries on with a further
bad recipient for this same message you'll be getting yet
another such log line...

You could consider a "drop" verb. And then worry if they'll
just try connecting again (at which point you look into
"seen" or "ratelimit" actions).

Or you could consider an escalating delay, every time you
detect the condition.
--
Cheers,
Jeremy


Re: Excessive "bad recipient" messages in syslog
Hi,

On 28.05.23 at 23:32, Jeremy Harris via Exim-users wrote:
> Or you could consider an escalating delay, every time you detect the
> condition.

Can you point to a good example for such a tarpit? I thought about
using those on servers that have nothing else to do, just to troll the
attackers and bind resources :D

Best regards,
Marius

Re: Excessive "bad recipient" messages in syslog
On 29/05/2023 09:40, Cyborg via Exim-users wrote:
> On 28.05.23 at 23:32, Jeremy Harris via Exim-users wrote:
>> Or you could consider an escalating delay, every time you detect the condition.
>
> Can you point to a good example for such a tarpit

No, but without thinking too hard:

(in rcpt acl)

  # acl_c_ variables persist for the whole connection, so every further
  # bad recipient from this client adds another 5 seconds to the delay
  deny condition = <stupid spammer>
       set acl_c_stupid_spammer_delay = ${eval:$acl_c_stupid_spammer_delay+5}
       delay = ${acl_c_stupid_spammer_delay}s

--
Cheers,
Jeremy


Re: Excessive "bad recipient" messages in syslog
I've been following this particular botnet pretty closely. It's an
incredible one. If anyone is interested, I have a list of IPs of this
botnet that increases daily:
https://github.com/mxroute/da_server_updates/blob/master/sec/botnet.list

It's been a good while since I've seen a botnet this persistent and slow
to reveal itself. Usually one of this size blows its wad all in one go
and you can list out every currently infected PC/IP in a day or so. This
one seems to either be taking its time, or is adding new systems to
its list at a very solid pace.

On 2023-05-28 16:09, Jim Fenton via Exim-users wrote:

> It seems like some of the spammers have changed tactics and are now
> sending messages with 98 or so bad RCPT addresses, which (happily) Exim
> detects. But now I'm getting a flood of messages in syslog, such as:
>
> 2023-05-28 00:24:39 REJECT [168.121.195.104]: bad recipient count high
> [9]
> 2023-05-28 00:24:39 H=([168.121.195.104]) [168.121.195.104]
> F=<70g3gpds9l3n8@vogk.ru>
> rejected RCPT <comercial@bluepopcorn.net>: Rejected for too many bad
> recipients
>
> …many lines deleted…
>
> 2023-05-28 00:24:39 REJECT [168.121.195.104]: bad recipient count high
> [98]
> 2023-05-28 00:24:39 H=([168.121.195.104]) [168.121.195.104]
> F=<70g3gpds9l3n8@vogk.ru> rejected RCPT <admin@bluepopcorn.net>:
> Rejected for too many bad recipients
>
> I can easily change the configuration to make this happen silently, but
> I would like some visibility that this is happening, for example, in my
> daily logwatch output. Has anyone devised a way to cut down on the
> number of messages without eliminating them entirely?
>
> -Jim

Re: Excessive "bad recipient" messages in syslog
On Sun, 28 May 2023, Jim Fenton via Exim-users wrote:


> I can easily change the configuration to make this happen silently,
> but I would like some visibility that this is happening, for
> example, in my daily logwatch output. Has anyone devised a way to
> cut down on the number of messages without eliminating them
> entirely?

exim supports rate-limiting - allowing something to happen,
but not more than n actions in time period t (plus extra knobs).

I imagine you could rate-limit a logging action and have a separate
action to actually block the message that is not rate-limited.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: Excessive "bad recipient" messages in syslog
This IP (168.121.195.104) is currently listed in the XBL, CSS and PBL at
Spamhaus.


On 5/31/23 07:22, Jarland Donnell via Exim-users wrote:
>
>
> I've been following this particular botnet pretty closely. It's an
> incredible one. If anyone is interested, I have a list of IPs of this
> botnet that increases daily:
> https://github.com/mxroute/da_server_updates/blob/master/sec/botnet.list
>
> It's been a good while since I've seen a botnet this persistent and slow
> to reveal itself. Usually one of this size blows its wad all in one go
> and you can list out every currently infected PC/IP in a day or so. This
> one seems to either be taking its time, or is adding new systems to
> its list at a very solid pace.
>
> On 2023-05-28 16:09, Jim Fenton via Exim-users wrote:
>
>> It seems like some of the spammers have changed tactics and are now
>> sending messages with 98 or so bad RCPT addresses, which (happily)
>> Exim detects. But now I'm getting a flood of messages in syslog, such as:
>>
>> 2023-05-28 00:24:39 REJECT [168.121.195.104]: bad recipient count high
>> [9]
>> 2023-05-28 00:24:39 H=([168.121.195.104]) [168.121.195.104]
>> F=<70g3gpds9l3n8@vogk.ru>
>> rejected RCPT <comercial@bluepopcorn.net>: Rejected for too many bad
>> recipients
>>
>> …many lines deleted…
>>
>> 2023-05-28 00:24:39 REJECT [168.121.195.104]: bad recipient count high
>> [98]
>> 2023-05-28 00:24:39 H=([168.121.195.104]) [168.121.195.104]
>> F=<70g3gpds9l3n8@vogk.ru> rejected RCPT <admin@bluepopcorn.net>:
>> Rejected for too many bad recipients
>>
>> I can easily change the configuration to make this happen silently,
>> but I would like some visibility that this is happening, for example,
>> in my daily logwatch output. Has anyone devised a way to cut down on
>> the number of messages without eliminating them entirely?
>>
>> -Jim
>

