
Tackling Bot Blasts
Hi all,

As I’m sure many of you have witnessed, there appears to be something of a concerted effort recently amongst bot-herders to test (completely free of charge) our Internet connections and servers by smashing them with hundreds of delivery attempts per second. Per second.

I cannot recall ever seeing such sustained and incredibly fast network abuse, although I’m probably in the minority.

After trying several ACLs and even inviting IPTables to the party at one stage, I still seemed powerless to prevent mainlog filling up with an inordinate amount of crap; that is until this morning.

Thanks to Jeremy Harris for recommending (to another poster) use of the DROP verb instead of DENY for a certain ACL use case. Sheepishly I changed the DENY verb to DROP and hey presto, way less noise in mainlog and far less chance of a successful delivery. I’d completely forgotten about DROP, for some strange reason only considering DISCARD as an alternative to DENY.


acl_check_rcpt:

  drop
    message   = No host name found.
    condition = ${if eq{$host_lookup_failed} {1} {1}{0}}

  drop
    message   = Too many bad recipients.
    condition = ${if and {{>{$rcpt_count}{2}}{>{${eval:$rcpt_count-$recipients_count}}{2}}}{yes}{no}}


I believe the latter ACL was originally shown on this mailing list but together, these puppies work wonders for my requirements.

For now :)

Thanks again.


Pete.
Re: Tackling Bot Blasts [ In reply to ]
On Mon, May 29, 2023 at 4:23 PM Pete Long via Exim-users <
exim-users@lists.exim.org> wrote:

> Hi all,
>
> As I’m sure many of you have witnessed, there appears to be something of a
> concerted effort recently amongst bot-herders to test (completely free of
> charge) our Internet connections and servers by smashing them with hundreds
> of delivery attempts per second. Per second.
>
> I cannot recall ever seeing such sustained and incredibly fast network
> abuse, although I’m probably in the minority.
>
> After trying several ACLs and even inviting IPTables to the party at one
> stage, I still seemed powerless to prevent mainlog filling up with an
> inordinate amount of crap; that is until this morning.
>
> Thanks to Jeremy Harris for recommending (to another poster) use of the
> DROP verb instead of DENY for a certain ACL use case. Sheepishly I changed
> the DENY verb to DROP and hey presto, way less noise in mainlog and far
> less chance of a successful delivery. I’d completely forgotten about DROP,
> for some strange reason only considering DISCARD as an alternative to DENY.
>
>
> acl_check_rcpt:
>
> drop
> message = No host name found.
> condition = ${if eq{$host_lookup_failed} {1} {1}{0}}
>

How about if you did the above in acl_check_connect instead of
acl_check_rcpt??

And only the below in acl_check_rcpt ?

> drop message = Too many bad recipients.
> condition = ${if and
> {{>{$rcpt_count}{2}}{>{${eval:$rcpt_count-$recipients_count}}{2}}}{yes}{no}}
>

Maybe you'd save some CPU cycles?


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions:
http://www.catb.org/~esr/faqs/smart-questions.html]

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Tackling Bot Blasts [ In reply to ]
On 29 May 2023 at 9:01:56 UTC, Pete Long via Exim-users <exim-users@lists.exim.org> wrote:

> drop
>   message = No host name found.
>   condition = ${if eq{$host_lookup_failed} {1} {1}{0}}

Beware, host lookup is done by forward confirmation,
in other words, PTR followed by A/AAAA lookup. That
variable is 1 if any of them fails, not only the PTR
one... IMO too strict for the real world...

Anyway, that must be enough:

condition = $host_lookup_failed

regards


--
Slavko
https://www.slavino.sk/

Re: Tackling Bot Blasts [ In reply to ]
Hi Slavko!

On Mon, 29 May 2023, Slavko via Exim-users wrote:

> Anyway, that must be enough:
>
> condition = $host_lookup_failed

or:

!verify = reverse_host_lookup

ciao
Markus
--
/ Markus Reschke \
\ madires@theca-tabellaria.de /


Re: Tackling Bot Blasts [ In reply to ]
On 2023-05-29 18:36:18, Odhiambo Washington wrote:
> On Mon, May 29, 2023 at 4:23 PM Pete Long via Exim-users <
> exim-users@lists.exim.org> wrote:
>
> > acl_check_rcpt:
> >
> > drop
> > message = No host name found.
> > condition = ${if eq{$host_lookup_failed} {1} {1}{0}}
> >
>
> How about if you did the above in acl_check_connect instead of
> acl_check_rcpt??
>
> And only the below in acl_check_rcpt ?
>
> > drop message = Too many bad recipients.
> > condition = ${if and
> > {{>{$rcpt_count}{2}}{>{${eval:$rcpt_count-$recipients_count}}{2}}}{yes}{no}}
> >
>
> Maybe you'd save some CPU cycles?

Hmm. I didn't consider expense, so that's a good point.

Below is my only acl_smtp_connect ACL.


[...]


acl_smtp_connect = acl_hosts_control


[...]


begin acl


acl_hosts_control:
  accept !hosts = /etc/exim4/host_reject
         endpass



Pete.
Re: Tackling Bot Blasts [ In reply to ]
On Mon, May 29, 2023 at 10:01:56AM +0100, Pete Long via Exim-users wrote:

> After trying several ACLs and even inviting IPTables to the party at
> one stage, I still seemed powerless to prevent mainlog filling up
> with an inordinate amount of crap; that is until this morning.

Once I tried iptables together with the drop and edrop lists from
spamhaus. But I think all those are already dropped by my upstream
router anyway.

Re log noise:

- log_reject_target can be your friend

- some logs are just wrongly going to main IMO, I have patch(es) to
change that

--
Ian

Re: Tackling Bot Blasts [ In reply to ]
On 2023-05-29 16:24:36, Slavko via Exim-users wrote:
> On 29 May 2023 at 9:01:56 UTC, Pete Long via Exim-users <exim-users@lists.exim.org> wrote:
>
> >drop
> > message = No host name found.
> > condition = ${if eq{$host_lookup_failed} {1} {1}{0}}
>
> Beware, host lookup is done by forward confirmation,
> in other words, PTR followed by A/AAAA lookup. That
> variable has 1 if any from them fails, not only the PTR
> one... IMO too strict for real world...
>
> Anyway, that must be enough:
>
> condition = $host_lookup_failed

Thanks, Slavko, for the information about the condition. I tend to agree: too
idealistic, but man, did I have enough of that abuse.

I should've remembered: never let the bad 'guys' dictate how you want to live
(or run a mail server). :)


Pete.
Re: Tackling Bot Blasts [ In reply to ]
On 2023-05-29 10:34:14, Ian Z via Exim-users wrote:
> On Mon, May 29, 2023 at 10:01:56AM +0100, Pete Long via Exim-users wrote:
>
> > After trying several ACLs and even inviting IPTables to the party at
> > one stage, I still seemed powerless to prevent mainlog filling up
> > with an inordinate amount of crap; that is until this morning.
>
> Once I tried iptables together with the drop and edrop lists from
> spamhaus. But I think all those are already dropped by my upstream
> router anyway.
>
> Re log noise:
>
> - log_reject_target can be your friend

Thanks Ian, I'll check that one out.


Pete.
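Pulling the thread's suggestions together (Odhiambo's move of the hostname check into the connect ACL, Slavko's direct use of $host_lookup_failed, Markus's verify form, Ian's log_reject_target), here is an assembled Exim configuration fragment. It is an added example, not any poster's actual configuration; the ACL names, the +relay_from_hosts hostlist and the host_lookup setting are assumptions.

```exim
# Added example assembled from this thread; not any poster's real config.

# Reverse-then-forward lookup for every connecting host. Without a matching
# host_lookup, $host_lookup_failed is never set (assumed to be in the main section).
host_lookup = *

# Ian's tip: write ACL rejections to the reject log only, so mainlog stays
# readable. The default is "main reject", i.e. both logs.
log_reject_target = reject

acl_smtp_connect = acl_check_connect
acl_smtp_rcpt    = acl_check_rcpt

begin acl

acl_check_connect:
  # Our own relays skip the lookup check (hostlist name assumed).
  accept  hosts = +relay_from_hosts

  # Odhiambo: test the hostname once per connection instead of once per RCPT.
  # Slavko: $host_lookup_failed already expands to "1" or "0", which
  # "condition" accepts directly. It is also 1 when the PTR exists but the
  # forward A/AAAA check disagrees, so this is deliberately strict.
  # "drop" closes the connection instead of answering 550 and staying open.
  drop    message   = No host name found.
          condition = $host_lookup_failed

  # Markus: the same test as a verify condition (commented out; pick one).
  # drop  message = No host name found.
  #       !verify = reverse_host_lookup

  # A connect ACL that reaches its end without a matching accept denies, so
  # finish with an explicit accept for everything else.
  accept

acl_check_rcpt:
  # Pete's guard. In this ACL $rcpt_count includes the current RCPT and
  # $recipients_count holds only accepted ones, so the difference is the
  # number of rejected or deferred recipients plus one. Exim also provides
  # $rcpt_fail_count if a direct count of permanent rejections is preferred.
  drop    message   = Too many bad recipients.
          condition = ${if and {{>{$rcpt_count}{2}}{>{${eval:$rcpt_count-$recipients_count}}{2}}}{yes}{no}}

  # The usual local-domain and relay checks go here (omitted in this example).
  accept
```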