If you use :blackhole: then exim accepts the email, processes it through all your RBLs and other assorted rules you have - then deletes it.
Michael
The Dictionary Attack ACL you mentioned will only be effective if you have your Default Addresses set to :fail: and you have the recipient check (which you should since it's been in the cPanel default configuration for months now). Using it should definitely not increase server load, quite the contrary, since mail will be stopped at the RCPT.
However, there is a major flaw in that ACL and the like, since most put in a delay which on a badly attacked server will cause an effective DOS on exim because you'll soon use all your child processes up with waiting exim processes. If you remove this line, that will be prevented:
delay = ${eval:30*$rcpt_fail_count}s
The disadvantage of removing the line, is that the attacker will often reconnect and try again straight away. My experience has shown that many do, but enough don't to make a significant difference.
I'm actually working on a far better ACL which stores dictionary attack IPs and allows you to either block them at the MTA or iptables firewall. I'll post a link in the Addons forum when it's ready.
Jonathan Michaelson
Need your cPanel servers secured and tuned?
cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
Well I'm interested in seeing that; for me blocking at the MTA is enough, I don't like blocking completely (i.e. all services via firewall).
Michael
Thank you guys for helping me and getting me out of this trouble.
And also thanks chirpy for clearing my doubts.
Chirpy, take a look at this ACL by Alan J. Flavell:
http://article.gmane.org/gmane.mail.exim.user/19366
The only problem is that it also blocks legitimate users who:
a) don't authenticate, and
b) forget to do pop before smtp auth
before sending an email to multiple recipients, so a fix for that should be found (I haven't put a lot of thought into it, but I guess it should be easy).
That's very close indeed to what I've developed, except I don't do the delays and I do check the file for duplicates so it doesn't get too big. I am using different criteria and have not had any complaints about people getting themselves blocked as yet.
I'll put up a web page shortly on how to implement it.
Jonathan Michaelson
Here it is:
http://www.configserver.com/free/eximdeny.html
Last edited by chirpy; 01-29-2005 at 12:06 PM.
Jonathan Michaelson
That looks very simple and elegant, nice solution.
I may amend that script to allow cron to remove IP's after a week or so. That'll stop the file from becoming too big.
Last edited by rs-freddo; 08-16-2004 at 05:59 PM.
Michael
Chirpy, I set up your deny list; however, now all we get are 550 Admin Prohibition errors when sending emails. The minute I remove the accept hosts line, exim starts working again. Any ideas?
Hi,
I would guess that you probably deleted a valid line or a blank line by mistake. Blank lines in exim.conf can be very important. Make sure that after adding the ACL, the top of the middle box in the first set of 3 in the Exim Configuration Editor looks like this:
Code:
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :

  # Hosts already recorded in the deny file are dropped straight away
  drop    hosts = /etc/exim_deny
          message = Connection denied after dictionary attack
          log_message = Connection denied from $sender_host_address after dictionary attack

  # More than 3 failed recipients in this session: record the host and drop it
  drop    message = Appears to be a dictionary attack
          log_message = Dictionary attack (after $rcpt_fail_count failures)
          condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
          condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
          !verify = recipient

  # Accept bounces to lists even if callbacks or other checks would fail
Jonathan Michaelson
I know what happened: I removed the accept statement. It was my fault. I was trying to find this post but couldn't, lol. Thanks Chirpy, that script is working like a charm!
Thank you Jonathan; the script really worked!
cPanel Certified Specialist
http://www.admin-ahead.com
https://ticketforge.com
AIM: tux image Skype: admin-ahead
We have a customer that gets about 500,000 spams a day dictionary attack-style. I implemented this dictionary rule and it seemed to work at first, but now after only a few days there are over 100,000 IP's in the deny_exim file and the load gets up to 50.0. What to do now??
pphillips, if I were you, I would implement RBL and HELO testing to reduce the IPs being listed in the deny_exim file.
RVSkin, a great experience for you, resellers and clients!
http://www.RVSkin.com - The Most Intelligent Cpanel Skin, 23 Languages included.
http://www.RVSiteBuilder.com - Website Builder for Hosting Provider.
http://www.cPanelLicense.com - External cPanel License.
No, adding an RBL would increase load, not decrease it compared to a dictionary attack ACL because of the additional burden of the DNS lookups. Any RBL lookups should always be done after the dictionary attack ACL.
pphillips, did you implement an hourly or daily cron, as instructed on the web page, to clear down the exim_deny file? If you don't do that your load will increase. The idea is to stop the attacks while they're happening and then to remove the IP address once it has stopped.
Jonathan Michaelson
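As an added example (not the page's code and not configserver.com's exim_deny.pl), the script below maintains the host list that the ACL's "drop hosts = /etc/exim_deny" reads, doing the duplicate check chirpy describes in his earlier post and the time-based expiry behind the hourly/daily cron clear-down he refers to above. The sidecar timestamp file, the function names and a wrapper that passes $sender_host_address to record_attacker are assumptions.

```python
import ipaddress
import os
import time

# Added example, not the configserver.com exim_deny.pl script: maintains the
# host-list file the ACL reads with "drop hosts = /etc/exim_deny", suppressing
# duplicates and expiring old entries for the cron clear-down. Exim host-list
# files hold one host per line (blank and "#" lines ignored), so first-seen
# timestamps live in a sidecar file (its path is an assumption).

def _load(times_path):
    """Return {ip: first_seen_epoch} from the sidecar file; missing file -> {}."""
    entries = {}
    if os.path.exists(times_path):
        with open(times_path) as fh:
            for line in fh:
                parts = line.split()
                if len(parts) == 2:
                    entries[parts[0]] = int(parts[1])
    return entries

def _save(deny_path, times_path, entries):
    """Rewrite both files via rename so Exim never reads a half-written list."""
    deny = "".join(f"{ip}\n" for ip in sorted(entries))
    times = "".join(f"{ip} {ts}\n" for ip, ts in sorted(entries.items()))
    for path, body in ((deny_path, deny), (times_path, times)):
        with open(path + ".tmp", "w") as fh:
            fh.write(body)
        os.replace(path + ".tmp", path)

def record_attacker(deny_path, times_path, ip, now=None):
    """Run from the ACL's ${run ...} condition; True only when ip is newly listed."""
    try:
        ip = str(ipaddress.ip_address(ip))  # reject garbage, normalise the text
    except ValueError:
        return False
    entries = _load(times_path)
    if ip in entries:  # duplicate: the file does not grow
        return False
    entries[ip] = int(now if now is not None else time.time())
    _save(deny_path, times_path, entries)
    return True

def expire(deny_path, times_path, max_age_s, now=None):
    """Hourly/daily cron job: drop entries older than max_age_s; returns count removed."""
    now = int(now if now is not None else time.time())
    entries = _load(times_path)
    kept = {ip: ts for ip, ts in entries.items() if now - ts < max_age_s}
    _save(deny_path, times_path, kept)
    return len(entries) - len(kept)
```

Keeping the deny file small through expiry is what prevents the load growth pphillips saw with 100,000 entries, since Exim re-reads the list for every connection.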