  1. #1
    Member
    Join Date
    Jul 2004
    Posts
    95

    New Kind of Mail Attack? My load goes to 300 tonight

    Hi,

    Tonight I had a surprise with my cellphone receiving a notification from my server with high load, so, after 10 minutes, I could SSH into it, stop all services and see the trouble:

    Take a look at a little part of my /var/log/exim_mainlog

    2006-01-21 09:22:38 1F0GpJ-0007kf-2w H=(alex) [201.40.9.66]:50201 I=[70.86.232.42]:25 F=<leal@emtursa.com.br> rejected after DATA: Spam score too high (28.3)
    2006-01-21 09:22:38 SMTP connection from [201.40.9.66]:50229 I=[70.86.232.42]:25 (TCP/IP connection count = 33)
    2006-01-21 09:22:48 SMTP connection from [201.40.9.66]:50291 I=[70.86.232.42]:25 (TCP/IP connection count = 34)
    2006-01-21 09:22:49 SMTP command timeout on connection from (alex) [201.40.9.66]:50035 I=[70.86.232.42]:25
    2006-01-21 09:22:51 SMTP command timeout on connection from (alex) [201.40.9.66]:50170 I=[70.86.232.42]:25
    2006-01-21 09:22:51 SMTP command timeout on connection from (alex) [201.40.9.66]:50118 I=[70.86.232.42]:25
    2006-01-21 09:23:00 SMTP command timeout on connection from (alex) [201.40.9.66]:50288 I=[70.86.232.42]:25
    2006-01-21 09:23:05 SMTP connection from [201.40.9.66]:50434 I=[70.86.232.42]:25 (TCP/IP connection count = 30)
    2006-01-21 09:23:08 SMTP connection from [201.40.9.66]:50478 I=[70.86.232.42]:25 (TCP/IP connection count = 31)
    2006-01-21 09:23:10 1F0Gpp-000077-4Q H=(alex) [201.40.9.66]:50434 I=[70.86.232.42]:25 F=<leal@emtursa.com.br> rejected after DATA: Spam score too high (28.3)
    2006-01-21 09:23:13 1F0Gpr-000077-QJ H=(alex) [201.40.9.66]:50434 I=[70.86.232.42]:25 F=<leal@emtursa.com.br> rejected after DATA: Spam score too high (28.3)
    2006-01-21 09:23:13 1F0Gps-0007Ou-6E H=(alex) [201.40.9.66]:50478 I=[70.86.232.42]:25 F=<leal@emtursa.com.br> rejected after DATA: Spam score too high (28.3)
    2006-01-21 09:23:14 SMTP command timeout on connection from (alex) [201.40.9.66]:50339 I=[70.86.232.42]:25
    root@matrix [~]# cat /var/log/exim_mainlog |grep -c 201.40.9.66
    10512

    The only solution that I found was doing an apf -d 201.40.9.66

    I would like to know if there is some script to block this kind of attack automatically.

    I read about ratelimit in Exim 4.60; is anyone using it yet?

    Suggestions will be very appreciated.

    Thank you,

    André Marcelo
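
A sketch of the kind of script asked for above, as an added example that is not part of the original post: it counts connection, timeout and rejection events per remote address in a sliding time window and reports the hosts that exceed a threshold. The function name, the threshold of 5 events per 60 seconds and the exempt list are assumptions; the sample lines come from the excerpt above, plus one constructed line from 192.0.2.10.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sample input: lines from the excerpt above, plus one constructed line
# from 192.0.2.10 (a documentation address) standing in for a normal client.
SAMPLE_LOG = """\
2006-01-21 09:22:38 1F0GpJ-0007kf-2w H=(alex) [201.40.9.66]:50201 I=[70.86.232.42]:25 F=<leal@emtursa.com.br> rejected after DATA: Spam score too high (28.3)
2006-01-21 09:22:38 SMTP connection from [201.40.9.66]:50229 I=[70.86.232.42]:25 (TCP/IP connection count = 33)
2006-01-21 09:22:48 SMTP connection from [201.40.9.66]:50291 I=[70.86.232.42]:25 (TCP/IP connection count = 34)
2006-01-21 09:22:49 SMTP command timeout on connection from (alex) [201.40.9.66]:50035 I=[70.86.232.42]:25
2006-01-21 09:22:51 SMTP command timeout on connection from (alex) [201.40.9.66]:50170 I=[70.86.232.42]:25
2006-01-21 09:23:00 SMTP command timeout on connection from (alex) [201.40.9.66]:50288 I=[70.86.232.42]:25
2006-01-21 09:23:05 SMTP connection from [201.40.9.66]:50434 I=[70.86.232.42]:25 (TCP/IP connection count = 30)
2006-01-21 09:23:06 SMTP connection from [192.0.2.10]:40000 I=[70.86.232.42]:25 (TCP/IP connection count = 31)
"""

# Timestamp, then the remote address: the first [ip]:port followed by I=[...]
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\[([0-9.]+)\]:\d+ I=\[")
EVENTS = ("SMTP connection from", "SMTP command timeout", "rejected after DATA")

def find_flooders(lines, max_events=5, window=timedelta(seconds=60),
                  exempt=("127.0.0.1",)):
    """Return {ip: peak event count} for hosts exceeding max_events per window."""
    recent = defaultdict(deque)    # ip -> timestamps still inside the window
    peak = defaultdict(int)        # ip -> highest count seen in any window
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not any(e in line for e in EVENTS):
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        if ip in exempt:           # never flag local or trusted senders
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_events}

if __name__ == "__main__":
    for ip, n in find_flooders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} events within 60s; candidate for apf -d {ip}")
```
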

  2. #2
    chirpy, Super Moderator (forum account confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    In that situation, smtp_accept_max_per_host would probably help by only allowing X number of connections from any single IP address at a time. Coupling that with a dictionary attack ACL should bring it under control:
    http://www.configserver.com/free/eximdeny.html
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  3. #3
    Member
    Join Date
    Jul 2004
    Posts
    95

    Quote, originally posted by chirpy:
    In that situation, smtp_accept_max_per_host would probably help by only allowing X number of connections from any single IP address at a time. Coupling that with a dictionary attack ACL should bring it under control:
    http://www.configserver.com/free/eximdeny.html

    But in this case, if I set smtp_accept_max_per_host, will it affect localhost too? For example, will a customer sending to a mailing list be affected?

    Thanks.

  4. #4
    chirpy, Super Moderator (forum account confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    I've not played with it, so don't know if it also affects localhost
    Jonathan Michaelson

