Exim attack - "no IP address found for host" - causing high cpu load

nat

-------------

A few seconds in /var/log/exim_mainlog:

2005-02-06 11:23:57 no IP address found for host 2835.216.255.60 (during SMTP connection from (host58-136.pool8249.interbusiness.it) [82.49.136.58])
2005-02-06 11:23:57 no IP address found for host 2835.216.255.60 (during SMTP connection from (0x50a141c8.boanxx14.adsl-dhcp.tele.dk) [80.161.65.200])
2005-02-06 11:23:58 no IP address found for host 2835.216.255.60 (during SMTP connection from (word.it) [220.81.103.208])
2005-02-06 11:23:59 no IP address found for host 2835.216.255.60 (during SMTP connection from h0040d00b712b.ne.client2.attbi.com [66.30.87.143])
2005-02-06 11:24:00 no IP address found for host 2835.216.255.60 (during SMTP connection from (69.72.194.186) [220.84.194.27])
2005-02-06 11:24:00 no IP address found for host 2835.216.255.60 (during SMTP connection from ppp-61.90.27.32.revip.asianet.co.th [61.90.27.32])
2005-02-06 11:24:01 no IP address found for host 2835.216.255.60 (during SMTP connection from (mail.biglaketransport.com) [65.69.37.250])
2005-02-06 11:24:02 no IP address found for host 2835.216.255.60 (during SMTP connection from (pcp01102026pcs.pntiac01.mi.comcast.net) [68.61.236.68])

-------------

CPU usage over a 24 hour time period.

mailnull 87.97 4.36 0.0
Top Process %CPU 91.5 /usr/sbin/exim -bd -q60m
Top Process %CPU 91.0 /usr/sbin/exim -bd -q60m
Top Process %CPU 79.8 /usr/sbin/exim -bd -q60m

There were only 82 e-mails in the queue and I have deleted them.

-------------


1. I have already set up the dictionary attack ACL. http://www.configserver.com/free/eximdeny.html

1b. Since the dictionary attack ACL does not catch this, I did this to add the IPs to /etc/exim_deny:

# extract only the connecting client's address in square brackets, not the bogus host name (2835.216.255.60) that also appears on every line
tail -f /var/log/exim_mainlog | grep --line-buffered "no IP address found for host" | grep --line-buffered -oP '\[\K\d+\.\d+\.\d+\.\d+(?=\])' >> /etc/exim_deny &

2. I also use the following RBLs:

dnslists = brazil.blackholes.us : \
           malaysia.blackholes.us : \
           china.blackholes.us : \
           sbl-xbl.spamhaus.org : \
           bl.spamcop.net : \
           relays.ordb.org : \
           cbl.abuseat.org : \
           blackholes.mail-abuse.org : \
           spam.dnsrbl.net : \
           opm.blitzed.org

3. I have also removed the RBLs and the dictionary attack ACL from Exim to see if that helps (it didn't, so I added them back and they are working).

My load has exceeded 40.


Any ideas?
 
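As an added example (not code from the post, from cPanel or from Exim), here is a small Python parser for the log line format quoted above. It takes the connecting client's bracketed address from the end of each line rather than the first dotted quad, which on these lines is the unresolvable name 2835.216.255.60 and not a client at all; it checks whether that name is even a well-formed IPv4 address; and it counts events per client so that a threshold, rather than a single hit, decides what becomes a deny-list candidate. The sample lines, the threshold and the function names are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Sample input, constructed for this example: the first four lines follow the
# shape of the ones quoted in the post, the fifth is a constructed repeat from
# the same client, and the sixth is a constructed unrelated delivery line that
# the parser must ignore.
SAMPLE_LOG = """\
2005-02-06 11:23:57 no IP address found for host 2835.216.255.60 (during SMTP connection from (host58-136.pool8249.interbusiness.it) [82.49.136.58])
2005-02-06 11:23:57 no IP address found for host 2835.216.255.60 (during SMTP connection from (0x50a141c8.boanxx14.adsl-dhcp.tele.dk) [80.161.65.200])
2005-02-06 11:23:59 no IP address found for host 2835.216.255.60 (during SMTP connection from ppp-61.90.27.32.revip.asianet.co.th [61.90.27.32])
2005-02-06 11:24:00 no IP address found for host 2835.216.255.60 (during SMTP connection from (69.72.194.186) [220.84.194.27])
2005-02-06 11:24:05 no IP address found for host 2835.216.255.60 (during SMTP connection from (69.72.194.186) [220.84.194.27])
2005-02-06 11:24:06 1CxyzA-0001Ab-Cd <= sender@example.com H=mail.example.net [198.51.100.7] P=esmtp S=1234
"""

# One "no IP address found for host" line: timestamp, the name Exim could not
# resolve, and the connecting client's address in square brackets at the end.
# The lazy ".*?" skips the optional parenthesised reverse name, which may itself
# contain a dotted quad, so only the bracketed address is captured as "ip".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"no IP address found for host (?P<host>\S+) "
    r"\(during SMTP connection from .*?\[(?P<ip>[0-9a-fA-F.:]+)\]\)$"
)


def parse_line(line):
    """Return (timestamp, unresolved_host, client_ip), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("host"), m.group("ip")


def looks_like_ipv4(text):
    """True only for a well-formed dotted quad (every octet 0-255)."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def summarize(log_text):
    """Count events per connecting client and per name that failed to resolve."""
    hits = Counter()          # client IP -> number of failed-lookup events
    bogus_hosts = Counter()   # unresolvable name -> number of times seen
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, host, ip = parsed
        hits[ip] += 1
        if not looks_like_ipv4(host):
            bogus_hosts[host] += 1
    return hits, bogus_hosts


def deny_candidates(hits, threshold=2):
    """Clients with at least `threshold` events, sorted, ready for review."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    hits, bogus = summarize(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip:16} {n:4d}")
    for host, n in bogus.most_common():
        print(f"unresolvable host {host} seen {n} times; valid IPv4? {looks_like_ipv4(host)}")
    print("deny candidates:", deny_candidates(hits))
```

Against a live server the same functions can be run over the real file with `summarize(open("/var/log/exim_mainlog").read())`; the threshold keeps a single misconfigured sender from being blocked on one bad lookup, and the per-host counter makes it obvious when every event shares the same malformed name.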

chirpy

That's pretty odd. Do you have any added EHLO/HELO checking in your ACLs in exim.conf?

I'm wondering if the domain name 2835.216.255.60 is confusing exim because it thinks it is an IP address (which of course it isn't).

It might be possible to use the following before where you would have put the dictionary attack ACL:

Code:
deny message = Rejected
     hosts = 2835.216.255.60

deny message = Rejected
     domains = 2835.216.255.60

Might need tweaking. Feel free to PM me if you'd like free hands-on help.