Exim attack - "no IP address found for host" - causing high cpu load

nat

Well-Known Member
Jan 16, 2003
210
0
166
-------------

a few seconds in /var/log/exim_mainlog

2005-02-06 11:23:57 no IP address found for host 2835.216.255.60 (during SMTP connection from (host58-136.pool8249.interbusiness.it) [82.49.136.58])
2005-02-06 11:23:57 no IP address found for host 2835.216.255.60 (during SMTP connection from (0x50a141c8.boanxx14.adsl-dhcp.tele.dk) [80.161.65.200])
2005-02-06 11:23:58 no IP address found for host 2835.216.255.60 (during SMTP connection from (word.it) [220.81.103.208])
2005-02-06 11:23:59 no IP address found for host 2835.216.255.60 (during SMTP connection from h0040d00b712b.ne.client2.attbi.com [66.30.87.143])
2005-02-06 11:24:00 no IP address found for host 2835.216.255.60 (during SMTP connection from (69.72.194.186) [220.84.194.27])
2005-02-06 11:24:00 no IP address found for host 2835.216.255.60 (during SMTP connection from ppp-61.90.27.32.revip.asianet.co.th [61.90.27.32])
2005-02-06 11:24:01 no IP address found for host 2835.216.255.60 (during SMTP connection from (mail.biglaketransport.com) [65.69.37.250])
2005-02-06 11:24:02 no IP address found for host 2835.216.255.60 (during SMTP connection from (pcp01102026pcs.pntiac01.mi.comcast.net) [68.61.236.68])

-------------

CPU usage over 24 hour time period.

mailnull 87.97 4.36 0.0
Top Process %CPU 91.5 /usr/sbin/exim -bd -q60m
Top Process %CPU 91.0 /usr/sbin/exim -bd -q60m
Top Process %CPU 79.8 /usr/sbin/exim -bd -q60m

There are only 82 e-mails in queue and have deleted them.

-------------


1. I have already setup the dictionary attack acl. http://www.configserver.com/free/eximdeny.html

1b. Since the dictionary attack acl does not catch this, i did this to add the ips to /etc/exim_deny:

tail -f /var/log/exim_mainlog | grep --line-buffered "no IP address found for host" | grep --line-buffered -P "\d+\.\d+\.\d+\.\d+" -o >> /etc/exim_deny &

2. I also use the following RBL's:

dnslists = brazil.blackholes.us : \
malaysia.blackholes.us : \
china.blackholes.us : \
sbl-xbl.spamhaus.org : \
bl.spamcop.net : \
relays.ordb.org : \
cbl.abuseat.org : \
blackholes.mail-abuse.org : \
spam.dnsrbl.net : \
opm.blitzed.org

3. I have also removed the rbl's and dictional attack acl from exim to see if that help. (it didn't so I added them back and they are working)

My load has exceeded 40.


Any ideas?
 
Last edited:

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,466
31
473
Go on, have a guess
That's pretty odd. Do you have any added EHLO/HELO checking in your ACL's in exim.conf?

I'm wondering if the domain name 2835.216.255.60 is confusing exim because it thinks it is an IP address (which of course it isn't).

It might be possible to use the following before where you would have put the dictionary attack ACL:

Code:
 deny message = Rejected
         hosts = 2835.216.255.60

 deny message = Rejected
         domains = 2835.216.255.60
Might need tweaking. Feel free to PM me if you'd like free hands-on help.