How do I stop a box from getting flooded with emails? (I tried :blackhole:)

AbeFroman

BANNED
Feb 16, 2002
644
1
318
How do I stop a box from getting flooded with emails?

I have a domain that has received over 18,000 emails in an hour.

What is the easiest way to stop these emails from coming in? They are getting stuck in the mail queue and increasing /var exponentially.
 

AbeFroman
Thanks, but it doesn't seem to be blocking the dictionary attack. Got any tips?
[email protected] [/var/log]# tail -f exim_mainlog | grep unitedamericans\.com
2004-08-02 11:29:00 H=(namip.ru) [195.230.75.130] F=<> rejected RCPT <[email protected]>: (namip.ru) [195.230.75.130] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:00 H=ns.sprint-v.com.ru [81.22.0.3] F=<> rejected RCPT <[email protected]>: ns.sprint-v.com.ru [81.22.0.3] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:00 H=hunter.resume-bank.ru (resume-bank.ru) [62.118.252.51] F=<> rejected RCPT <[email protected]>: hunter.resume-bank.ru (resume-bank.ru) [62.118.252.51] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:01 H=ns.sprint-v.com.ru [81.22.0.3] F=<> rejected RCPT <[email protected]>: ns.sprint-v.com.ru [81.22.0.3] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:01 H=he104war.uk.vianw.net [195.102.244.135] F=<> rejected RCPT <[email protected]>: he104war.uk.vianw.net [195.102.244.135] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:01 H=ns2.caravan.ru [217.23.142.1] F=<> rejected RCPT <[email protected]s.com>: ns2.caravan.ru [217.23.142.1] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:02 H=(namip.ru) [195.230.75.130] F=<> rejected RCPT <[email protected]>: (namip.ru) [195.230.75.130] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:04 H=(namip.ru) [195.230.75.130] F=<> rejected RCPT <[email protected]>: (namip.ru) [195.230.75.130] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:05 H=smtp2.easydns.com (rack5.easydns.com) [205.210.42.53] F=<> rejected RCPT <[email protected]>: smtp2.easydns.com (rack5.easydns.com) [205.210.42.53] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:05 H=(namip.ru) [195.230.75.130] F=<> rejected RCPT <[email protected]>: (namip.ru) [195.230.75.130] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:09 H=voip.solaris.ru [194.85.25.5] F=<> rejected RCPT <[email protected]>: voip.solaris.ru [194.85.25.5] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:09 H=uven.ru [62.76.35.173] F=<> rejected RCPT <[email protected]>: uven.ru [62.76.35.173] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:10 H=(namip.ru) [195.230.75.130] F=<> rejected RCPT <[email protected]>: (namip.ru) [195.230.75.130] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:10 H=mx1.pol.ru (pol.ru) [217.23.130.3] F=<> rejected RCPT <[email protected]>: mx1.pol.ru (pol.ru) [217.23.130.3] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:10 H=(mona.myownemail.com) [65.198.177.209] F=<> rejected RCPT <[email protected]>: (mona.myownemail.com) [65.198.177.209] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:10 H=(namip.ru) [195.230.75.130] F=<> rejected RCPT <[email protected]>: (namip.ru) [195.230.75.130] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:11 H=(namip.ru) [195.230.75.130] F=<> rejected RCPT <[email protected]>: (namip.ru) [195.230.75.130] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
 

AbeFroman
What should the default email be set to, to get this to work?
username ?
:fail: ?
:blackhole: ?
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,437
32
473
Go on, have a guess
What you've posted are attempts to relay through your server, not deliver to it. Exim is working correctly and telling the sender that they haven't been authorised to relay. There's nothing more you can do, except block their IP address in your firewall.
 

AbeFroman
Now I am getting the following. What does the ** mean? How do I get it to show "Dictionnary attack (x failed probes). Dropping connection!" like it says on http://linux.cvf.net/cp_eximrules.html:
2004-08-02 11:54:06 1BrdWq-0004nX-ER ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 1Brfry-0006c9-Rt ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 1BrdX4-0005VH-5p ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 1BrdWo-0004nX-V7 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 1BrdWr-0004nX-Tb ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 1BrdWm-0004nX-SE ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 1BrdWm-0005GX-9u ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 1BrdWj-0004nX-C2 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 H=(nti-msx1.NetTechInc.net) [64.122.3.58] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:07 1BrdWi-0005GX-1f ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 1BrdWg-0004nX-Vc ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 1BrdWf-0004nX-Mn ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 1BrdWa-0004nX-UT ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 1BrdWc-0004nX-QG ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 1BrdWZ-0004nX-Vq ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 H=(cgp.dol.ru) [194.87.5.78] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:07 H=(summer.cbr.ryazan.su) [212.26.227.30] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:07 1BrdWX-0004nX-Kb ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 1BrdgB-0007x6-Mf ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 1BrdWW-0004nX-BY ** [email protected] R=virtual_aliases:
2004-08-02 11:54:08 H=(rocket.naverex.net) [213.169.64.107] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:08 1BrdWV-0004nX-HB ** [email protected] R=virtual_aliases:
2004-08-02 11:54:08 1BrdWR-0004nX-V3 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:08 1BrdgQ-0000CM-7M ** [email protected] R=virtual_aliases:
2004-08-02 11:54:08 1BrdWR-0004nX-Cp ** [email protected] R=virtual_aliases:
2004-08-02 11:54:08 1BrdWO-0004nX-Ef ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 H=(cgp.dol.ru) [194.87.5.78] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:09 1BrdWP-0004nX-VW ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 H=(ice.kirov.ru) [217.9.147.42] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:09 1BrdWP-0004nX-Hf ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1Brdg9-0007x6-MF ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 H=(amber.rsu.ru) [195.208.252.10] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:09 1BrdgD-0007x6-Q7 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1Brdg1-0007x6-Ev ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1BrdgG-0000CM-Cz ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1BrdWG-0004yc-Ne ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1BrdWG-000573-21 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1BrdWK-0004yc-9n ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1Brdg8-00008Y-Q6 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 H=(aaa09.gavs.ru) [212.45.13.107] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:09 1BrdWF-00058r-Az ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1Brdg8-0007x6-Du ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1BrdWC-0004nX-Q5 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1BrdWD-0004nX-K2 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1Brdfy-0007x6-RO ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1Brdfx-0007x6-Cz ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 H=(ice.kirov.ru) [217.9.147.42] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:10 1BrdWB-0004nX-3b ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1Brdg3-0007x6-E3 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1BrdW9-0004nX-Eh ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1Brdfv-0007x6-6V ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1Brdfq-0007x6-9E ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1Brdg0-0007x6-5o ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1BrdW3-0004nX-Uk ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 H=(mx.nsu.ru) [212.192.164.5] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:10 1Brdft-0007x6-84 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1BrdW2-0004nX-Aw ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1BrdVx-0004nX-VO ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1Brdfm-0007x6-5f ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1Brdfk-0007x6-Pk ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1BrdVu-0004nX-Tl ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1Brdfn-0007x6-Dt ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1BrdVv-0004nX-Cu ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1BrdfX-0007x6-JU ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1BrdVs-0004nX-PH ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 H=(twin1.cbr.ru) [212.40.192.42] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:11 1BrdVs-0004nX-Dc ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1BrdVq-0004nX-FK ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1BrdVo-0004zy-U1 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:12 1Brdec-00080E-IC ** [email protected] R=virtual_aliases:
2004-08-02 11:54:12 1BrdeZ-00080E-Qj ** [email protected] R=virtual_aliases:
2004-08-02 11:54:12 1BrdVl-0004nX-6n ** [email protected] R=virtual_aliases:
2004-08-02 11:54:12 1Brdeg-00080E-4X ** [email protected] R=virtual_aliases:
2004-08-02 11:54:12 1BrdVh-0004nX-U8 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:12 H=(ice.kirov.ru) [217.9.147.42] F=<> rejected RCPT <[email protected]>:
 

AbeFroman
Is it supposed to be writing to hostrejectrcpt? Those files aren't changing:
[email protected] [/etc/exim/acls]# ll
total 20
drwxr-xr-x 2 root root 4096 Aug 2 11:49 ./
drwxr-xr-x 3 root root 4096 Aug 2 11:05 ../
-rw-r--r-- 1 root root 295 Aug 2 11:51 denyenvsenders
-rw-r--r-- 1 root root 81 Aug 2 11:53 destwhitelist
-rw-r--r-- 1 root root 588 Aug 2 11:53 hostrejectrcpt
 

AbeFroman
It seems like this line is the one that is supposed to stop it....
# How many bad receipients must fail before we drop the connection?
# Leave it at default 3 unless you have a very good reason to change it.
ALLOWEDRCPTFAIL=3
but I don't see where it writes the IPs to block to this file:
/etc/exim/acls/hostrejectrcpt

Got any tips? Or do you know of another way to block such an attack?
 

casey

Well-Known Member
Jan 17, 2003
2,288
0
191
dgbaker said:
Has this worked for you? We have it as well but it never seemed to have worked.
Yes, it's working great for me and blocking dictionary attacks left and right.
 

casey
AbeFroman said:
Is it supposed to be writing to hostrejectrcpt? Those files aren't changing:
[email protected] [/etc/exim/acls]# ll
total 20
drwxr-xr-x 2 root root 4096 Aug 2 11:49 ./
drwxr-xr-x 3 root root 4096 Aug 2 11:05 ../
-rw-r--r-- 1 root root 295 Aug 2 11:51 denyenvsenders
-rw-r--r-- 1 root root 81 Aug 2 11:53 destwhitelist
-rw-r--r-- 1 root root 588 Aug 2 11:53 hostrejectrcpt
You put what you want in there manually.
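As an added example (not from this thread, and not part of the cvf ruleset), here is a Python script that parses lines in the exim_mainlog format shown above, separates refused relay attempts (rejected RCPT) from Exim's ** failed-delivery entries, and lists the source IPs whose rejected RCPT count exceeds the ALLOWEDRCPTFAIL value of 3, as candidates for manual entry into /etc/exim/acls/hostrejectrcpt. Assumptions: the sample log is constructed with placeholder hosts and addresses, and counts are aggregated per IP over the whole excerpt rather than per SMTP connection as the ruleset does.

```python
import re
from collections import Counter

# Constructed sample in the exim_mainlog format quoted in this thread
# (hostnames, IPs and addresses are made-up placeholders).
SAMPLE_LOG = """\
2004-08-02 11:29:00 H=(relay1.example) [192.0.2.10] F=<> rejected RCPT <a@example.com>: (relay1.example) [192.0.2.10] is currently not permitted to relay through this server.
2004-08-02 11:29:00 H=mx.example.net [198.51.100.3] F=<> rejected RCPT <b@example.com>: mx.example.net [198.51.100.3] is currently not permitted to relay through this server.
2004-08-02 11:29:01 H=(relay1.example) [192.0.2.10] F=<> rejected RCPT <c@example.com>: (relay1.example) [192.0.2.10] is currently not permitted to relay through this server.
2004-08-02 11:29:02 H=(relay1.example) [192.0.2.10] F=<> rejected RCPT <d@example.com>: (relay1.example) [192.0.2.10] is currently not permitted to relay through this server.
2004-08-02 11:29:03 H=(relay1.example) [192.0.2.10] F=<> rejected RCPT <e@example.com>: (relay1.example) [192.0.2.10] is currently not permitted to relay through this server.
2004-08-02 11:54:06 1BrdWq-0004nX-ER ** nosuchuser@example.com R=virtual_aliases:
2004-08-02 11:54:06 1Brfry-0006c9-Rt ** other@example.com R=virtual_aliases:
"""

# H= is followed by a hostname, a "(helo)" name, or both; the first [...] is the peer IP.
REJECTED_RCPT = re.compile(r"H=[^\[]*\[(?P<ip>[\d.]+)\] F=<[^>]*> rejected RCPT")
# "**" is Exim's main-log flag for a delivery that failed permanently (bounced);
# R= names the router that handled the address.
FAILED_DELIVERY = re.compile(r"^\S+ \S+ \S+ \*\* (?P<addr>\S+) R=(?P<router>[^:\s]+)")


def classify(line):
    """Return ("relay_reject", ip), ("delivery_failed", addr) or None."""
    m = REJECTED_RCPT.search(line)
    if m:
        return ("relay_reject", m.group("ip"))
    m = FAILED_DELIVERY.match(line)
    if m:
        return ("delivery_failed", m.group("addr"))
    return None


def rejected_rcpt_counts(log_text):
    """Count refused relay attempts per source IP over the excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        kind, value = classify(line) or (None, None)
        if kind == "relay_reject":
            counts[value] += 1
    return counts


def hosts_over_threshold(log_text, allowed_rcpt_fail=3):
    """IPs with more than ALLOWEDRCPTFAIL rejected RCPTs, one per line
    being the format a hand-maintained hostrejectrcpt list would take."""
    return sorted(ip for ip, n in rejected_rcpt_counts(log_text).items()
                  if n > allowed_rcpt_fail)


if __name__ == "__main__":
    print("\n".join(hosts_over_threshold(SAMPLE_LOG)))
```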
 

AbeFroman
Casey, where does it put the IPs it blocks in the dictionary attack?

Got any tips for us?

What does the default address have to be set as?

Are you running Exim 4.34?

Would you be so kind as to post a copy of your /etc/exim.conf file here?