How do I stop a box from getting flooded with emails? (I tried :blackhole:)

[AbeFroman]

How do I stop a box from getting flooded with emails?

I have a domain that has received over 18,000 emails in an hour.

What is the easiest way to stop these emails from coming in? They are getting stuck in the mail queue and increasing /var exponentially.

 

[casey]

http://linux.cvf.net/cp_eximrules.html

 

[AbeFroman]

Thanks, but it doesn't seem to be blocking the dictionary attack, got any tips:
[email protected] [/var/log]# tail -f exim_mainlog | grep unitedamericans\.com
2004-08-02 11:29:00 H=(namip.ru) [195.230.75.130] F=<> rejected RCPT <[email protected]>: (namip.ru) [195.230.75.130] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:00 H=ns.sprint-v.com.ru [81.22.0.3] F=<> rejected RCPT <[email protected]>: ns.sprint-v.com.ru [81.22.0.3] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:00 H=hunter.resume-bank.ru (resume-bank.ru) [62.118.252.51] F=<> rejected RCPT <[email protected]>: hunter.resume-bank.ru (resume-bank.ru) [62.118.252.51] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:01 H=ns.sprint-v.com.ru [81.22.0.3] F=<> rejected RCPT <[email protected]>: ns.sprint-v.com.ru [81.22.0.3] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:01 H=he104war.uk.vianw.net [195.102.244.135] F=<> rejected RCPT <[email protected]>: he104war.uk.vianw.net [195.102.244.135] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:01 H=ns2.caravan.ru [217.23.142.1] F=<> rejected RCPT <[email protected]>: ns2.caravan.ru [217.23.142.1] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:02 H=(namip.ru) [195.230.75.130] F=<> rejected RCPT <[email protected]>: (namip.ru) [195.230.75.130] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:04 H=(namip.ru) [195.230.75.130] F=<> rejected RCPT <[email protected]>: (namip.ru) [195.230.75.130] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:05 H=smtp2.easydns.com (rack5.easydns.com) [205.210.42.53] F=<> rejected RCPT <[email protected]>: smtp2.easydns.com (rack5.easydns.com) [205.210.42.53] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:05 H=(namip.ru) [195.230.75.130] F=<> rejected RCPT <[email protected]>: (namip.ru) [195.230.75.130] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:09 H=voip.solaris.ru [194.85.25.5] F=<> rejected RCPT <[email protected]>: voip.solaris.ru [194.85.25.5] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:09 H=uven.ru [62.76.35.173] F=<> rejected RCPT <[email protected]>: uven.ru [62.76.35.173] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:10 H=(namip.ru) [195.230.75.130] F=<> rejected RCPT <[email protected]>: (namip.ru) [195.230.75.130] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:10 H=mx1.pol.ru (pol.ru) [217.23.130.3] F=<> rejected RCPT <[email protected]>: mx1.pol.ru (pol.ru) [217.23.130.3] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:10 H=(mona.myownemail.com) [65.198.177.209] F=<> rejected RCPT <[email protected]>: (mona.myownemail.com) [65.198.177.209] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:10 H=(namip.ru) [195.230.75.130] F=<> rejected RCPT <[email protected]>: (namip.ru) [195.230.75.130] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2004-08-02 11:29:11 H=(namip.ru) [195.230.75.130] F=<> rejected RCPT <[email protected]>: (namip.ru) [195.230.75.130] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.

 

[AbeFroman]

What should the default email be set to to get this to work?
username ?
:fail: ?
:blackhole: ?

 

[chirpy]

What you've posted are attempts to relay through your server, not deliver to it. Exim is working correctlky and telling the sender that they haven't been authorised to realy. There's nothing more you can do, except block their IP address in your firewall.

 

[AbeFroman]

Now I am getting the following what does the ** mean? How do i get it to show "Dictionnary attack (x failed probes). Dropping connection!" like it says on http://linux.cvf.net/cp_eximrules.html:
2004-08-02 11:54:06 1BrdWq-0004nX-ER ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 1Brfry-0006c9-Rt ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 1BrdX4-0005VH-5p ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 1BrdWo-0004nX-V7 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 1BrdWr-0004nX-Tb ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 1BrdWm-0004nX-SE ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 1BrdWm-0005GX-9u ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 1BrdWj-0004nX-C2 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:06 H=(nti-msx1.NetTechInc.net) [64.122.3.58] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:07 1BrdWi-0005GX-1f ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 1BrdWg-0004nX-Vc ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 1BrdWf-0004nX-Mn ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 1BrdWa-0004nX-UT ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 1BrdWc-0004nX-QG ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 1BrdWZ-0004nX-Vq ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 H=(cgp.dol.ru) [194.87.5.78] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:07 H=(summer.cbr.ryazan.su) [212.26.227.30] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:07 1BrdWX-0004nX-Kb ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 1BrdgB-0007x6-Mf ** [email protected] R=virtual_aliases:
2004-08-02 11:54:07 1BrdWW-0004nX-BY ** [email protected] R=virtual_aliases:
2004-08-02 11:54:08 H=(rocket.naverex.net) [213.169.64.107] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:08 1BrdWV-0004nX-HB ** [email protected] R=virtual_aliases:
2004-08-02 11:54:08 1BrdWR-0004nX-V3 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:08 1BrdgQ-0000CM-7M ** [email protected] R=virtual_aliases:
2004-08-02 11:54:08 1BrdWR-0004nX-Cp ** [email protected] R=virtual_aliases:
2004-08-02 11:54:08 1BrdWO-0004nX-Ef ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 H=(cgp.dol.ru) [194.87.5.78] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:09 1BrdWP-0004nX-VW ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 H=(ice.kirov.ru) [217.9.147.42] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:09 1BrdWP-0004nX-Hf ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1Brdg9-0007x6-MF ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 H=(amber.rsu.ru) [195.208.252.10] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:09 1BrdgD-0007x6-Q7 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1Brdg1-0007x6-Ev ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1BrdgG-0000CM-Cz ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1BrdWG-0004yc-Ne ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1BrdWG-000573-21 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1BrdWK-0004yc-9n ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1Brdg8-00008Y-Q6 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 H=(aaa09.gavs.ru) [212.45.13.107] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:09 1BrdWF-00058r-Az ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1Brdg8-0007x6-Du ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1BrdWC-0004nX-Q5 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1BrdWD-0004nX-K2 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:09 1Brdfy-0007x6-RO ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1Brdfx-0007x6-Cz ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 H=(ice.kirov.ru) [217.9.147.42] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:10 1BrdWB-0004nX-3b ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1Brdg3-0007x6-E3 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1BrdW9-0004nX-Eh ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1Brdfv-0007x6-6V ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1Brdfq-0007x6-9E ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1Brdg0-0007x6-5o ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1BrdW3-0004nX-Uk ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 H=(mx.nsu.ru) [212.192.164.5] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:10 1Brdft-0007x6-84 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1BrdW2-0004nX-Aw ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1BrdVx-0004nX-VO ** [email protected] R=virtual_aliases:
2004-08-02 11:54:10 1Brdfm-0007x6-5f ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1Brdfk-0007x6-Pk ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1BrdVu-0004nX-Tl ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1Brdfn-0007x6-Dt ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1BrdVv-0004nX-Cu ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1BrdfX-0007x6-JU ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1BrdVs-0004nX-PH ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 H=(twin1.cbr.ru) [212.40.192.42] F=<> rejected RCPT <[email protected]>:
2004-08-02 11:54:11 1BrdVs-0004nX-Dc ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1BrdVq-0004nX-FK ** [email protected] R=virtual_aliases:
2004-08-02 11:54:11 1BrdVo-0004zy-U1 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:12 1Brdec-00080E-IC ** [email protected] R=virtual_aliases:
2004-08-02 11:54:12 1BrdeZ-00080E-Qj ** [email protected] R=virtual_aliases:
2004-08-02 11:54:12 1BrdVl-0004nX-6n ** [email protected] R=virtual_aliases:
2004-08-02 11:54:12 1Brdeg-00080E-4X ** [email protected] R=virtual_aliases:
2004-08-02 11:54:12 1BrdVh-0004nX-U8 ** [email protected] R=virtual_aliases:
2004-08-02 11:54:12 H=(ice.kirov.ru) [217.9.147.42] F=<> rejected RCPT <[email protected]>:

 

[AbeFroman]

Is it support to be writing to hostrejectrcpt, those files arent changing
[email protected] [/etc/exim/acls]# ll
total 20
drwxr-xr-x 2 root root 4096 Aug 2 11:49 ./
drwxr-xr-x 3 root root 4096 Aug 2 11:05 ../
-rw-r--r-- 1 root root 295 Aug 2 11:51 denyenvsenders
-rw-r--r-- 1 root root 81 Aug 2 11:53 destwhitelist
-rw-r--r-- 1 root root 588 Aug 2 11:53 hostrejectrcpt

 

[dgbaker]

http://linux.cvf.net/cp_eximrules.html

Has this worked for you? We have it as well but it never seemed to have worked.

 

[AbeFroman]

It seem like this line is the one that is suppose to stop it....
# How many bad receipients must fail before we drop the connection?
# Leave it at default 3 unless you have a very good reason to change it.
ALLOWEDRCPTFAIL=3
but
I dont see where it writes ips to block to this file:
/etc/exim/acls/hostrejectrcpt

Got any tips? Or do you know of another way to block such an attack?

 

[casey]

Has this worked for you? We have it as well but it never seemed to have worked.

Yes, it's working great for me and blocking dictionary attacks left and right.

 

[casey]

Is it support to be writing to hostrejectrcpt, those files arent changing
[email protected] [/etc/exim/acls]# ll
total 20
drwxr-xr-x 2 root root 4096 Aug 2 11:49 ./
drwxr-xr-x 3 root root 4096 Aug 2 11:05 ../
-rw-r--r-- 1 root root 295 Aug 2 11:51 denyenvsenders
-rw-r--r-- 1 root root 81 Aug 2 11:53 destwhitelist
-rw-r--r-- 1 root root 588 Aug 2 11:53 hostrejectrcpt

You put what you want in there manually.

 

[AbeFroman]

Casey, where does it put the IP's it blocks in the dictionary attack?

Got any tips for us?

What does the default address have to be set as?

Are you running Exim 4.34?

Would you be so kind as to post a copy of your /etc/exim.conf file here?