The Community Forums


More and more "closed by DROP in ACL" in exim logs.

Discussion in 'Security' started by jols, May 20, 2012.

jols (Well-Known Member, joined Mar 13, 2004):
    I'm seeing more and more of these kinds of entries in the exim_mainlog file:

    2012-05-20 03:36:37 SMTP connection from (hxsf8pgx3x2uk) [41.136.196.2]:34124 closed by DROP in ACL
    2012-05-20 03:36:43 SMTP connection from (bxkqlnohhfh) [110.172.150.2]:42054 closed by DROP in ACL
    2012-05-20 03:37:23 SMTP connection from (windows-xp) [218.48.74.98]:42242 closed by DROP in ACL
    2012-05-20 03:37:27 SMTP connection from (dell-2e58bfb0ba) [182.182.60.148]:16332 closed by DROP in ACL
    2012-05-20 03:37:39 SMTP connection from (bubu-b74b3fbaa7) [89.137.235.17]:25125 closed by DROP in ACL
    2012-05-20 03:38:01 SMTP connection from (school-0a0b7ad4) [106.66.249.123]:3029 closed by DROP in ACL


    All of the IPs in such entries seem to be from notoriously shady sources, e.g. Iran, Korea, Russian Federation, and so on. We are seeing anywhere from 2 to 20 per minute of these "closed by DROP in ACL" log entries.

    I'm guessing that this is Exim protecting itself from likely spam probes or something to that effect. But I am wondering if these guys are taking up POP ports with these attacks? And do you suppose it would be worth writing a script to drop these IPs in the server firewall, at least for the ones that hit the server repeatedly, i.e. for the worst offenders?

    Thanks much.
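A note on what the log line means, followed by a worked version of the "script for the worst offenders" idea. Exim writes "SMTP connection from ... closed by DROP in ACL" when a `drop` verb in one of its ACLs fires, so these are inbound SMTP connections (port 25, or the submission ports) that Exim itself refused; they never touch the POP service. The parenthesised name is whatever the client announced at HELO, so only the bracketed IP is worth acting on. The script below is an added example, not code from the post or from cPanel: it parses exim_mainlog lines of the shape quoted above, counts DROP events per source IP inside a sliding window, skips an allowlist of your own networks so a misconfigured internal host can never get you to firewall yourself, and renders a temporary ConfigServer Firewall deny for each repeat offender. The threshold, window and TTL values, the allowlist, and the assumption that csf is installed are all choices made for this example; the sample log is constructed from the six lines in the post plus added lines (extra hits from 218.48.74.98, a private address, and an unrelated delivery record) to exercise the repeat, allowlist and non-matching cases.

```python
#!/usr/bin/env python3
"""Added example: tally Exim 'closed by DROP in ACL' events per source IP and
list the repeat offenders worth a temporary firewall block."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of the exim_mainlog lines quoted in the post. The parenthesised HELO
# name is client-controlled and optional; only the bracketed IP is trusted.
DROP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"SMTP connection from (?:\([^)]*\) )?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)? closed by DROP in ACL$"
)


def parse_drops(lines):
    """Yield (timestamp, ip) for each DROP-in-ACL line; other log lines are skipped."""
    for line in lines:
        m = DROP_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


def repeat_offenders(lines, threshold=3, window_minutes=10, allow=()):
    """Return [(ip, count, first_seen, last_seen)] for IPs with at least
    `threshold` drops in the last `window_minutes` before the newest event,
    most frequent first. IPs inside any `allow` network are never listed."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    events = list(parse_drops(lines))
    if not events:
        return []
    cutoff = max(ts for ts, _ in events) - timedelta(minutes=window_minutes)
    seen = defaultdict(list)
    for ts, ip in events:
        if ts < cutoff:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            continue  # own/monitoring hosts: fix the config, never block them
        seen[ip].append(ts)
    result = [(ip, len(t), min(t), max(t)) for ip, t in seen.items() if len(t) >= threshold]
    return sorted(result, key=lambda r: (-r[1], r[0]))


def csf_tempdeny_commands(offenders, ttl=3600):
    """Render one ConfigServer Firewall temp-deny per offender (assumes csf is
    installed; `iptables -I INPUT -s IP -p tcp --dport 25 -j DROP` is the plain
    alternative). The block is inbound, port 25 only, and expires after `ttl`
    seconds because most of these sources are dynamic addresses that get
    reassigned to someone else."""
    return [
        f'csf -td {ip} {ttl} -p 25 -d in "exim DROP in ACL x{count}"'
        for ip, count, _, _ in offenders
    ]


# Constructed sample: the six lines quoted in the post plus added lines.
SAMPLE_LOG = """\
2012-05-20 03:36:37 SMTP connection from (hxsf8pgx3x2uk) [41.136.196.2]:34124 closed by DROP in ACL
2012-05-20 03:36:43 SMTP connection from (bxkqlnohhfh) [110.172.150.2]:42054 closed by DROP in ACL
2012-05-20 03:36:50 SMTP connection from (intranet-scanner) [10.0.0.5]:50001 closed by DROP in ACL
2012-05-20 03:37:23 SMTP connection from (windows-xp) [218.48.74.98]:42242 closed by DROP in ACL
2012-05-20 03:37:27 SMTP connection from (dell-2e58bfb0ba) [182.182.60.148]:16332 closed by DROP in ACL
2012-05-20 03:37:39 SMTP connection from (bubu-b74b3fbaa7) [89.137.235.17]:25125 closed by DROP in ACL
2012-05-20 03:37:50 SMTP connection from (intranet-scanner) [10.0.0.5]:50002 closed by DROP in ACL
2012-05-20 03:38:01 SMTP connection from (school-0a0b7ad4) [106.66.249.123]:3029 closed by DROP in ACL
2012-05-20 03:38:10 SMTP connection from (windows-xp) [218.48.74.98]:42310 closed by DROP in ACL
2012-05-20 03:38:40 SMTP connection from (intranet-scanner) [10.0.0.5]:50003 closed by DROP in ACL
2012-05-20 03:38:55 1SVabc-000123-AB <= user@example.com H=localhost [127.0.0.1] P=esmtpa S=1234
2012-05-20 03:39:12 SMTP connection from (windows-xp) [218.48.74.98]:42401 closed by DROP in ACL
2012-05-20 03:40:02 SMTP connection from (bxkqlnohhfh) [110.172.150.2]:42188 closed by DROP in ACL
2012-05-20 03:41:45 SMTP connection from (windows-xp) [218.48.74.98]:42577 closed by DROP in ACL
"""

if __name__ == "__main__":
    hits = repeat_offenders(SAMPLE_LOG.splitlines(), allow=["10.0.0.0/8", "127.0.0.0/8"])
    for ip, n, first, last in hits:
        print(f"{ip:16} {n:3} drops  {first:%H:%M:%S} .. {last:%H:%M:%S}")
    print("\n".join(csf_tempdeny_commands(hits)))
```

On a live server you would feed it `tail -n 5000 /var/log/exim_mainlog` from cron and pipe the rendered commands to a shell only after looking at the output for a few days, since Exim has already refused these connections and the firewall rule only saves the few packets of the TCP handshake and HELO.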
     