B. Cook wrote:
> Our school has recently been contacted by SpamHaus b/c we are making too
> /soo many queries.
>
> After thinking about things and looking at the offenders that keep
> coming back time and time again only to be rejected..
>
> I came up with a simple ratelimit in acl_check_connect:
>
> deny
>   ratelimit = 3 / 1m / strict
>   message = Sorry, not fast enough for you. Try again later. [$sender_rate/$sender_rate_period]
>   log_message = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit)
>
> This is what it's catching..
> grep RATE /var/log/exim/mainlog | cut -f3 -d\[ | cut -f1 -d\] | sort | uniq -c | sort
>
> (here's the over 200 offenders..)
>
> 2009-04-03 01:09:56 [85437] H=[118.71.112.87]:21151 I=[a.b.c.d]:25 rejected connection in "connect" ACL: RATE: 199.1/1m (max 3)
>
> 2009-04-03 01:09:56 [1430] H=[118.71.112.87]:21153 I=[a.b.c.d]:25 rejected connection in "connect" ACL: RATE: 199.9/1m (max 3)
>
> so, is there a way that I can make a ratelimit acl if your ip is found
> on a dnsbl?
>
> does that make sense?
>
> Or is this acl_check_connect good enough?
>
Are you expecting them to change their behaviour?

Seems to me asking Exim to 'ratelimit' a known-chronic-offender is a waste of resources.

Why not capture the offending IP on first hit, add it to a DB/file, use it to reject immediately in acl_smtp_connect with lower resource load?

NB: We do the same at later stages for REGEXP match on the domain.tld and/or HELO string of chronic / known-bad arrivals.

For *serious* offenders - the 'born to spam' networks, we do a bit of research to see if we have *ever* had even one legit arrival, otherwise add the whole netblock to the ipfw or pf block rules.

The combo makes for a major reduction in RBL callouts, and the DB/tables are easily ported to our other MTA.

CAVEAT: You may want to expire entries after a reasonable time. 'Reasonable time' here being measured in years, not months... ;-)

Bill

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
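
The capture-and-expire approach suggested in the reply, sketched as an added example that is not code from either poster or from the Exim project. It reads rejection lines in the mainlog format quoted above, records each offending IP on first hit, expires old entries, and writes one address per line. The function names, the two-year TTL and the idea of feeding the output file to a host list in the connect ACL are assumptions; the sample log lines are constructed and use documentation address ranges.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Shape of the "connect" ACL rejection lines quoted in the thread.
RATE_LINE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?:\[\d+\] )?'
    r'H=\[([^\]]+)\]\S* .*?rejected connection in "connect" ACL: RATE: '
)
TTL = timedelta(days=2 * 365)  # assumption: "measured in years, not months"

def update_blocklist(blocklist, log_lines):
    """Record every rate-rejected IP on first hit; value is the last time seen."""
    for line in log_lines:
        m = RATE_LINE.search(line)
        if not m:
            continue
        try:
            # Validate and normalise so malformed log text never reaches the file.
            ip = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue
        seen = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        blocklist[ip] = max(blocklist.get(ip, seen), seen)
    return blocklist

def expire(blocklist, now, ttl=TTL):
    """Drop entries that have not been seen within ttl."""
    return {ip: seen for ip, seen in blocklist.items() if now - seen <= ttl}

def render(blocklist):
    """One address per line (assumed input for a file-backed host list)."""
    return "".join(f"{ip}\n" for ip in sorted(blocklist))

# Constructed sample lines, not real log data.
SAMPLE_LOG = [
    '2009-04-03 01:09:56 [85437] H=[192.0.2.10]:21151 I=[203.0.113.5]:25 rejected connection in "connect" ACL: RATE: 199.1/1m (max 3)',
    '2009-04-03 01:09:58 [1430] H=[192.0.2.10]:21153 I=[203.0.113.5]:25 rejected connection in "connect" ACL: RATE: 199.9/1m (max 3)',
    '2009-04-03 01:10:02 [1431] H=[198.51.100.7]:40112 I=[203.0.113.5]:25 rejected connection in "connect" ACL: RATE: 4.0/1m (max 3)',
    '2009-04-03 01:10:05 [1432] H=[999.1.1.1]:40113 I=[203.0.113.5]:25 rejected connection in "connect" ACL: RATE: 5.0/1m (max 3)',
    '2009-04-03 01:11:00 [1433] H=[192.0.2.99]:2500 I=[203.0.113.5]:25 rejected RCPT <x@example.org>: relay not permitted',
]

if __name__ == "__main__":
    current = update_blocklist({}, SAMPLE_LOG)
    print(render(expire(current, datetime(2009, 4, 3, 2, 0))), end="")
```

Only lines matching the RATE rejection format are counted, so ordinary RCPT rejections and unparseable addresses never enter the list.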
