W B Hacker wrote:
> B. Cook wrote:
>> Our school has recently been contacted by SpamHaus b/c we are making
>> too/soo many queries.
>>
>> After thinking about things and looking at the offenders that keep
>> coming back time and time again only to be rejected..
>>
>> I came up with a simple ratelimit in acl_check_connect:
>>
>> deny
>>   ratelimit = 3 / 1m / strict
>>   message = Sorry, not fast enough for you. Try again later. [$sender_rate/$sender_rate_period]
>>   log_message = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit)
>>
>> This is what it's catching..
>> grep RATE /var/log/exim/mainlog | cut -f3 -d\[ | cut -f1 -d\] | sort | uniq -c | sort
>>
>> (here's the over 200 offenders..)
>>
>> 201 118.69.170.90
>> 204 123.18.170.173
>> 206 85.105.247.43
>> 208 117.0.155.111
>> 208 88.224.84.103
>> 210 123.18.85.6
>> 217 78.171.137.27
>> 225 123.22.119.231
>> 242 123.19.1.197
>> 248 123.18.243.35
>> 316 118.71.112.87
>>
>> 2009-04-03 01:09:56 [85437] H=[118.71.112.87]:21151 I=[a.b.c.d]:25 rejected connection in "connect" ACL: RATE: 199.1/1m (max 3)
>>
>> 2009-04-03 01:09:56 [1430] H=[118.71.112.87]:21153 I=[a.b.c.d]:25 rejected connection in "connect" ACL: RATE: 199.9/1m (max 3)
>>
>> So, is there a way that I can make a ratelimit acl if your ip is found
>> on a dnsbl?
>>
>> Does that make sense?
>>
>> Or is this acl_check_connect good enough?
>>
>
> Are you expecting them to change their behaviour?
>
> Seems to me asking Exim to 'ratelimit' a known-chronic-offender is a
> waste of resources.
>
> Why not capture the offending IP on first hit, add it to a DB/file, use
> it to reject immediate in acl_smtp_connect with lower resource load?
>
> NB: We do the same at later stages for REGEXP match on the domain.tld
> and/or HELO string of chronic / known-bad arrivals.
>
> For *serious* offenders - the 'born to spam' networks, we do a bit of
> research to see if we have *ever* had even one legit arrival, otherwise
> add the whole netblock to the ipfw or pf block rules.
>
> The combo makes for a major reduction in RBL callouts, and the DB/tables
> are easily ported to our other MTA.
>
> CAVEAT: You may want to expire entries after a reasonable time.
> 'Reasonable time' here being measured in years, not months...
>
> ;-)
>
> Bill
>
Yes, that would be ideal.

Is there a way to get exim to add something to spamdb and/or the pf block list until spamdb can be rebuilt?

How can I make exim "do something" (outside of exim) when "something happens" (inside exim)?

I didn't think that was possible w/ exim.. but it sounds like you are speaking as if you are doing it/have done it. :)

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
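
The idea discussed in this thread (collect the hosts that the RATE rule keeps rejecting and put them in a file for a cheaper reject), as an added example that is not part of any poster's message. It goes beyond the grep pipeline quoted above by tracking the peak rate, validating each address, and skipping trusted networks; the sample log lines are constructed in the quoted mainlog format, and the function names, the `min_hits` threshold and the `never_block` allowlist are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the mainlog format quoted in the thread
# (addresses are from the documentation ranges, not real offenders).
SAMPLE_LOG = """\
2009-04-03 01:09:56 [85437] H=[192.0.2.10]:21151 I=[198.51.100.1]:25 rejected connection in "connect" ACL: RATE: 199.1/1m (max 3)
2009-04-03 01:09:56 [1430] H=[192.0.2.10]:21153 I=[198.51.100.1]:25 rejected connection in "connect" ACL: RATE: 199.9/1m (max 3)
2009-04-03 01:10:02 [1431] H=[192.0.2.10]:21160 I=[198.51.100.1]:25 rejected connection in "connect" ACL: RATE: 200.4/1m (max 3)
2009-04-03 01:11:40 [1502] H=[203.0.113.7]:40112 I=[198.51.100.1]:25 rejected connection in "connect" ACL: RATE: 3.2/1m (max 3)
2009-04-03 01:12:05 [1510] H=mx.example.org [198.51.100.25]:51000 I=[198.51.100.1]:25 rejected connection in "connect" ACL: RATE: 4.0/1m (max 3)
2009-04-03 01:12:09 [1511] H=mx.example.org [198.51.100.25]:51002 I=[198.51.100.1]:25 rejected connection in "connect" ACL: RATE: 4.8/1m (max 3)
2009-04-03 01:12:30 [1520] H=[192.0.2.99]:2200 I=[198.51.100.1]:25 rejected EHLO: syntactically invalid argument
"""

RATE_LINE = re.compile(
    r' H=(?:\S+ )?\[(?P<ip>[^\]]+)\](?::\d+)? .*'
    r'ACL: RATE: (?P<rate>\d+(?:\.\d+)?)/\S+ \(max '
)

def rate_offenders(lines, min_hits=2, never_block=()):
    """Return [(ip, hits, peak_rate)] for hosts rejected at least min_hits times."""
    trusted = [ipaddress.ip_network(n) for n in never_block]
    hits, peak = defaultdict(int), defaultdict(float)
    for line in lines:
        m = RATE_LINE.search(line)
        if not m:
            continue                      # not a RATE rejection
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue                      # never copy unparsed log text into a block list
        if any(ip in net for net in trusted):
            continue                      # networks with known legitimate mail stay out
        hits[ip] += 1
        peak[ip] = max(peak[ip], float(m.group("rate")))
    found = [(str(ip), n, peak[ip]) for ip, n in hits.items() if n >= min_hits]
    return sorted(found, key=lambda row: (-row[1], row[0]))

def denylist_text(offenders):
    """One address per line, for a file that a lookup or packet-filter table can load."""
    return "".join(ip + "\n" for ip, _, _ in offenders)

if __name__ == "__main__":
    print(denylist_text(rate_offenders(SAMPLE_LOG.splitlines(),
                                       never_block=["198.51.100.0/24"])), end="")
```

The `never_block` list corresponds to the check for legitimate arrivals mentioned in the quoted reply, and expiring old entries is left to whatever maintains the file.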
