Hello all,

My exim server does not support ANY net-facing logins at all, and AUTH is not advertised. Yet, I am getting increasing numbers of AUTH attempts. I am looking for the best way to block IPs that attempt (have attempted) AUTH.

I am not concerned about site penetration because Exim automatically rejects all the AUTH attempts with "503 AUTH command used when not advertised". However, there are clients (almost all with Chinese IPs) that are generating AUTH attempts at a rate exceeding 10 per second, in blasts of several minutes. This, despite sending EHLO, to which my server responds with a very short list:
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP

(Some guys just can't accept no!)

The result of all these useless attempts is log pollution and wasted resources at best, and perhaps something akin to DOS if it keeps increasing. (It started out with an attempt by a random IP every 5 minutes, but lately seems to worsen daily.)

I suppose I could eliminate almost all of this by simply refusing connection to any Chinese IP based on a filter file. I copied a CIDR list in iplsearch acceptable format from a web site, but it contains 4226 entries! (http://www.okean.com/chinacidr.txt) However, this filter would probably be a worse resource drain than the current dropped connections. (Not sure how efficient exim's search of such a filter is.)

My main idea now is to refuse connection using a much smaller self-maintained filter file that contains a list of IPs of "known bad actors". Where I am stymied on that is knowing how to add entries to the filter file inside exim, at the time AUTH is attempted (or perhaps other objectionable activity). I presume a custom logging file would not work because it would always be open while exim is running, so could not be opened for filtering.

Any help appreciated (including better ideas).

Phil Carroll

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
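One way to build the small "known bad actors" file the post asks about, as an added example that is not part of the original post or of Exim itself: rather than writing to the filter file from inside Exim while it holds the log open, scan the main log afterwards (e.g. from cron), count the "503 AUTH command used when not advertised" rejections per source address, and regenerate the iplsearch-format file from the ones that cross a threshold. The sample log lines below are constructed for the example; the exact wording and layout of Exim's rejection line is an assumption, so adjust `AUTH_REJECT` to match what your own log shows. The helper names (`count_auth_probes`, `build_blocklist`, `render_iplsearch`, `load_blocklist`) are this example's own.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in the general shape of an Exim main log.
# The rejection text and bracketed-IP layout are assumed; check them against a real log.
SAMPLE_LOG = """\
2024-05-01 10:00:01 SMTP protocol error in "AUTH LOGIN" H=(example) [203.0.113.10]: AUTH command used when not advertised
2024-05-01 10:00:01 SMTP protocol error in "AUTH LOGIN" H=(example) [203.0.113.10]: AUTH command used when not advertised
2024-05-01 10:00:02 SMTP protocol error in "AUTH PLAIN" H=(example) [203.0.113.10]: AUTH command used when not advertised
2024-05-01 10:00:05 1s2Abc-0001Aa-Bc <= sender@example.org H=mail.example.org [198.51.100.7] P=esmtps S=1234
2024-05-01 10:01:30 SMTP protocol error in "AUTH LOGIN" H=(other) [198.51.100.20]: AUTH command used when not advertised
"""

# Substring that marks a rejected AUTH attempt (assumed wording, see above).
AUTH_REJECT = "AUTH command used when not advertised"

# Exim writes the peer address in square brackets; this matches IPv4 only.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def count_auth_probes(log_text):
    """Return a Counter of source IP -> number of rejected AUTH attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        if AUTH_REJECT not in line:
            continue  # ordinary traffic, not an AUTH probe
        match = IP_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def build_blocklist(counts, threshold, existing=None):
    """Merge IPs with at least `threshold` probes into the existing block set.

    Keeping the existing entries means an address stays blocked after its
    log lines have rotated away; prune the file by hand when you want to.
    """
    block = set(existing or ())
    for ip, n in counts.items():
        if n >= threshold:
            block.add(ip)
    return block


def _ipv4_sort_key(ip):
    return tuple(int(part) for part in ip.split("."))


def render_iplsearch(block):
    """Format the set as 'key: data' lines, the layout Exim's iplsearch lookup reads."""
    return "".join(f"{ip}: auth-probe\n" for ip in sorted(block, key=_ipv4_sort_key))


def load_blocklist(text):
    """Read back an iplsearch-format file so repeated runs accumulate entries."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.add(line.split(":", 1)[0].strip())
    return entries


if __name__ == "__main__":
    # Usage: python auth_probes.py [/var/log/exim4/mainlog] [/etc/exim4/badhosts] [threshold]
    log_path = sys.argv[1] if len(sys.argv) > 1 else None
    out_path = sys.argv[2] if len(sys.argv) > 2 else None
    threshold = int(sys.argv[3]) if len(sys.argv) > 3 else 3

    log_text = open(log_path).read() if log_path else SAMPLE_LOG
    existing = set()
    if out_path:
        try:
            existing = load_blocklist(open(out_path).read())
        except FileNotFoundError:
            pass

    block = build_blocklist(count_auth_probes(log_text), threshold, existing)
    rendered = render_iplsearch(block)
    if out_path:
        # Write to a temp name and rename so Exim never reads a half-written file.
        tmp = out_path + ".tmp"
        with open(tmp, "w") as fh:
            fh.write(rendered)
        import os
        os.replace(tmp, out_path)
    else:
        sys.stdout.write(rendered)
```

The generated file has one `address: data` line per offender, which is the shape an `iplsearch` host list expects, so it can be referenced from a `deny` with `hosts = iplsearch;/etc/exim4/badhosts` in the connect ACL (that wiring is an assumption about your configuration, not something the post shows). Because the script only reads the log and rewrites its own small file, it sidesteps the problem of opening a file Exim already holds open. Two caveats: the regex ignores IPv6 peers, and a threshold of 1 would ban a single stray probe, so start with a few and raise it if legitimate hosts ever trip it.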