BlockCracking to be used in spamblocker exim.conf?

DA-Rff

Verified User
Joined
Dec 4, 2006
Messages
119
I just looked at: https://github.com/Exim/exim/wiki/BlockCracking and was wondering if this could be added to the latest spamblocker exim.conf file and if so where to put it.

Code:
accept authenticated = *
        set acl_m_user = $authenticated_id
        condition = ${if exists{$spool_directory/blocked_authenticated_users}}
        condition = ${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_authenticated_users}{1}{0}}
        control = freeze/no_tell
        control = submission/domain=
        add_header = X-Authenticated-As: $acl_m_user

  accept authenticated = *
        !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
        ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
        continue = ${run{SHELL -c "echo $acl_m_user \
           >>$spool_directory/blocked_authenticated_users; \
           \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
           has sent mail to LIM invalid recipients during PERIOD.; \
           \N}\N | $exim_path -f root WARNTO"}}
        control = freeze/no_tell
        control = submission/domain=
        add_header = X-Authenticated-As: $acl_m_user

  accept authenticated = *
        control = submission/domain=

and:

Code:
accept hosts = !@[] : +relay_from_hosts
        set acl_m_user = $sender_host_address
                         # or username from RADIUS
        condition = ${if exists{$spool_directory/blocked_relay_users}}
        condition = ${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_relay_users}{1}{0}}
        control = freeze/no_tell
        control = submission/domain=
        add_header = X-Relayed-From: $acl_m_user

  accept hosts = !@[] : +relay_from_hosts
        !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
        ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
        continue = ${run{SHELL -c "echo $acl_m_user \
           >>$spool_directory/blocked_relay_users; \
           \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
           because has sent mail to LIM invalid recipients during PERIOD.; \
           \N}\N | $exim_path -f root WARNTO"}}
        control = freeze/no_tell
        control = submission/domain=
        add_header = X-Relayed-From: $acl_m_user

  accept hosts = +relay_from_hosts
        control = submission/domain=

and:

Code:
acl_smtp_connect = acl_check_connect
acl_smtp_auth = acl_check_auth
acl_smtp_mail = acl_check_mail
acl_smtp_quit = acl_check_quit
acl_smtp_notquit = acl_check_notquit
LIM = 100
PERIOD = 1h
WARNTO = [email protected]
SHELL = /bin/sh

Code:
acl_check_auth:
  drop  message = authentication is allowed only once per message in order \
                  to slow down bruteforce cracking
        set acl_m_auth = ${eval10:0$acl_m_auth+1}
        condition = ${if >{$acl_m_auth}{2}}
        delay = 22s

  drop  message = blacklisted for bruteforce cracking attempt
        set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
        condition = ${if >{$acl_c_authnomail}{4}}
        continue = ${run{SHELL -c "echo $sender_host_address \
           >>$spool_directory/blocked_IPs; \
           \N{\N echo Subject: $sender_host_address blocked; echo; echo \
           for bruteforce auth cracking attempt.; \
           \N}\N | $exim_path -f root WARNTO"}}

  accept set acl_c_authhash = ${if match{$smtp_command_argument}\
                  {\N(?i)^(?:plain|login) (.+)$\N}{${nhash_1000:$1}}}

acl_check_quit:
  warn  condition = $authentication_failed
        condition = ${if def:acl_c_authhash}
        ratelimit = 0 / 5m / strict / $sender_host_address-$acl_c_authhash
        set acl_c_hashrate = ${sg{$sender_rate}{[.].*}{}}

  warn  condition = $authentication_failed
        logwrite = :reject: quit after authentication failed: \
                            ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
        ratelimit = 7 / 5m / strict / per_conn
        condition = ${if or{\
                            {!def:acl_c_authhash}\
                            {<{$acl_c_hashrate}{2}}\
                           }}
        continue = ${run{SHELL -c "echo $sender_host_address \
           >>$spool_directory/blocked_IPs; \
           \N{\N echo Subject: $sender_host_address blocked; echo; echo \
           for bruteforce auth cracking attempt.; \
           \N}\N | $exim_path -f root WARNTO"}}

acl_check_notquit:
  warn  condition = $authentication_failed
        condition = ${if def:acl_c_authhash}
        ratelimit = 0 / 5m / strict / $sender_host_address-$acl_c_authhash
        set acl_c_hashrate = ${sg{$sender_rate}{[.].*}{}}

  warn  condition = $authentication_failed
        logwrite = :reject: $smtp_notquit_reason after authentication failed: \
                            ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
        condition = ${if eq{$smtp_notquit_reason}{connection-lost}}
        ratelimit = 7 / 5m / strict / per_conn
        condition = ${if or{\
                            {!def:acl_c_authhash}\
                            {<{$acl_c_hashrate}{2}}\
                           }}
        continue = ${run{SHELL -c "echo $sender_host_address \
           >>$spool_directory/blocked_IPs; \
           \N{\N echo Subject: $sender_host_address blocked; echo; echo \
           for bruteforce auth cracking attempt.; \
           \N}\N | $exim_path -f root WARNTO"}}

acl_check_mail:
  accept set acl_c_authnomail = 0

acl_check_connect:
  drop  message = $sender_host_address locally blacklisted for a bruteforce \
                  auth (username+password) cracking attempt
        condition = ${if exists{$spool_directory/blocked_IPs}}
        condition = ${lookup{$sender_host_address}lsearch\
                    {$spool_directory/blocked_IPs}{1}{0}}

  accept

hash:
  accept set acl_c_authhash = ${nhash_1000:$acl_arg1}
 
I'm likely not going to make any major changes to SpamBlocker into the future. I'm going to work with John at DirectAdmin to merge my current file with his current file (a bit harder than you'd expect since his file is now created on the fly through SpamBlocker) and then he and I can work together on adding new features as appropriate.

So hopefully John will take a look at this code.

However, I do suggest you tell us more about BlockCrackng rather than just tell us the code to add it. Hopefully none of us add code and complexity to our servers simply because we can :).

What does it do? Why should we add it? Links to some information will be helpful.

Jeff
 
Hi Jeff,

I found the following info about blockcracking on: https://github.com/Exim/exim/wiki/BlockCracking

Blocking compromised accounts and auth cracking

Nowadays users' passwords often are stolen (with drive-by exploits, Windows malware, phishing) and used for spamming. Spam sent with authentication via your server causes it to be blacklisted without notice and sometimes no appeal. Simple rate limiting authenticated users constrains honest users while still allowing spam to trickle through, your server still ends up in blacklists. Each server needs automatic detection and blocking of compromised accounts (stolen passwords). I amended and implemented (for Exim version 4.67 or higher) Andrew Hearn's idea to check not rate of messages or all recipients, but rate of attempts to send to nonexistent recipient email addresses. Vast majority of spammers never try to validate every recipient address. Spammers harvest strings looking like email addresses from webpages and disks of trojaned Windowses, then sell huge lists of email addresses to each other. These lists contain very much email addresses which don't exist anymore or never existed: Message-Ids, corrupted strings in memory and files. In short, spammers' lists of email addresses are much dirtier than lists honest users send to. Honest users are very unlikely to attempt to send to 100 nonexistent email addresses in one hour. Below I explain in detail (for novices at Exim) what to change in Exim config for automatic blocking of compromised and spammers' accounts, with automatic email notification to sysadmin or your abuse or support staff.

This code also blocks brute force password cracking via SMTP (it's not as important but a little useful).

SO it is all about adding an extra safety layer around exim, I posted here because I am definitely NOT an expert and was just wondering if this is worthwhile and if so, how to go about it.

Thanks.
 
I haven't taken the time to study the code; the concept looks interesting.

You can likely tell a lot at the site from where you got the code; they should offer y ou a sample exim.conf file which would help you place the code.

Since you may be using one of several available copies of the exim.conf code (there have even been changes withing SpamBlocker 4) I'm not going to take the time today to see if I can figure it out. Hopefully John will look at it and let us know what he thinks about adding it.

Or perhaps someone else who's added it will post and give us the quick and easy :).

Jeff
 
Thanks Jeff,

Now that is what I would like as well:

Or perhaps someone else who's added it will post and give us the quick and easy

tnx
 
That's an interesting article, although I'm not sure we'd be adding it to the exim.conf at this time.
We do offer regular rate limiting on a per-Email basis with this guide:
http://help.directadmin.com/item.php?id=514

which would be a simple alternative that's already implemented, and doesn't add any complexity to the current exim.conf.
Note, that version 16 of the exim.pl is available.

John
 
Back
Top