Brute force exim

neo-hippie

Hello, my exim log is filled with authentication required errors.
Code:
2014-09-16 18:20:58 H=36-224-138-36.dynamic-ip.hinet.net (95.211.xxx.xxx) [36.224.138.36] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2014-09-16 18:20:58 H=220-141-86-79.dynamic.hinet.net (95.211.xxx..xxx) [220.141.86.79] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
I have tried to configure Exim to reject everything from *.hinet.net (since it's sending from different IPs, like a whole range or something), which gives me this:
Code:
2014-09-16 06:26:59 H=36-224-138-32.dynamic-ip.hinet.net [36.224.138.32] rejected connection in "connect" ACL
2014-09-16 06:27:00 H=118-166-248-151.dynamic.hinet.net [118.166.248.151] rejected connection in "connect" ACL
using this ACL:
Code:
	drop	condition = ${if match{$sender_host_name}{\N\.dynamic\.hinet\.net\N}{true}{false}}
	drop	condition = ${if match{$sender_host_name}{\N\.dynamic-ip\.hinet\.net\N}{true}{false}}

	accept

But nothing worked. When enabling the ACL, the log is filled with reject errors.
When disabling the ACL, the log is filled with authentication errors (and it is huge, more than 75Mb per day).

How do I stop the attempts to relay email?
 
Hi Alex,

Thanks for your (very) quick response.
I'm using fail2ban for the real brute force attacks (short bursts).

But this attempt has gone on for well over a month now.

So what's the best way to make it stop?
Letting it dive into the black hole using the ACL / blacklist, or giving it a response with wrong authentication
and waiting it out for a couple of days?
 
I'd rather use the SpamBlockerTechnology* powered exim.conf, Version 4.1, with RBL enabled, and block subnets with iptables on the server or on a DC router:

Netname: HINET-NET
Netblock: 36.224.0.0/16

Netname: HINET-NET
Netblock: 118.166.0.0/16

and/or try this:

Code:
  # Deny unauthenticated senders whose reverse DNS looks like a dynamic/consumer host,
  # after a 60s delay (comment added for clarity; the ACL itself is as posted).
  deny  message = X-Dynamic-Looking-rDNS: YES
        log_message = X-Dynamic-Looking-rDNS: We do not accept emails from dynamic-looking rDNS
        condition = ${if match{$sender_host_name} \
                        {dslam|node|hinet|hinet-ip|client|adsl|dialup|pool|peer|dhcp|dsl|broadband|ppp|dynamic|cable} \
                        {yes}{no}}
        domains = +use_rbl_domains
        !authenticated = *
        delay = 60s
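As an added example (not from the thread, nor from the SpamBlocker exim.conf), a small Python script that parses the two kinds of Exim reject line quoted above, applies the same dynamic-rDNS word list as the deny ACL, and aggregates hits per /16 netblock so you can see how much of the log noise an rDNS rule or a netblock rule would actually remove, and which hosts neither would catch. The sample log lines, HELO strings and addresses are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Word list copied from the deny ACL's ${if match{$sender_host_name}{...}} condition.
DYNAMIC_RDNS = re.compile(
    r"dslam|node|hinet|hinet-ip|client|adsl|dialup|pool|peer|dhcp|dsl|"
    r"broadband|ppp|dynamic|cable"
)

# Exim main-log reject line: "<date> <time> H=<rDNS> [(<HELO>)] [<ip>] [F=<sender>]
# rejected <what>[: <reason>]"; covers both shapes of line quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=(?P<rdns>\S+)(?: \(\S+\))? \[(?P<ip>[\d.]+)\]"
    r"(?: F=<[^>]*>)? rejected (?P<what>.*?)(?:: (?P<reason>.*))?$"
)

# Constructed sample lines: HELO and addresses are placeholders, not from the thread.
SAMPLE_LOG = [
    '2014-09-16 18:20:58 H=36-224-138-36.dynamic-ip.hinet.net (95.211.0.1) [36.224.138.36] '
    'F=<spammer@example.net> rejected RCPT <user@example.org>: authentication required',
    '2014-09-16 18:20:58 H=220-141-86-79.dynamic.hinet.net (95.211.0.1) [220.141.86.79] '
    'F=<spammer@example.net> rejected RCPT <user@example.org>: authentication required',
    '2014-09-16 06:26:59 H=36-224-138-32.dynamic-ip.hinet.net [36.224.138.32] '
    'rejected connection in "connect" ACL',
    '2014-09-16 07:00:00 H=mx.example.com [203.0.113.7] F=<bob@example.com> '
    'rejected RCPT <nobody@example.org>: Unrouteable address',
]

def parse_line(line):
    """Return the named fields of one reject line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Count rejects by reason and by /16 (the granularity of the quoted HINET
    netblocks), and record which hosts the rDNS word list would not have caught."""
    by_reason, by_net, caught, missed = Counter(), Counter(), 0, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_reason[rec["reason"] or rec["what"]] += 1
        by_net[str(ip_network(rec["ip"] + "/16", strict=False))] += 1
        if DYNAMIC_RDNS.search(rec["rdns"]):
            caught += 1
        else:
            missed.append(rec["rdns"])  # would still need another control
    return {"by_reason": by_reason, "by_net": by_net, "caught": caught, "missed": missed}
```

Run it over a real exim_mainlog with `summarize(open("/var/log/exim/mainlog"))` to see whether a handful of /16 blocks or the rDNS rule accounts for most of the volume before adding either.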
 
Hi Alex,

Thanks for the advice.
I will look into it!
PS: I'm using the latest SpamBlocker exim.conf.

Thank god everything is safe now. It's just the logs that are bothering me.
 