Possible Exim change.

ReN

Verified User
Joined
Jul 2, 2005
Messages
202
Hey guys, just wanted to see if the DA guys would adjust the exim.conf slightly due to the following.

I'm seeing a lot of this kind of thing in the logs:

2019-08-03 00:35:29 H=example.testing.com (example.localdomain) [123.123.123.123]: 535 Incorrect authentication data ([email protected])

I can't be the only one this is happening to, so perhaps the DA gods would consider adding a condition to the exim.conf exactly like the one for ylmf-pc.

Even if it's a no, what would the condition look like? For example:
Code:
# deny when the HELO name ends in localhost, .local, .localdomain or .lan
# (uses "match", a regex test; "eq" would only compare against the literal string)
deny message   = HELO_BLOCKED_FOR_ABUSE
     condition = ${if match{$sender_helo_name}{\N(localhost|\.local(domain)?|\.lan)$\N}{true}{false}}

Any help would be greatly appreciated.

ReN
You might want to take care with that.
Because these messages are from webmail, when trying to log in to webmail.
Also, existing customers can have the password incorrect and try a couple of times, so you don't want to block them immediately.

This is no Exim thing. You could maybe better use a csf regexp so you can block after a certain amount of invalid logins.
 
Greetings Richard,

Thank you for your response. I realized I made an error in my original post; I'm much more concerned about the "helo" log extract, as this seems to be a script run much along the lines of ylmf-pc.
 
You're welcome.
The problem is there are a lot of decent mail servers which have a correct HELO and also have (localhost.localdomain) between brackets behind it.

It would be too much work to block everything by changing Exim, because they can easily change the name and start again, and you again have to adjust your block in Exim. Exim is an MTA and is not really intended to block these kinds of things.

We also had a block in the CSF regexp like this; maybe you can use it for your needs:
Code:
# YLMF Attacks
# Failed SMTP AUTH from a client that said HELO ylmf-pc: $2 is the client IP.
# No trailing anchor after the 535 text, because Exim may append "(set_id=...)" to it.
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) login authenticator failed for \(ylmf-pc\) \[(\S+)\]: 535 Incorrect authentication data/)) {
    # 5 hits -> block the listed mail ports; "1" = permanent block
    return ("ylmf-pc Attack From ",$2,"ylmfAttack","5","25,110,995,587,465","1");
}

# HELO ylmf-pc rejected by the exim.conf rule below: $2 is the client IP.
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) H=\S+\s\(ylmf-pc\) \[(\S+)\] rejected EHLO or HELO \S+/)) {
    # 5 hits -> block all ports (empty port list, as in the csf regex.custom.pm example) for 6048000 seconds
    return ("ylmf-pc Attack From ",$2,"ylmfAttack","5","","6048000");
}

Please check the code; I'm not 100% sure if this will work, but I thought it did. Change the lines to your needs.

The code in exim.conf is:
Code:
  # deny if helo name is ylmf-pc, which accounts for a HUGE percentage of BF attacks
    deny message = HELO_BLOCKED_FOR_ABUSE
         condition   = ${if eq{$sender_helo_name}{ylmf-pc}}
This is under edit #25 of the spamblocker exim.conf. As you can see, this only reacts to the HELO name.

You could add them there, but they could be overwritten by an Exim update, unless you have exim_conf set to no in options.conf.
It might also be possible to create some custom Exim configuration, but I'm not sure about that; maybe Smtalk or Zeiter can enlighten you about that.
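As an added example (not code from this thread, nor from DirectAdmin, CSF or Exim), here is a small Python script that does, offline, what the CSF rule above does: it pulls the HELO name and client IP out of both log shapes quoted in the thread (the `H=host (helo) [ip]: 535 Incorrect authentication data` form from the first post, and the `authenticator failed for (helo) [ip]` and `rejected EHLO or HELO` forms from the CSF rule), counts events per IP inside a time window like CSF's trigger count, and applies two thresholds: a low one when the HELO matches the abusive patterns discussed (`ylmf-pc`, or names ending in localhost, .local, .localdomain or .lan) and a higher one for everyone else, so a customer who mistypes a password a couple of times is not blocked. The log lines, the TEST-NET addresses, the thresholds and the 10-minute window are constructed for illustration.

```python
"""Count Exim SMTP AUTH failures per client IP and decide which IPs a
CSF-style trigger rule would block.  Added example; not from the thread,
DirectAdmin, CSF or Exim.  All log lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Exim mainlog lines (TEST-NET addresses, not real hosts).
SAMPLE_LOG = """\
2019-08-03 00:35:29 H=example.testing.com (example.localdomain) [203.0.113.10]: 535 Incorrect authentication data (set_id=info)
2019-08-03 00:35:41 H=example.testing.com (example.localdomain) [203.0.113.10]: 535 Incorrect authentication data (set_id=admin)
2019-08-03 00:36:02 H=example.testing.com (example.localdomain) [203.0.113.10]: 535 Incorrect authentication data (set_id=sales)
2019-08-03 00:40:15 login authenticator failed for (ylmf-pc) [198.51.100.7]: 535 Incorrect authentication data (set_id=test)
2019-08-03 00:40:16 login authenticator failed for (ylmf-pc) [198.51.100.7]: 535 Incorrect authentication data (set_id=test)
2019-08-03 00:41:00 H=(ylmf-pc) [198.51.100.7] rejected EHLO or HELO ylmf-pc
2019-08-03 00:42:10 H=mail.customer.example (mail.customer.example) [192.0.2.5]: 535 Incorrect authentication data (set_id=bob)
2019-08-03 00:42:30 H=mail.customer.example (mail.customer.example) [192.0.2.5]: 535 Incorrect authentication data (set_id=bob)
2019-08-03 00:43:00 1hti2k-0001aB-2x <= bob@customer.example H=mail.customer.example (mail.customer.example) [192.0.2.5] P=esmtpsa A=login:bob S=1024
"""

# Exim writes the client as "host (helo) [ip]" or, with no reverse DNS, "(helo) [ip]".
_CLIENT = r'(?:(?P<host>\S+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]'
_TS = r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) '

# Failed AUTH, either logged with H=... (as in the first post) or as
# "<name> authenticator failed for ..." (as in the CSF rule).  No trailing
# anchor: Exim may append "(set_id=...)" after the 535 text.
AUTH_FAIL_RE = re.compile(_TS + r'(?:H=|\S+ authenticator failed for )' + _CLIENT
                          + r': 535 Incorrect authentication data')
# HELO rejected by an ACL such as the spamblocker ylmf-pc rule.
HELO_REJECT_RE = re.compile(_TS + r'H=' + _CLIENT + r' rejected EHLO or HELO ')

# HELO names treated as abusive: the exact "ylmf-pc" string from the
# spamblocker rule, plus the pattern proposed in the first post.
ABUSE_HELO_RE = re.compile(r'^ylmf-pc$|(localhost|\.local(domain)?|\.lan)$', re.IGNORECASE)


def is_abusive_helo(helo):
    """True when the HELO name matches one of the abusive patterns above."""
    return ABUSE_HELO_RE.search(helo) is not None


def parse_event(line):
    """Return (timestamp, client_ip, helo) for an AUTH failure or HELO
    reject line, or None for any other log line (e.g. a successful login)."""
    m = AUTH_FAIL_RE.match(line) or HELO_REJECT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S')
    return ts, m.group('ip'), m.group('helo')


def decide_blocks(log_text, abuse_threshold=2, generic_threshold=5,
                  window=timedelta(minutes=10)):
    """Mimic a CSF regex.custom.pm trigger count: an IP is blocked once it
    has `threshold` events inside `window`.  Abusive HELOs get the low
    threshold; everyone else gets the high one, so a customer who mistypes
    a password a couple of times is not locked out.  Thresholds and window
    are assumed values, not CSF defaults."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = {}
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        ts, ip, helo = event
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()
        threshold = abuse_threshold if is_abusive_helo(helo) else generic_threshold
        if ip not in blocked and len(hits) >= threshold:
            blocked[ip] = {'helo': helo, 'hits': len(hits), 'at': ts}
    return blocked


if __name__ == '__main__':
    for ip, info in decide_blocks(SAMPLE_LOG).items():
        print(f"block {ip}: {info['hits']} hits, HELO {info['helo']!r}, at {info['at']}")
```

On the constructed log, the two hosts with abusive HELO names (203.0.113.10 claiming `example.localdomain`, 198.51.100.7 claiming `ylmf-pc`) are blocked on their second failure, while the customer at 192.0.2.5, who fails twice and then logs in, is never blocked because the generic threshold is 5. Lowering `generic_threshold` to 2 would block that customer too, which is exactly the webmail lockout Richard warns about.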