Blocked email due to dictionary scan?

It looks like SpamBlocker identified it incorrectly as a dictionary attack and then added it to /etc/exim_deny. I removed the offending IP and restarted exim and it seems to have fixed it.

My concern now is that SB will add it again. Is there a whitelist file for SB? I'm using SpamBlocker.exim.conf.2.0-release
 
It's here:
deny message = Blocked because your address $sender_host_address is being seen as issuing a dictionary attack.
hosts = /etc/exim_deny
!hosts = +relay_hosts
!authenticated = *
delay = 150s
log_message = Blocked $sender_host_address because of possible dictionary scan.

deny message = Max $rcpt_fail_count failed recipients allowed
condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
condition = ${run{/usr/local/bin/exim_dict_stop.pl $sender_host_address}{1}{1}}
!hosts = +relay_hosts
delay = ${eval: ($rcpt_fail_count) * 30}s
log_message = Dictionary scan! $sender_host_address had $rcpt_fail_count failed recipient attempts

I'm running an older version of SB, so that's probably why you're not seeing it. I'll upgrade some day when I get brave enough and can spend a couple hours troubleshooting it.

I figured out what triggered the block. The client was previously using an external Exchange server for email. He decided to switch to our server for email, and when he did, exim was inundated with emails with invalid recipients (from accounts that were no longer needed). Since many of them came from distribution-type lists, the flood triggered a dictionary attack response from exim, and the offending ip was added to exim_deny.

I also updated the fail count above to {9} instead of {3} to provide more leniency before triggering a dictionary attack.
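One way to add the whitelist asked about in the first post, as an added example that is not part of the thread's exim.conf or of the SpamBlocker release: define a named host list in the main configuration section (the file name /etc/exim_deny_whitelist is an assumption) and test it before the ${run...} condition. Exim evaluates the conditions of an ACL statement in order and stops at the first one that fails, so with this ordering exim_dict_stop.pl is never invoked for an exempted host.

```exim
# Added example (not from SpamBlocker or the poster's exim.conf).
# Main configuration section, before "begin acl":
# one IP address or CIDR block per line; the file name is an assumption.
hostlist dict_whitelist = /etc/exim_deny_whitelist

# --- inside the RCPT ACL ---

# Refuse hosts previously recorded in /etc/exim_deny, unless they are
# relay hosts, are on the whitelist, or have authenticated.
deny message = Blocked because your address $sender_host_address is being seen as issuing a dictionary attack.
     hosts = /etc/exim_deny
     !hosts = +relay_hosts : +dict_whitelist
     !authenticated = *
     delay = 150s
     log_message = Blocked $sender_host_address because of possible dictionary scan.

# Detect a dictionary scan by counting failed recipients in this session.
# The host check comes before the ${run...} condition: in the stanza
# posted above the script runs before !hosts is tested, so even a relay
# host could be recorded. The threshold 9 matches the value chosen above.
deny message = Max $rcpt_fail_count failed recipients allowed
     !hosts = +relay_hosts : +dict_whitelist
     condition = ${if > {${eval:$rcpt_fail_count}}{9}{yes}{no}}
     condition = ${run{/usr/local/bin/exim_dict_stop.pl $sender_host_address}{1}{1}}
     delay = ${eval: ($rcpt_fail_count) * 30}s
     log_message = Dictionary scan! $sender_host_address had $rcpt_fail_count failed recipient attempts
```

After editing, `exim -bV` reports a syntax error if the hostlist line is misplaced, and `exim -bh 192.0.2.10` (a documentation-range address) walks a fake SMTP session as that host so you can see which statement fires.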
 
I don't believe any of my exim.conf file reports to exim_deny; we use more dynamic systems and more specific blocklists. Please feel free to post the top few lines of your exim.conf file (the ones that show the version number), and the code that reports to exim_deny, so I can help figure this out.

Jeff
 

Jeff - Here you go. This wasn't installed by me. I guess it is possible that it is a modified version of one of your earlier versions. I'm not sure what additional code you need other than what I posted above. I can certainly PM the entire thing to you if you're interested. Thanks man!

Code:
######################################################################
#                 SpamBlocker.exim.conf.2.0-release                  #
#   Runtime configuration file for DirectAdmin/Exim 4.24 and above   #
######### IMPORTANT ########## IMPORTANT ########## IMPORTANT ########
# WARNING! Be sure to back up your previous exim.conf file before    #
# attempting to use this exim.conf file.                             #
#                                                                    #
# Do not use this exim.conf Exim configuration file unless you       #
# make the required modifications to your Exim configuration         #
# following the instructions in the README file included in this     #
# distribution.                                                      #
#                                                                    #
# This is version "2.0" of the SpamBlocker exim.conf file as         #
# distributed by NoBaloney Internet Services for DirectAdmin based   #
# servers.                                                           #
#                                                                    #
# More information about NoBaloney.net may be found at:              #
#  http://www.nobaloney.net/                                         #
#                                                                    #
# More information about DirectAdmin may be found at:                #
#  http://www.directadmin.com/                                       #
#                                                                    #
# This Exim configuration file has been modified from the original   #
# as distributed with Exim 4.  The modifications have been made by:  #
#                                                                    #
# Jeff Lasman                                                        #
# NoBaloney Internet Services                                        #
 
If there's any line in the code that includes exim_deny, then post it with the five lines above it and the five lines below it.
Code:
$ cd /etc
grep -n -A 5 -B 5 exim_deny exim.conf
Post the output of the above.

Jeff
 
If there's any line in the code that includes exim_deny, then post it with the five lines above it and the five lines

It's the same as I posted above:

Code:
# OPTIONAL MODIFICATIONS:
# If the page you're using to notify senders of blocked email of how
# to get their address unblocked will use a web form to send you email so
# you'll know to unblock those senders, then you may leave these lines
# commented out.  However, if you'll be telling your senders of blocked
# email to send an email to [email protected], then you should
# replace "errors" with the left side of the email address you'll be
# using, and "example.com" with the right side of the email address and
# then uncomment the second two lines, leaving the first one commented.
# Doing this will mean anyone can send email to this specific address,
# even if they're at a blocked domain, and even if your domain is using
# blocklists.
# OPTIONAL MODIFICATIONS:

deny message = Blocked because your address $sender_host_address is being seen as issuing a dictionary attack.
hosts = /etc/exim_deny
!hosts = +relay_hosts
!authenticated = *
delay = 150s
log_message = Blocked $sender_host_address because of possible dictionary scan.

deny message = Max $rcpt_fail_count failed recipients allowed
condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
condition = ${run{/usr/local/bin/exim_dict_stop.pl $sender_host_address}{1}{1}}
!hosts = +relay_hosts
delay = ${eval: ($rcpt_fail_count) * 30}s
log_message = Dictionary scan! $sender_host_address had $rcpt_fail_count failed recipient attempts

Code:
$ cd /etc
grep -n -A 5 -B 5 exim_deny exim.conf
Post the output of the above.
Code:
371-# even if they're at a blocked domain, and even if your domain is using
372-# blocklists.
373-# OPTIONAL MODIFICATIONS:
374-
375-deny message = Blocked because your address $sender_host_address is being seen as issuing a dictionary attack.
376:hosts = /etc/exim_deny
377-!hosts = +relay_hosts
378-!authenticated = *
379-delay = 150s
380-log_message = Blocked $sender_host_address because of possible dictionary scan.
381-
 
The exim_deny stanza is not in our original SpamBlocker 2.0 release file. Someone modified the one you use. Since I have no idea how /etc/exim_deny is being maintained I can't give you any advice on it.

In any event, unless your exim.conf file has been continuously maintained it's probably a good idea for you to use our latest version, as discussed in various locations on these forums and on my website, here (nobaloney.net).

Jeff
 

Thanks Jeff. I may either attempt to update it myself or hire you to do it (possibly both!) later this summer.
 