Exim Challenge

suhailc

Verified User
Joined
Oct 4, 2004
Messages
119
Hi,

I seem to get an awful lot of this:

2006-01-03 16:39:04 SMTP connection from [81.27.32.105]:48775 I=[64.21.33.76]:25 (TCP/IP connection count = 2)
2006-01-03 16:39:04 SMTP connection from [193.108.16.67]:11454 I=[64.21.33.76]:25 (TCP/IP connection count = 3)
2006-01-03 16:39:04 SMTP connection from [216.114.155.99]:17701 I=[64.21.33.76]:25 (TCP/IP connection count = 4)
2006-01-03 16:39:04 SMTP connection from [209.182.0.54]:3787 I=[64.21.33.76]:25 (TCP/IP connection count = 5)
2006-01-03 16:39:04 SMTP connection from [198.107.25.35]:47640 I=[64.21.33.76]:25 (TCP/IP connection count = 6)
2006-01-03 16:39:05 SMTP connection from [195.102.244.132]:64878 I=[64.21.33.76]:25 (TCP/IP connection count = 7)
2006-01-03 16:39:05 SMTP connection from [128.153.5.33]:46022 I=[64.21.33.76]:25 (TCP/IP connection count = 8)
2006-01-03 16:39:05 SMTP connection from [212.187.183.152]:51893 I=[64.21.33.76]:25 (TCP/IP connection count = 9)
2006-01-03 16:42:35 1EtpF5-0001Lt-41 => :blackhole: <washers@my-ihost.co.uk> R=virtual_aliases
2006-01-03 16:42:35 1EtpF5-0001Lt-41 Completed
2006-01-03 16:42:35 SMTP connection from omr-m08.mx.aol.com [64.12.138.20]:51427 I=[64.21.33.76]:25 closed by QUIT
2006-01-03 16:42:35 SMTP connection from [63.82.19.135]:4256 I=[64.21.33.76]:25 (TCP/IP connection count = 25)
2006-01-03 16:42:36 SMTP connection from [69.28.157.202]:53189 I=[64.21.33.76]:25 (TCP/IP connection count = 26)
2006-01-03 16:42:36 SMTP connection from [66.180.96.29]:45590 I=[64.21.33.76]:25 (TCP/IP connection count = 27)
2006-01-03 16:42:36 SMTP connection from [216.162.221.226]:64606 I=[64.21.33.76]:25 (TCP/IP connection count = 28)
2006-01-03 16:42:36 SMTP connection from main.mni.pl [213.134.141.196]:53573 I=[64.21.33.76]:25 closed by QUIT
2006-01-03 16:42:36 SMTP connection from [70.150.205.100]:6865 I=[64.21.33.76]:25 (TCP/IP connection count = 28)
2006-01-03 16:42:36 SMTP connection from [213.4.149.11]:20525 I=[64.21.33.76]:25 (TCP/IP connection count = 29)
2006-01-03 16:42:36 SMTP connection from [152.157.186.17]:58538 I=[64.21.33.76]:25 (TCP/IP connection count = 30)
2006-01-03 16:42:36 1EtpF6-0001M2-SL <= <> H=(cleanweb.net) [69.28.157.202]:53189 I=[64.21.33.76]:25 P=esmtp S=1821 id=receipt-19135@cleanweb.net T="Undeliverable mail: headline news" from <> for ashamed@kidwatch-uk.net

which is translating into loads of Exim processes, which is loading up the server.

Are these SMTP connections to send mail via my SMTP or to deliver mail via my SMTP?

How can I block such connections to 64.21.33.76?

And what is the best way of tackling this please?

Appreciate any help or advice.

Regards,
Suhail.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
suhailc said:
Are these SMTP connections to send mail via my SMTP or to deliver mail via my SMTP?
The ones I actually read are connections to your server, probably by spammers.
How can I block such connections to 64.21.33.76?
Firewall such as BFD + APF, the /etc/hosts.deny file, and/or the /etc/virtual/blacklist_hosts file.
And what is the best way of tackling this please?
There's no real best way, but I'd do it with the BFD+APF firewall for the best automated answer.

To use either the blacklist_hosts file or the hosts.deny file you'd have to know specific IP#s, and they change often.

Jeff
 

suhailc

Verified User
Joined
Oct 4, 2004
Messages
119
Thanks for that Jeff.

It seems like there are just too many IPs to ban, as they are coming in from everywhere.

What they are doing is picking on the IP of specific domains and trying to connect to the SMTP port 25 of this IP, so I've banned connections to this port on this IP by adding the following syntax to deny_hosts:

d=25:d=ServerIP

Also, I set the catch-all email for the affected domains to "fail", as lots of emails have been coming back and being processed by the server to "blackhole", but this was causing a fair amount of server load.

Let's hope this works!
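As an added example (not code from anyone in this thread), the script below triages a mainlog excerpt in the format quoted in the first post. It answers the two questions the thread turns on: how many distinct remote hosts are opening connections to the listening address (many distinct source IPs is exactly why Jeff says per-IP blocking in hosts.deny or blacklist_hosts will not keep up), and how much of the accepted mail is null-sender bounces (`<= <>`) addressed to catch-all domains, which is the backscatter that setting the catch-all to "fail" instead of :blackhole: refuses at SMTP time rather than accepting and then discarding. The sample log reuses lines from the post plus one constructed ordinary delivery (RFC 5737 address, made-up message id) for contrast; the regexes are written against the log format shown here and are an assumption about nothing beyond it.

```python
"""Triage an Exim mainlog excerpt during a connection flood.

Added example for this thread, not code from the original posts.  It counts
new inbound connections per remote IP, records the peak concurrent
connection count Exim logged, and separates accepted messages into ordinary
mail and null-sender bounces (backscatter) grouped by recipient domain.
"""
import re
from collections import Counter

# Sample input: all lines but the last are copied from the log quoted in the
# first post; the last line is a CONSTRUCTED ordinary delivery (RFC 5737
# address, made-up message id) so a non-bounce message is present for contrast.
SAMPLE_LOG = """\
2006-01-03 16:39:04 SMTP connection from [81.27.32.105]:48775 I=[64.21.33.76]:25 (TCP/IP connection count = 2)
2006-01-03 16:39:04 SMTP connection from [193.108.16.67]:11454 I=[64.21.33.76]:25 (TCP/IP connection count = 3)
2006-01-03 16:39:04 SMTP connection from [216.114.155.99]:17701 I=[64.21.33.76]:25 (TCP/IP connection count = 4)
2006-01-03 16:42:35 1EtpF5-0001Lt-41 => :blackhole: <washers@my-ihost.co.uk> R=virtual_aliases
2006-01-03 16:42:35 1EtpF5-0001Lt-41 Completed
2006-01-03 16:42:35 SMTP connection from omr-m08.mx.aol.com [64.12.138.20]:51427 I=[64.21.33.76]:25 closed by QUIT
2006-01-03 16:42:36 SMTP connection from [69.28.157.202]:53189 I=[64.21.33.76]:25 (TCP/IP connection count = 26)
2006-01-03 16:42:36 SMTP connection from [152.157.186.17]:58538 I=[64.21.33.76]:25 (TCP/IP connection count = 30)
2006-01-03 16:42:36 1EtpF6-0001M2-SL <= <> H=(cleanweb.net) [69.28.157.202]:53189 I=[64.21.33.76]:25 P=esmtp S=1821 id=receipt-19135@cleanweb.net T="Undeliverable mail: headline news" from <> for ashamed@kidwatch-uk.net
2006-01-03 16:42:40 1EtpF7-0001M9-Ab <= alice@example.org H=mail.example.org [198.51.100.7]:40000 I=[64.21.33.76]:25 P=esmtp S=2048 for bob@my-ihost.co.uk
"""

# "SMTP connection from [host ][ip]:port I=[local]:port <rest>"; <rest> is
# "(TCP/IP connection count = N)" for a newly accepted connection, or
# "closed by ..." when an existing one ends.
CONN_RE = re.compile(
    r'^\S+ \S+ SMTP connection from (?:\S+ )?\[(?P<ip>[^\]]+)\]:\d+ '
    r'I=\[(?P<local>[^\]]+)\]:(?P<port>\d+) (?P<rest>.*)$')
COUNT_RE = re.compile(r'connection count = (\d+)')
# Message arrival: "<id> <= <sender> H=... for <rcpt> [<rcpt> ...]".
# Exim logs the null (bounce) sender literally as "<>".
ARRIVAL_RE = re.compile(
    r'^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) H=.* for (?P<rcpts>.+)$')
BLACKHOLE_RE = re.compile(r'^\S+ \S+ \S+ => :blackhole: <(?P<rcpt>[^>]+)>')


def summarize(log_text, local_ip=None):
    """Aggregate one mainlog excerpt.  If local_ip is given, only connections
    whose I=[...] field is that address are counted."""
    per_ip = Counter()
    peak = 0
    backscatter = []          # recipients of null-sender messages
    ordinary = 0
    blackholed = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            if local_ip and m.group('local') != local_ip:
                continue
            c = COUNT_RE.search(m.group('rest'))
            if not c:
                continue      # "closed by QUIT" etc.: not a new connection
            per_ip[m.group('ip')] += 1
            peak = max(peak, int(c.group(1)))
            continue
        m = ARRIVAL_RE.match(line)
        if m:
            rcpts = m.group('rcpts').split()
            if m.group('sender') == '<>':
                backscatter.extend(rcpts)
            else:
                ordinary += 1
            continue
        m = BLACKHOLE_RE.match(line)
        if m:
            blackholed.append(m.group('rcpt'))
    domains = Counter(r.rsplit('@', 1)[-1] for r in backscatter)
    return {
        'unique_sources': len(per_ip),
        'connections_per_ip': dict(per_ip),
        'peak_concurrent': peak,
        'backscatter_rcpts': backscatter,
        'backscatter_domains': dict(domains),
        'ordinary_messages': ordinary,
        'blackholed': blackholed,
    }


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG, local_ip='64.21.33.76')
    print(f"distinct remote IPs opening connections: {s['unique_sources']}")
    print(f"peak concurrent connections logged:      {s['peak_concurrent']}")
    print(f"ordinary messages accepted:              {s['ordinary_messages']}")
    print(f"null-sender bounces accepted:            {len(s['backscatter_rcpts'])}")
    for dom, n in sorted(s['backscatter_domains'].items()):
        print(f"  backscatter to catch-all domain {dom}: {n}")
    for r in s['blackholed']:
        print(f"  accepted then discarded via :blackhole: {r}")
```

Run it against a real file with `summarize(open('/var/log/exim/mainlog').read(), local_ip='64.21.33.76')`; the domains that dominate `backscatter_domains` are the ones whose catch-all is worth switching from :blackhole: to fail, and a high `unique_sources` with one or two connections each confirms that blocking individual addresses is not going to help.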
 