Exim Challenge

S

suhailc

Verified User
Joined
Oct 4, 2004
Messages
119
Hi,

I seem to get an awful lot of this:

2006-01-03 16:39:04 SMTP connection from [81.27.32.105]:48775 I=[64.21.33.76]:25 (TCP/IP connection count = 2)
2006-01-03 16:39:04 SMTP connection from [193.108.16.67]:11454 I=[64.21.33.76]:25 (TCP/IP connection count = 3)
2006-01-03 16:39:04 SMTP connection from [216.114.155.99]:17701 I=[64.21.33.76]:25 (TCP/IP connection count = 4)
2006-01-03 16:39:04 SMTP connection from [209.182.0.54]:3787 I=[64.21.33.76]:25 (TCP/IP connection count = 5)
2006-01-03 16:39:04 SMTP connection from [198.107.25.35]:47640 I=[64.21.33.76]:25 (TCP/IP connection count = 6)
2006-01-03 16:39:05 SMTP connection from [195.102.244.132]:64878 I=[64.21.33.76]:25 (TCP/IP connection count = 7)
2006-01-03 16:39:05 SMTP connection from [128.153.5.33]:46022 I=[64.21.33.76]:25 (TCP/IP connection count = 8)
2006-01-03 16:39:05 SMTP connection from [212.187.183.152]:51893 I=[64.21.33.76]:25 (TCP/IP connection count = 9)
2006-01-03 16:42:35 1EtpF5-0001Lt-41 => :blackhole: <[email protected]> R=virtual_aliases
2006-01-03 16:42:35 1EtpF5-0001Lt-41 Completed
2006-01-03 16:42:35 SMTP connection from omr-m08.mx.aol.com [64.12.138.20]:51427 I=[64.21.33.76]:25 closed by QUIT
2006-01-03 16:42:35 SMTP connection from [63.82.19.135]:4256 I=[64.21.33.76]:25 (TCP/IP connection count = 25)
2006-01-03 16:42:36 SMTP connection from [69.28.157.202]:53189 I=[64.21.33.76]:25 (TCP/IP connection count = 26)
2006-01-03 16:42:36 SMTP connection from [66.180.96.29]:45590 I=[64.21.33.76]:25 (TCP/IP connection count = 27)
2006-01-03 16:42:36 SMTP connection from [216.162.221.226]:64606 I=[64.21.33.76]:25 (TCP/IP connection count = 28)
2006-01-03 16:42:36 SMTP connection from main.mni.pl [213.134.141.196]:53573 I=[64.21.33.76]:25 closed by QUIT
2006-01-03 16:42:36 SMTP connection from [70.150.205.100]:6865 I=[64.21.33.76]:25 (TCP/IP connection count = 28)
2006-01-03 16:42:36 SMTP connection from [213.4.149.11]:20525 I=[64.21.33.76]:25 (TCP/IP connection count = 29)
2006-01-03 16:42:36 SMTP connection from [152.157.186.17]:58538 I=[64.21.33.76]:25 (TCP/IP connection count = 30)
2006-01-03 16:42:36 1EtpF6-0001M2-SL <= <> H=(cleanweb.net) [69.28.157.202]:53189 I=[64.21.33.76]:25 P=esmtp S=1821 [email protected] T="Undeliverable mail: headline news" from <> for [email protected]

which is translating into loads of exim processes which is loading up the server.

Are these SMTP connections to send mail via my SMTP or to deliver mail via my SMTP?

How can I block such connections to 64.21.33.76?

And what is the best way of tackling this please?

Appreciate any help or advice.

Regards,
Suhail.
 
suhailc said:
Are these SMTP connections to send mail via my SMTP or to deliver mail via my SMTP?
Click to expand...
The ones I actually read are connections to your server, probably by spammers.
How can I block such connections to 64.21.33.76?
Click to expand...
Firewall such as BFD + APF, the /etc/hosts.deny file, and/or the /etc/virtual/blacklist_hosts file.
And what is the best way of tackling this please?
Click to expand...
There's no realy best way, but I'd do it with the BFD+APF firewall for the best automated answer.

To use either the blacklist_hosts file or the hosts.deny file you'd have to know specific IP#s, and they change often.

Jeff
 
Thanks for that Jeff.

It seems like there are just too many IPs to ban as they are coming in from everywhere.

What they are doing is picking on the IP of specific domains and trying to connect to the SMTP port 25 of this IP, so I've banned connections to this port on this IP by adding following syntax to deny_hosts:

d=25:d=ServerIP

Also I set catch-all email for the domains affected to "fail" as lots of emails have been coming back and being processed by server to "blackhole" but this was causing fair amount of server load.

Let's hope this works!
 
You must log in or register to reply here.
Back
Top