exim rejectlog

hqn34

I keep seeing messages in the exim rejectlog file like this. Is there anything I need to do?
2023-08-28 17:24:42 H=([xxx.xxx.xxx.xx]) [xxx.xxx.xxx.xx] F=<[email protected]> rejected RCPT <[email protected]>: Email blocked by cbl.abuseat.org (127.0.0.2)
 
Is there anything I need to do?
Yes, abuseat is not used anymore. Remove it from the CBL list in exim.conf or change it to zen.spamhaus.org.
You might have a /etc/exim.strings.conf.custom file. If yes, remove it from there or change it to spamhaus there.
 
So, are these logs frequently coming during the day? Is an attack the issue?
Around 500 to 1000 of these logs are coming within 1 hour.

2023-08-28 18:12:00 H=([xxx.xxx.xxx.xx]) [xxx.xxx.xxx.xx] F=<[email protected]> rejected RCPT <[email protected]>: Email blocked by zen.spamhaus.org (127.0.0.3, 127.0.0.4)
 
Yes, are these attacks coming from different IP addresses? Can I block these attacks with csf?
 
Yes, you can even block complete ranges, depending on your resources and the amount of ip blocks you configured in the csf.conf file.
 
Can I automate this blocking process within CSF? If this condition occurs in the logs, can I have CSF perform the blocking action automatically?
 
Well, they are already blocked by RBLs, so I wouldn't worry about it; you can better use the space for other things.

However, you might be able to do it by creating a custom regex check via the regex.custom.pm file.

But I can't do scripting so I can't tell you how you should make the line to be used.
 
I am seeing the same on many of my servers, the reject and mail log are growing insane because of these mail attacks.
What the hackers do is they send 100 mails in 1 second, and each and every line is blocked by cbl.abuseat.org (127.0.0.2) which is okay of course. But at an increasing rate, I do get the feeling Exim is not happy with these blocked emails. At times I am not able to send an email myself. Maybe my Exim is maxing out on 100 connections, however that is then in 1 second only.
These attack waves come with some time in between of 1 to 120 seconds. They try to randomize, I guess.

Here is an example line:
2023-09-02 20:26:55 H=dt0f1n41.tampabay.res.rr.com [24.92.177.65] F=<[email protected]> rejected RCPT <[email protected]>: Email blocked by cbl.abuseat.org (127.0.0.2)

The F=<mail address> is a random set of letters and numbers, easy to recognize.
They send 100 mails to users at the domain which they are targeting. In my example above it is as if they are sending to example.com users on my server (it still is just an example, I had to remove my own domain name). Here is a list of the 100 recipients:
[100 recipient addresses at the targeted domain, all redacted to "[email protected]" in the source]

I checked the reject log for today around noon, and found 6000 IP addresses, and roughly 3000 unique ones. A VERY high percentage comes from Asia, a few from the USA, Europe etc. Clearly China is the sender of most of these mails. I am thinking of blocking China for port 25. But other Asian countries are in the list too; we can't block half of the world, can we?

I was as well thinking of letting CSF count the number of connections (on port 25 only) so I can block all greater than 5 incoming connections. (My servers do not get THAT many incoming mails, so this would only work for me and for servers having a low number of incoming emails). And note: if gmail (or hotmail, yahoo etc) got blocked (opening 5 parallel connections), they will try and resend it again (I guess?).

If anyone has a solution, go ahead please.
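The two questions above (whether CSF could count these rejections per IP and block automatically, and how many IPs and how much randomness is really in a day's rejectlog) come down to the same thing: extract the connecting IP from each "rejected RCPT ... Email blocked by" line, count per IP inside a time window, and report the IPs that cross a trigger count. The script below is an added example written for this thread; it is not code from the thread, from CSF or from Exim. It runs on a copy of the rejectlog offline so you can see what a given trigger/window would have blocked before you configure anything. The log lines inside it are constructed from the format quoted above, using RFC 5737 documentation addresses; the "random sender" heuristic (local part of 8+ characters mixing letters and digits) is my assumption based on the description of the F= field, not something Exim or CSF provides.

```python
"""Summarise Exim rejectlog RBL rejections and list IPs that exceed a
trigger count inside a time window (the same count-then-block idea
CSF applies to a custom log via regex.custom.pm)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches the rejectlog lines quoted in the thread. The H= field is either
# "rdns.host [ip]" or "([ip]) [ip]" when there is no reverse DNS, so the
# lazy "hinfo" group lets us anchor on the last "[ip]" before " F=".
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<hinfo>.*?)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: "
    r"Email blocked by (?P<rbl>\S+) \((?P<codes>[^)]*)\)"
)

# Assumed heuristic for the "random set of letters and numbers" senders:
# an all-alphanumeric local part of 8+ chars containing both letters and digits.
RANDOM_LOCAL_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$")

# Constructed sample log (documentation IPs, fictitious users), not real data.
SAMPLE_LOG = """\
2023-09-02 20:26:55 H=([192.0.2.10]) [192.0.2.10] F=<k7q2x9zp4m@example.net> rejected RCPT <alice@example.com>: Email blocked by cbl.abuseat.org (127.0.0.2)
2023-09-02 20:26:55 H=([192.0.2.10]) [192.0.2.10] F=<k7q2x9zp4m@example.net> rejected RCPT <bob@example.com>: Email blocked by cbl.abuseat.org (127.0.0.2)
2023-09-02 20:26:55 H=([192.0.2.10]) [192.0.2.10] F=<k7q2x9zp4m@example.net> rejected RCPT <carol@example.com>: Email blocked by cbl.abuseat.org (127.0.0.2)
2023-09-02 20:26:56 H=([192.0.2.10]) [192.0.2.10] F=<k7q2x9zp4m@example.net> rejected RCPT <dave@example.com>: Email blocked by cbl.abuseat.org (127.0.0.2)
2023-09-02 20:26:56 H=([192.0.2.10]) [192.0.2.10] F=<k7q2x9zp4m@example.net> rejected RCPT <erin@example.com>: Email blocked by cbl.abuseat.org (127.0.0.2)
2023-09-02 20:26:56 H=([192.0.2.10]) [192.0.2.10] F=<k7q2x9zp4m@example.net> rejected RCPT <frank@example.com>: Email blocked by cbl.abuseat.org (127.0.0.2)
2023-09-02 20:30:01 H=mail.example.org [198.51.100.7] F=<newsletter@example.org> rejected RCPT <alice@example.com>: Email blocked by zen.spamhaus.org (127.0.0.3, 127.0.0.4)
2023-09-02 20:45:12 H=mail.example.org [198.51.100.7] F=<newsletter@example.org> rejected RCPT <bob@example.com>: Email blocked by zen.spamhaus.org (127.0.0.3, 127.0.0.4)
2023-09-02 20:50:00 some other rejectlog line that is not an RBL rejection
"""


def parse_line(line):
    """Return a dict for an RBL rejection line, or None for anything else."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    d["codes"] = [c.strip() for c in d["codes"].split(",")]
    local_part = d["sender"].split("@")[0].lower()
    d["random_sender"] = bool(RANDOM_LOCAL_RE.match(local_part))
    return d


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events):
    """Totals, unique IPs, rejections per RBL and per targeted domain."""
    return {
        "total": len(events),
        "unique_ips": len({e["ip"] for e in events}),
        "by_rbl": Counter(e["rbl"] for e in events),
        "by_target_domain": Counter(e["rcpt"].rsplit("@", 1)[-1].lower() for e in events),
        "random_sender": sum(e["random_sender"] for e in events),
    }


def ips_over_threshold(events, trigger=5, window=timedelta(seconds=60)):
    """IPs with at least `trigger` rejections inside any `window`-long span.
    Returns {ip: total rejections for that ip}. Sliding window per IP."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e["ts"])
    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= trigger:
                hits[ip] = len(stamps)
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarize(evs))
    print("candidates for a temporary block:", ips_over_threshold(evs))
```

Run it against a real copy with `parse_log(open("/var/log/exim/rejectlog").read())` (path as used on your system) and adjust `trigger` and `window` until legitimate senders such as the big webmail providers stay out of the candidate list. The regular expression and the trigger count are exactly the two pieces you would carry over into a CSF custom log rule; the decision to block stays a manual one here, which is the safer place to start given the volume described above.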
 
At this moment there are botnets attacking all kinds of servers. In this case you could add example.com to one of the blacklists of bad_sender_hosts or something. But it won't prevent those actions.

Have a look at my other topic; there Mxroute also has presented an IP list of a botnet he is following now for some time. And loads of IPs which were attacking me yesterday and today correspond to his list. So it's really bad again at this moment.

As long as they are blocked by blacklists, I hope Exim is not going over its throat causing some security flaw.
 