Exim's bad_sender_hosts not working?

[Richard G]

We have issues with a Chinese spammer.
216.37.65.218.broad.ja.jx.dynamic.163data.com.cn

This was already a couple of times. So I thought I just block that complete host in the /etc/virtual/bad_sender_hosts file like this:
*.dynamic.163data.com.cn
and reloaded Exim (or restart it).

And what do I see in the firewall today?
Mon Sep 18 20:35:58 2023 218.65.37.216 (CN/China/216.37.65.218.broad.ja.jx.dynamic.163data.com.cn), 5 distributed smtpauth attacks on account [info] in the last 900 secs

So how come he is able to do that, while Exim should already block him due to the input in the bad_sender_hosts file?

 

[Active8]

block the whole ASN in CSF : AS4134

 

[johannes]

Number of IPv4 110,725,632
Number of IPv6 4.65 × 10^32
.. dont know if full ASN blocking didnt make websites slower, but i think so. CN has a myriad of IPs.

Nonetheless its from interest why bad_sender_hosts isnt working in this case.

 

[Richard G]

@Active8 Yes I know that is possible, but the bad_sender_hosts file should work too.
So I would like to know why it does not work.

 

[Active8]

dont know if full ASN blocking didnt make websites slower,

I can assure you even blocking whole country's with CSF will not slow your servers/sites.
We have now at least 6 big country's in these list incl. CN and everything works flawless

but the bad_sender_hosts file should work too.

Agree, did you mentioned it at CSF forums too ?

 

[Richard G]

Agree, did you mentioned it at CSF forums too ?

No why should I? The bad_sender_hosts file is part of Exim and that is part of Directadmin.

 

[johannes]

I can assure you even blocking whole country's with CSF will not slow your servers/sites.
We have now at least 6 big country's in these list incl. CN and everything works flawless

Thank you, as this was never clear to me. Good to know.

 

[Richard G]

Thank you, as this was never clear to me. Good to know.

I presume this is if ipset is installed. With ipset indeed it hardly costs RAM. Very minimal.

 

[Active8]

I presume this is if ipset is installed.

Yep

 

[Richard G]

Yep lol indeed, I recenty checked the use of RAM. LoL, No need to worrie.
Total IPSET Entries: 11945
Total IPSET Memory Usage: 0.33 MB
So almost 12K entries and only 0.33 MB ram.

Anyway back on topic. Anybody a clue as to why this Exim file not work? As far as I know wildcards could be used without problems.

 

[Richard G]

Anyone a clue on to why the bad_sender_hosts does not work like should be? Or am I doing something wrong?

 

[patrickkasie]

Just stating the obvious, but have you checked/updated your Exim/Exim configuration to make sure its rules/options are being applied?

 

[Richard G]

to make sure its rules/options are being applied?

What do you mean exactly? I'm using a default exim.conf file. The bad_sender_hosts is mentioned all over the place in there.

 

[patrickkasie]

I was hoping you'd have seen missing something basic, as I have sometimes experienced myself. But I have no knowledge of exim other than "it works"
Btw have you found a solution by now?

 

[Richard G]

No not yet, maybe it took some time. At this moment I don't see it happening anymore, or at least not with that address.
So I'm monitoring it now to see if it happens again with a name in there, but at this moment it's fairly quiet.