On 02/12/2019 10:23, Cyborg via Exim-users wrote:
> That an ip is trying to abuse the auth mechanics and producing a lot of
> "protocol synchronization error" messages,
> as normal clients won't do.

You say "an IP" but you also said "botnet". If the botnet is only using IPs once, you won't do anything useful by tracking IPs. Analyse your logs to see whether or not such an approach would be useful.

Perhaps you could start from the other end: track your customer's (well, at least sources that pass authentication) IPs - and impose a delay on others.

Ways to do that:
- check the "authenticated" status in any ACL from mail onward, if yes then note the IP in your favourite DB. A ratelimit DB would do fine.
- check the IP in the DB in an AUTH ACL and delay if not found.

[IANAL, but beware GDPR concerns with such a DB. It should be protected in the same way as logs]

--
Cheers,
  Jeremy
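
The log analysis suggested above, as an added example that is not part of the original message: it counts how many source IPs behind "protocol synchronization error" lines appear only once, and lists the IPs that delivered authenticated mail (the set the reply proposes to remember). The log lines are constructed in the shape of Exim main-log entries; the function name and regexes are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of Exim main-log lines (documentation-range IPs).
SAMPLE_LOG = r'''
2019-12-02 10:01:11 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[192.0.2.10] input="EHLO x\r\n"
2019-12-02 10:01:40 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[192.0.2.11] input="EHLO x\r\n"
2019-12-02 10:02:05 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "AUTH LOGIN" H=(x) [192.0.2.12] next input="x\r\n"
2019-12-02 10:03:00 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[198.51.100.7] input="EHLO y\r\n"
2019-12-02 10:03:09 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[198.51.100.7] input="EHLO y\r\n"
2019-12-02 10:03:18 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[198.51.100.7] input="EHLO y\r\n"
2019-12-02 10:05:00 1ibXyz-0001Ab-Cd <= alice@example.org H=(laptop) [203.0.113.5] P=esmtpsa A=plain_login:alice S=1234
2019-12-02 10:06:00 1ibXza-0001Ae-Ef <= carol@example.org H=(phone) [203.0.113.6] P=esmtpsa A=plain_login:carol S=987
2019-12-02 10:07:00 1ibXzb-0001Af-Gh <= bob@example.net H=mx.example.net [203.0.113.9] P=esmtps S=2345
'''

# Source IP of a synchronization-error rejection: H=[ip] or H=(helo) [ip].
SYNC_RE = re.compile(r"SMTP protocol synchronization error.*? H=[^\[]*\[([^\]]+)\]")
# Source IP of a message accepted over an authenticated session (A= field present).
AUTH_OK_RE = re.compile(r" <= \S+ H=[^\[]*\[([^\]]+)\].* A=\S+")

def summarise(log_text):
    """Return per-IP statistics that show whether tracking IPs is worthwhile."""
    offenders, authed = Counter(), set()
    for line in log_text.splitlines():
        m = SYNC_RE.search(line)
        if m:
            offenders[m.group(1)] += 1
            continue
        m = AUTH_OK_RE.search(line)
        if m:
            authed.add(m.group(1))
    single = sorted(ip for ip, n in offenders.items() if n == 1)
    return {
        "offenders": len(offenders),
        "single_use": single,                      # IPs seen once: blocking them gains nothing
        "repeat": {ip: n for ip, n in offenders.items() if n > 1},
        "single_use_ratio": len(single) / len(offenders) if offenders else 0.0,
        "authenticated": sorted(authed),           # candidates for the "known good" DB
        "overlap": sorted(authed & set(offenders)),  # known-good IPs that also misbehaved
    }

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A high `single_use_ratio` means per-IP blocking will rarely hit the same address twice, which favours the allow-list-and-delay approach over tracking offenders.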
