On 02.12.19 at 11:48, Jeremy Harris via Exim-users wrote:
> On 02/12/2019 10:23, Cyborg via Exim-users wrote:
>> That an ip is trying to abuse the auth mechanics and producing a lot of
>> "protocol synchronization error" messages,
>> as normal clients won't do.
> You say "an IP" but you also said "botnet". If the botnet is
> only using IP's once, you won't do anything useful by tracking
> IPs. Analyse your logs to see whether or not such
> an approach would be useful.

It was only a small example, the logfiles are full of it. And by blocking, I mean "blocking in the entire cluster" ;)

> Perhaps you could start from the other end: track your customer's
> (well, at least sources that pass authentication) IPs -
> and impose a delay on others. Ways to do that:
> - check the "authenticated" status in any ACL from mail onward,
> if yes then note the IP in your favourite DB. A ratelimit DB would do
> fine.
> - check the IP in the DB in an AUTH ACL and delay if not found.
>
> [IANAL, but beware GDPR concerns with such a DB. It should be
> protected in the same way as logs]

So, the answer is "no, there is no way to intercept here." Is ok, take it as a FeatureRequest ;)

AFAIS, they make mistakes and assume pipelining is active, so checking it in other ACLs and events may not work as suggested.

Example:

2019-12-02 13:44:27 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "root" H=[179.43.110.211] next input="00000\r\n"
2019-12-02 13:44:27 no host name found for IP address 179.43.110.211
2019-12-02 13:44:29 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "admin" H=[179.43.110.211] next input="1234qwer\r\n"
2019-12-02 13:44:33 no host name found for IP address 179.43.110.211
2019-12-02 13:44:34 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "root" H=[179.43.110.211] next input="pass\r\n"
2019-12-02 13:44:39 no host name found for IP address 179.43.110.211
2019-12-02 13:44:43 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "root" H=[179.43.110.211] next input="7ujMko0admin\r\n"

I will add it to our IDS system, which also monitors exim and can block such botnets effectively. A built-in system would have been nice, because then we can send nice messages to the abuser, in case it's a badly broken client.
best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
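The thread ends with Marius feeding the "SMTP protocol synchronization error" lines into an external IDS. Below is an added example of the log-side half of that, not code from the thread or from Exim: a small Python parser for Exim mainlog lines in the format quoted above, which groups synchronization errors per client IP and reports any IP that produces at least `threshold` of them inside a sliding time `window`. The sample log is constructed for this example using RFC 5737 documentation addresses; the regex assumes Exim's default timestamp format (no `log_timezone`), and the two different message variants ("rejected \"...\" H=" and "rejected connection from H=") are handled by matching on the `H=[ip]` field rather than the surrounding text.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Exim mainlog line for a protocol synchronization error, e.g.
#   2019-12-02 13:44:27 SMTP protocol synchronization error (next input sent
#   too soon: pipelining was not advertised): rejected "root" H=[192.0.2.10] ...
# The H= field is either "H=[ip]" or "H=hostname [ip]"; the hostname is optional.
SYNC_ERR_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'SMTP protocol synchronization error \((?P<reason>[^)]*)\): '
    r'.*?H=(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\]'
)

# Constructed sample in the format quoted in the thread (documentation IPs).
LOG_SAMPLE = """\
2019-12-02 13:44:27 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "root" H=[192.0.2.10] next input="00000\\r\\n"
2019-12-02 13:44:27 no host name found for IP address 192.0.2.10
2019-12-02 13:44:29 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "admin" H=[192.0.2.10] next input="1234qwer\\r\\n"
2019-12-02 13:44:34 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "root" H=[192.0.2.10] next input="pass\\r\\n"
2019-12-02 13:45:01 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO" H=mail.example.net [198.51.100.7] next input="MAIL FROM:<>\\r\\n"
2019-12-02 13:50:00 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[203.0.113.5] (next input="EHLO foo\\r\\n")
"""


def parse_sync_error(line):
    """Return {'ts', 'reason', 'host', 'ip'} for a sync-error line, else None."""
    m = SYNC_ERR_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "reason": m["reason"],
        "host": m["host"],
        "ip": m["ip"],
    }


def find_abusers(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for every IP that logged at least `threshold`
    synchronization errors within any `window`-long interval.

    A single error per IP (a broken client, or a botnet that uses each
    address once, as Jeremy points out) never reaches the threshold, so
    this only catches addresses that repeat."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_sync_error(line)
        if ev:
            by_ip[ev["ip"]].append(ev["ts"])

    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        # Sliding window over the sorted timestamps: advance `start` until
        # the oldest event is inside `window` of the current one.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    # Usage: python exim_sync_errors.py /var/log/exim4/mainlog
    # With no argument the constructed sample above is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = LOG_SAMPLE.splitlines()
    for ip, count in sorted(find_abusers(lines).items()):
        print(f"{ip}: {count} synchronization errors within the window")
```

The threshold and window are the tunables to derive from your own logs, which is the analysis Jeremy recommends before blocking anything: if most offending addresses appear only once, per-IP counting buys little and the authenticated-allowlist approach from the quoted reply is the better starting point. The reported `reason` field also lets you separate the "pipelining was not advertised" case the bots trigger from other synchronization errors before an IP is handed to the IDS or a cluster-wide blocklist.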
