I've been following this particular botnet pretty closely. It's an incredible one. If anyone is interested, I have a list of IPs of this botnet that increase daily: https://github.com/mxroute/da_server_updates/blob/master/sec/botnet.list

It's been a good while since I've seen a botnet this persistent and slow to reveal itself. Usually one of this size blows its wad all in one go and you can list out every currently infected PC/IP in a day or so. This one seems to either be taking its time, or is adding new systems to its list at a very solid pace.

On 2023-05-28 16:09, Jim Fenton via Exim-users wrote:

It seems like some of the spammers have changed tactics and are now sending messages with 98 or so bad RCPT addresses, which (happily) Exim detects. But now I'm getting a flood of messages in syslog, such as:

2023-05-28 00:24:39 REJECT [168.121.195.104]: bad recipient count high [9]
2023-05-28 00:24:39 H=([168.121.195.104]) [168.121.195.104] F=<70g3gpds9l...@vogk.ru> rejected RCPT <comerc...@bluepopcorn.net>: Rejected for too many bad recipients

…many lines deleted…

2023-05-28 00:24:39 REJECT [168.121.195.104]: bad recipient count high [98]
2023-05-28 00:24:39 H=([168.121.195.104]) [168.121.195.104] F=<70g3gpds9l...@vogk.ru> rejected RCPT <ad...@bluepopcorn.net>: Rejected for too many bad recipients

I can easily change the configuration to make this happen silently, but I would like some visibility that this is happening, for example, in my daily logwatch output. Has anyone devised a way to cut down on the number of messages without eliminating them entirely?

-Jim

--
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
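One way to keep the visibility Jim asks for without the hundred-line flood is to leave Exim's logging alone and collapse the syslog lines into one summary line per connecting IP for the daily report. The script below is an added example, not code from the thread or from Exim; it parses the two line shapes quoted above, and the sample input is constructed (the second host, 192.0.2.10, and the addresses are made up).

```python
import re
from collections import defaultdict

# Timestamp prefix plus the two Exim line shapes quoted in the thread.
TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
COUNT_RE = re.compile(TS + r" REJECT \[(?P<ip>[^\]]+)\]: bad recipient count high \[(?P<n>\d+)\]")
RCPT_RE = re.compile(TS + r" H=\(\[(?P<ip>[^\]]+)\]\) \[[^\]]+\] F=<(?P<sender>[^>]*)> "
                     r"rejected RCPT <(?P<rcpt>[^>]*)>: Rejected for too many bad recipients")

def _new_host():
    return {"first": None, "last": None, "rcpts": 0, "peak": 0, "senders": set(), "targets": set()}

def summarize(lines):
    """Collapse the per-RCPT rejection lines into one record per connecting IP."""
    hosts = defaultdict(_new_host)
    for line in lines:
        m = COUNT_RE.match(line) or RCPT_RE.match(line)
        if not m:
            continue  # unrelated syslog noise is ignored
        h = hosts[m["ip"]]
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
        if m.re is COUNT_RE:
            h["peak"] = max(h["peak"], int(m["n"]))  # highest bad-recipient count seen
        else:
            h["rcpts"] += 1
            h["senders"].add(m["sender"])
            h["targets"].add(m["rcpt"])
    return dict(hosts)

def render(hosts):
    """One report line per IP, most active first: what a daily report would carry instead."""
    order = sorted(hosts, key=lambda ip: -hosts[ip]["rcpts"])
    return [f"{ip}: {hosts[ip]['rcpts']} RCPTs rejected, peak bad-recipient count {hosts[ip]['peak']}, "
            f"{len(hosts[ip]['senders'])} sender(s), {len(hosts[ip]['targets'])} target(s), "
            f"{hosts[ip]['first']} .. {hosts[ip]['last']}" for ip in order]

# Constructed sample: the thread's two line shapes, plus a made-up second host (192.0.2.10).
SAMPLE = [
    "2023-05-28 00:24:39 REJECT [168.121.195.104]: bad recipient count high [9]",
    "2023-05-28 00:24:39 H=([168.121.195.104]) [168.121.195.104] F=<bot@example.invalid> rejected RCPT <comercial@example.com>: Rejected for too many bad recipients",
    "2023-05-28 00:24:41 REJECT [168.121.195.104]: bad recipient count high [98]",
    "2023-05-28 00:24:41 H=([168.121.195.104]) [168.121.195.104] F=<bot@example.invalid> rejected RCPT <admin@example.com>: Rejected for too many bad recipients",
    "2023-05-28 01:02:03 REJECT [192.0.2.10]: bad recipient count high [12]",
    "2023-05-28 01:02:03 H=([192.0.2.10]) [192.0.2.10] F=<x@example.invalid> rejected RCPT <sales@example.com>: Rejected for too many bad recipients",
]

if __name__ == "__main__":
    for row in render(summarize(SAMPLE)):
        print(row)
```

Feeding it the previous day's mail log (or hooking it in as a logwatch filter) gives one line per offending host while the raw Exim log stays intact for forensics.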