On 2023-06-01, Julian Bradfield via Exim-users <exim-users@lists.exim.org> wrote:
> In response to the recent RCPT-flooding attacks, I changed my
> acl_check_rcpt verification check to say:
>   deny
>     domains = +local_domains
>     !local_parts = postmaster
>     !verify = recipient
>     message = Unknown user
>     delay = 5s
> However, in the exim log file I'm still seeing 99 denied RCPT commands
> all with the same timestamp.

Having switched on acl debugging at the 70th denied RCPT, what I see in the logs is:

    check delay = 5s
    delay modifier requests 5-second delay
    delay cancelled by peer close

As far as I can see, this only makes any sense if the attacker has closed its input stream (exim's output stream) - but then shouldn't exim get an error when it sends the response? And why would the attacker close its input stream so it can't see the response?

The attack is not heavy enough to be an effective DoS attack, at least not for me.

(This is exim-4.94 from Debian 11).