On 2023-06-04, Slavko via Exim-users <exim-users@lists.exim.org> wrote:
> But then there are RBLs which track botnets and/or login
> attempts. Have you enough capacity (a lot of servers/
> sensors/traps/... across the world) to identify them early?
> Or do you identify them only after some amount of malicious
> attempts?

I identify them after one failed login attempt :) At present, I block
addresses for 1 day, and usually have around 12000 blocked addresses at
any one time. One ban every few seconds is not a significant use of
resource.

> It is not only about SPAM, phishing and other related
> attempts. Are you interested to get the same scam
> from thousands of compromised IPs? How is it useful?

I'm a small MTA, handling only relatives and one small sports club. So
I'm not a particularly heavy target. I checked the other day - I reject
very little at MTA level, but at MUA level, my personal mail is about
75% obvious spam (that gets sent to /dev/null by one of half a dozen
simple rules), about 12% less obvious spam (that goes to my "maybe spam"
box), and about 12% ham. I was actually surprised at the 75% spam level,
since I never see it (and have never had a problem with a false
positive).

> It is especially hard to track these bads, as when a botnet
> has a lot of IPs, they can repeat only after a long time, but
> still be too many different IPs daily. And the attackers

That's why I operate "one strike and you're out". This is occasionally
annoying when I'm setting up a new device and get the password wrong,
but I can live with that.
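
The "one strike, banned for 1 day" policy described in the message above, as an added example that is not the poster's own code. It assumes Exim's default main-log format for failed SMTP AUTH; the allowlist parameter is a hypothetical addition for the new-device case, and the log lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

BAN_TTL = timedelta(days=1)  # the post bans each address for 1 day

# Failed SMTP AUTH in Exim's main log (default log_selector assumed).
# Anchoring on "]: 535 " picks the peer address, not an address literal
# the client chose to send as its HELO name.
AUTH_FAIL = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ authenticator failed for "
    r".*?\[([0-9A-Fa-f:.]+)\](?::\d+)?: 535 "
)

# Constructed sample lines (documentation address ranges).
SAMPLE = [
    "2023-06-04 10:15:01 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=alice)",
    "2023-06-04 10:15:09 dovecot_plain authenticator failed for ([192.0.2.1]) [198.51.100.23]: 535 Incorrect authentication data (set_id=info)",
    "2023-06-04 10:16:30 dovecot_login authenticator failed for (phone) [192.168.1.50]: 535 Incorrect authentication data (set_id=bob)",
    "2023-06-04 10:17:00 1q5abc-0001XY-2Z <= alice@example.org H=(host) [203.0.113.9] P=esmtpsa",
    "2023-06-03 09:00:00 dovecot_login authenticator failed for (x) [2001:db8::5]: 535 Incorrect authentication data",
]

def update_bans(lines, bans, allow=()):
    """One failed login bans the peer; bans maps address -> expiry time."""
    nets = [ipaddress.ip_network(n) for n in allow]
    for line in lines:
        m = AUTH_FAIL.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # bracketed text that is not a valid address
        if any(ip in n for n in nets):
            continue  # hypothetical allowlist, e.g. the home LAN
        bans[ip] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") + BAN_TTL
    return bans

def active_bans(bans, now):
    """Addresses whose 1-day ban has not yet expired at `now`."""
    return sorted(str(ip) for ip, expiry in bans.items() if expiry > now)

if __name__ == "__main__":
    table = update_bans(SAMPLE, {}, allow=["192.168.1.0/24"])
    print(active_bans(table, datetime(2023, 6, 4, 12, 0, 0)))
```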