[exim] Re: delay not kicking in
On 2023-06-03, Slavko via Exim-users wrote:
> On 3 June 2023 20:29:11 UTC Julian Bradfield via Exim-users wrote:
>
>> Nonetheless, I think that a pipeline should be aborted if you already
>> know that the far end is closed.
>
> IMO you are confused. That the RCPT rejection was logged
> doesn't mean that it was sent, and even if, I am sure that
> the attacker will not receive it.

Exim knows the pipeline is closed because that's what causes the
cancellation of the delays.

> IMO if exim will not process all received commands and log
> rejections, important info can be lost (eg. ratelimits, stats,
> etc). Anyway, if you care about output flushing on delays,
> there is a control option to manage that. IIRC the PIPELINE is
> exactly mentioned in its description...

True. Indeed, the docs for delay say that SMTP output is, by default,
flushed before the delay, even in pipelining mode, so now I no longer
understand why exim doesn't detect the closed stream on the first
delay ...

> BTW, the RBLs are good not only for rejection, but eg. to
> disable PIPELINING for suspicious hosts too...

I've never used external blacklists (because I don't trust other
people to make my spam decisions for me), but that would be a harmless
use for them. Thanks for the tip!

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
[exim] Re: delay not kicking in
>> BTW, the RBLs are good not only for rejection, but eg. to
>> disable PIPELINING for suspicious hosts too...
>
> I've never used external blacklists (because I don't trust other
> people to make my spam decisions for me), but that would be a harmless
> use for them.

Another not too harmful use of some black and white RBLs is for the
decision to greylist (for 3 min) or not.

For the decision to disable pipelining on incoming connections I use
(I'm not sure whether it works):

  pipelining_advertise_hosts = ${if eq{$sender_host_name}{$sender_helo_name}\
                               {*}{+whitelisted_hosts}}

If you haven't a static local white list then {*}{}}
[exim] Re: delay not kicking in
On 4 June 2023 9:40:25 UTC Julian Bradfield via Exim-users wrote:

> True. Indeed, the docs for delay say that SMTP output is, by default,
> flushed before the delay, even in pipelining mode, so now I no longer
> understand why exim doesn't detect the closed stream on the first
> delay ...

IMO the question is if it cancels delays only, or cancels sending the
response too and only logs the ACL result. I don't know, as I don't
speak C, to check the sources. A packet capture can reveal this, but I
never met that.

> I've never used external blacklists (because I don't trust other
> people to make my spam decisions for me), but that would be a harmless
> use for them. Thanks for the tip!

I will try to move your minds even more. There are different RBLs.
Some are more decent, others less decent, but I agree that the SPAM
definition is too broad to rely on the decisions of others. I prefer
own checks too.

But then there are RBLs which track botnets and/or login attempts.
Have you enough capacity (a lot of servers/sensors/traps/... across
the world) to identify them early? Or do you identify them only after
some amount of malicious attempts? There are hundreds of thousands of
compromised PCs, IoTs, even servers (I mostly mean VPS "servers",
maintained by users)... Do you really want to allow all of them to
consume your resources only to reinvent the wheel (that it is some
botnet)?

It is not only about SPAM, phishing and other related attempts. Are
you interested to get the same scam from thousands of compromised IPs?
How is it useful? And the neverending story of "AUTH used, when not
advertised", etc, etc, ...

It is especially hard to track these bad ones, as when a botnet has a
lot of IPs, they can repeat only after a long time, but still be too
many different IPs daily. And the attackers don't use IPv6 (temporary
addresses) yet...

regards

--
Slavko
https://www.slavino.sk/
[exim] Re: delay not kicking in
On 2023-06-04, Slavko via Exim-users wrote:
> But then there are RBLs which track botnets and/or login
> attempts. Have you enough capacity (a lot of servers/
> sensors/traps/... across the world) to identify them early?
> Or do you identify them only after some amount of malicious
> attempts?

I identify them after one failed login attempt :)
At present, I block addresses for 1 day, and usually have around 12000
blocked addresses at any one time. One ban every few seconds is not a
significant use of resource.

> It is not only about SPAM, phishing and other related
> attempts. Are you interested to get the same scam
> from thousands of compromised IPs? How is it useful?

I'm a small MTA, handling only relatives and one small sports club.
So I'm not a particularly heavy target.
I checked the other day - I reject very little at MTA level, but at
MUA level, my personal mail is about 75% obvious spam (that gets sent
to /dev/null by one of half a dozen simple rules), about 12% less
obvious spam (that goes to my "maybe spam" box), and about 12% ham.
I was actually surprised at the 75% spam level, since I never see it
(and have never had a problem with a false positive).

> It is especially hard to track these bad ones, as when a botnet
> has a lot of IPs, they can repeat only after a long time, but
> still be too many different IPs daily. And the attackers

That's why I operate "one strike and you're out". This is occasionally
annoying when I'm setting up a new device and get the password wrong,
but I can live with that.
[exim] Re: delay not kicking in
On 4 June 2023 13:54:49 UTC Julian Bradfield via Exim-users wrote:

> I'm a small MTA, handling only relatives and one small sports club.
> So I'm not a particularly heavy target.

Perhaps you are not the target of a targeted attack, but...

Have you properly set SPF/DKIM/DMARC and have no bad reputation? Then
you are (or can be) a good target. How good a target you are, you can
derive from 12 000 blocked IPs daily.

BTW, how many of them repeat every some days?

> That's why I operate "one strike and you're out". This is occasionally
> annoying when I'm setting up a new device and get the password wrong,
> but I can live with that.

Hmm, you can, but what about your other users? It doesn't matter how
many users you have...

I met a similar approach some years ago, in a job with our email
provider. One of our employees made a typo in his mail client password,
and the whole company (behind NAT) was blocked... Some time passed
until I realized that, then some time passed until the email provider
investigated and solved it, nobody was happy...

That is where identifying bad IPs can be important, as you can
relatively safely apply the one-time approach to them and/or block
them for a long time, and for others apply less strict rules.

regards

--
Slavko
https://www.slavino.sk
[exim] Re: Routing failed deliveries through an ESP
Hi,

On Fri, 21 Apr 2023 14:40:47 +0100 Jeremy Harris via Exim-users wrote:

> On 21/04/2023 13:13, Slavko via Exim-users wrote:
>> it can
>> be related to per_addr option
>
> per_addr can only be used in the rcpt acl.
> You'd possibly be able to just use count=1,
> if this was an event raised once per thing
> you want counted.

I am sorry for the delay, but now I found time to play with it...

I re-enabled ratelimit in the event msg:fail:delivery. I was wrong, it
was not the per_addr, but per_rcpt, but the result is the same. As I
call it from a nested ACL (acl=), the log is not useful.

AFAIK, the msg:fail:delivery event is called once per failed recipient,
and that is exactly what I want to count -- the failed recipients rate.
Previously I did it by recipient callout, but IMO events are better, as
no separate callout is done (and I cannot use hold in callout, as I use
BATV to modify the envelope sender).

I reread the doc about ratelimit, and I found that only per_conn and
per_cmd have not mentioned other ACLs where they can be used. I will
guess that that approach was chosen before events were introduced. If
that definition can be the opposite -- I mean a list of ACLs where a
particular option cannot be used, then many of them can be used in
events...

I was successful with per_cmd/count=1, but I am not sure if that is
right. I can see the right number in the ratelimit DB, but I did only
basic testing yet. I guess that per_conn will not be useful in this
case to count failed recipients, but I am not sure. Can you please
confirm that?

I am not sure how to deal with the same failing recipient yet... But
can unique=$local_part@$domain be used there?

regards

--
Slavko
https://www.slavino.sk
[exim] Re: delay not kicking in
On 2023-06-04, Slavko via Exim-users wrote:
> On 4 June 2023 13:54:49 UTC Julian Bradfield via
> Exim-users wrote:
>> I'm a small MTA, handling only relatives and one small sports club.
>> So I'm not a particularly heavy target.
> Have you properly set SPF/DKIM/DMARC and have no bad reputation? Then
> you are (or can be) a good target. How good a target you are, you can
> derive from 12 000 blocked IPs daily.

I don't use DMARC yet, but the rest is in place, and Gmail accepts
mail from me :)

> BTW, how many of them repeat every some days?

Actually, I was wrong - I now blacklist for ten days. I must have
changed it a while ago.

>> That's why I operate "one strike and you're out". This is occasionally
>> annoying when I'm setting up a new device and get the password wrong,
>> but I can live with that.
>
> Hmm, you can, but what about your other users? It doesn't matter how
> many users you have...

There are no other users who read mail from me by IMAP - I just
forward to them (which has its own annoyances, but even though I
forward all their spam to gmail, gmail still takes mail from me, though
occasionally throttles).

> I met a similar approach some years ago, in a job with our email
> provider. One of our employees made a typo in his mail client
> password, and the whole company (behind NAT) was blocked... Some time
> passed until I realized that, then some time passed until the email
> provider investigated and solved it, nobody was happy...
>
> That is where identifying bad IPs can be important, as you can
> relatively safely apply the one-time approach to them and/or block
> them for a long time, and for others apply less strict rules.

Yes, if I had users like that, I would take a different approach.
(My users' home and work networks are all whitelisted, so it's only
their mobiles that they might get blocked by accident.)
[exim] Re: delay not kicking in
On 2023-06-04, Slavko via Exim-users wrote:
> On 4 June 2023 13:54:49 UTC Julian Bradfield via
> Exim-users wrote:
>
>> I'm a small MTA, handling only relatives and one small sports club.
>> So I'm not a particularly heavy target.
>
> Perhaps you are not the target of a targeted attack, but...
>
> Have you properly set SPF/DKIM/DMARC and have no bad reputation? Then
> you are (or can be) a good target. How good a target you are, you can
> derive from 12 000 blocked IPs daily.
>
> BTW, how many of them repeat every some days?
>
>> That's why I operate "one strike and you're out". This is occasionally
>> annoying when I'm setting up a new device and get the password wrong,
>> but I can live with that.
>
> Hmm, you can, but what about your other users? It doesn't matter how
> many users you have...
>
> I met a similar approach some years ago, in a job with our email
> provider. One of our employees made a typo in his mail client
> password, and the whole company (behind NAT) was blocked... Some time
> passed until I realized that, then some time passed until the email
> provider investigated and solved it, nobody was happy...
>
> That is where identifying bad IPs can be important, as you can
> relatively safely apply the one-time approach to them and/or block
> them for a long time, and for others apply less strict rules.
>
> regards
>
> --
> Slavko
> https://www.slavino.sk

I use a strategy where repeated attempts with the same wrong password
(user-password-hash) are not punished further.

I use an SQL database, but the same thing could be done by using an
inverse ratelimit on a hash of user-password preceding the ratelimit
on ip-address.

--
Jasen.

🇺🇦 Слава Україні
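The two banning policies discussed in this thread, combined in one added Python example that is not code from the thread or from Exim: Julian's fixed-length ban of a source IP after failed AUTH with his users' networks whitelisted, and Jasen's refinement of not counting repeats of the same wrong user/password hash so that a stalled mail client does not trip the IP limit while a password-guessing client does. The per-site HMAC secret, the in-memory store, the thresholds and the sample addresses are constructed assumptions.

```python
import hashlib, hmac, ipaddress
from dataclasses import dataclass, field

# Assumption: a per-site secret, so a stored fingerprint never reveals the tried password.
SITE_SECRET = b"constructed-example-secret"


def cred_fingerprint(user: str, password: str) -> str:
    """HMAC over user+password: the 'hash of user-password' Jasen keys his table on."""
    return hmac.new(SITE_SECRET, f"{user}\0{password}".encode(), hashlib.sha256).hexdigest()


@dataclass
class AuthFailureBanList:
    max_distinct: int = 3           # distinct wrong credentials per IP before a ban (1 = one strike)
    window: int = 3600              # seconds a counted wrong credential stays "recent"
    ban_seconds: int = 10 * 86400   # ban length (Julian's ten days)
    whitelist: list = field(default_factory=list)  # networks never banned (users' home/work nets)
    banned: dict = field(default_factory=dict)     # ip -> ban expiry (epoch seconds)
    recent: dict = field(default_factory=dict)     # ip -> {fingerprint: last seen}

    def is_whitelisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(net) for net in self.whitelist)

    def is_banned(self, ip: str, now: int) -> bool:
        expiry = self.banned.get(ip)
        if expiry is not None and now >= expiry:
            del self.banned[ip]         # ban has lapsed; forget it
            return False
        return expiry is not None

    def record_failure(self, ip: str, user: str, password: str, now: int) -> bool:
        """Register one failed AUTH from ip. Returns True if the IP is (now) banned."""
        if self.is_whitelisted(ip):
            return False
        if self.is_banned(ip, now):
            return True
        fp = cred_fingerprint(user, password)
        seen = self.recent.setdefault(ip, {})
        for stale in [k for k, t in seen.items() if now - t > self.window]:
            del seen[stale]             # outside the window: no longer counted
        repeat = fp in seen             # same wrong credential again: a stalled MUA, not a guess
        seen[fp] = now
        if repeat or len(seen) < self.max_distinct:
            return False
        self.banned[ip] = now + self.ban_seconds
        self.recent.pop(ip, None)
        return True
```

Setting max_distinct=1 reproduces the "one strike and you're out" behaviour, while a higher value keeps a single mistyped password from locking out a whole NAT as in the story above.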