Score:0

How can I stop this kind of exim attack?


I have searched here, but found no topic about my question (the others just ask about their email being rejected, but this time it is not my email being rejected). It seems someone is trying to send spam out via my server. However, this one is very annoying; it has tried over 1000 times, like this:

2022-10-02 08:15:01 H=(DESKTOP-K89KQBI) [212.191.80.243] [email protected] rejected RCPT [email protected]: relay not permitted, authentication required

Yes, I can block this IP, but he tries a new IP every day....

How can I block this kind of attack? Any csf rule? Thank you.

anx
The "rejected" indicates the unauthorized attempt *was* stopped. What else do you want?
gapsf
"how can I block this kind of attack?" This is not an attack. You already "block" the "attack". **You can't force remotes to do or not do something. Any host can send you whatever it wants.** You can only ignore something that has already reached your host, on your side, at different stages and levels.
simonlo
Thank you all. I want to block them when this starts; they have tried over 1000 times, so I want to block their IP when they start to try the "attack". Thanks.
gapsf
It is mostly ineffective because IPs may change constantly and you need to analyze exim logs to dynamically update iptables/ipset rules. If server performance doesn't suffer from these connections, just ignore it.
gapsf
Or you may use an IP whitelist if you know from which IPs you want to receive mail. Also check that exim uses SPF checks.
simonlo
Thank you gapsf. Is there any solution that lets only the IPs in a whitelist send email out, so the others can't send via my server (exim allows only the IPs in the list to send mail)? Thank you so much.
simonlo
Thank you gapsf, I have tried to add a csf rule to block it; hope this will work.
Score:2

You can install a package called Fail2ban. It's software that checks your logs in real time and, through regex filters, detects the log entries you want to take into account to ban IPs for a specific period. Check out Fail2ban.org for more info.
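The matching and counting that the answer above describes can be sketched in a few lines of Python. This is an added example, not part of the original answer and not Fail2ban's own filter; it assumes exim's default mainlog line format, and the function name `offenders`, its parameters and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Relay rejections in exim's default mainlog format. The address is taken from
# the connection field that follows the optional hostname and (HELO) fields,
# because the HELO string is chosen by the client and may itself contain "[ip]".
RELAY_REJECT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?:\S+ )?(?:\(\S*\) )?\[(?P<ip>[0-9A-Fa-f:.]+)\](?::\d+)? "
    r".*rejected RCPT .*: relay not permitted"
)

def offenders(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: time of the rejection that reached max_retry within find_time}."""
    recent = defaultdict(deque)  # ip -> rejection times inside the sliding window
    banned = {}
    for line in lines:
        m = RELAY_REJECT.match(line)
        if not m or m["ip"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:  # drop hits older than the window
            window.popleft()
        if len(window) >= max_retry:
            banned[m["ip"]] = ts
    return banned

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE_LOG = """\
2022-10-02 08:15:01 H=(DESKTOP-EXAMPLE) [203.0.113.50] F=<a@example.com> rejected RCPT <x@example.net>: relay not permitted, authentication required
2022-10-02 08:15:02 H=(DESKTOP-EXAMPLE) [203.0.113.50] F=<a@example.com> rejected RCPT <y@example.net>: relay not permitted, authentication required
2022-10-02 08:15:03 H=([198.51.100.9]) [203.0.113.50] F=<a@example.com> rejected RCPT <z@example.net>: relay not permitted, authentication required
2022-10-02 08:20:00 H=mail.example.org [192.0.2.10] F=<b@example.org> rejected RCPT <x@example.net>: relay not permitted, authentication required
2022-10-02 09:40:00 H=mail.example.org [192.0.2.10] F=<b@example.org> rejected RCPT <x@example.net>: relay not permitted, authentication required
2022-10-02 09:41:00 1abcDE-000123-4F <= c@example.com H=mx.example.com [192.0.2.20] P=esmtps S=1234
""".splitlines()

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{when} ban {ip}")
```

The returned addresses are what a firewall or ipset update would consume; the two rejections from 192.0.2.10 are 80 minutes apart, so they never share a 10-minute window and do not trigger a ban.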
