Score:0

Server

How can I stop this kind of exim attack?

simonlo

10/9/23, 5:58 AM

I has been search here, BUT no topic about my question (they just ask for their email was rejcted, but this time, not my email was been reject), it seem someone try to send spam out via my server, however this one is very annoying, it start to try over 1000 times like this:

2022-10-02 08:15:01 H=(DESKTOP-K89KQBI) [212.191.80.243] [email protected] rejected RCPT [email protected]: relay not permitted, authentication required

Yes, I can block this ip, but he try new ip everyday....

how can I block this kind of attack? any csf rule? thank you

266

1 + 7

email-server

brute-force-attacks

exim

block

csf

anx

10/9/23, 6:16 AM

The "rejected" indicates the unauthorized attempt *was* stopped. What else do you want?

gapsf

10/9/23, 7:57 AM

"how can I block this kind of attack?" This is not an attack. You already "block" "attack". **You cant force remotes to do or dont do something. Any host can send you whatevere it wants.** You can only ignore something that already reach your host on your side at different stages and levels

simonlo

10/9/23, 1:46 PM

thank you all, I want to block them when this start, they have over 1000 times try, so I want to block their ip when they start try "attack", thanks

gapsf

10/9/23, 2:42 PM

It mostly ineffective because ips may change contstantly and you need analyze exim logs to dynamically update iptables/ipset rules. If server performance doesnt suffer from this connections - just ignore it

gapsf

10/9/23, 2:47 PM

Or you may use ip white list if you know from what ips you want recieve mail. Also check exim use spf checks

simonlo

10/10/23, 4:01 AM

Thanks you gapsf, is there any solution can only let ip in whitelist send email out, the other can't send via my server(exim allow only the ip in list to send mail) ? thank you so much

simonlo

10/10/23, 4:48 AM

thank you gapsf, I have try to add a csf rule for block it, hope this will work

Score:2

Server

Rodrigo Celestino

1/2/24, 11:53 AM

You can install a package called Fail2ban, it's a software that checks your logs in real time and through regex filters it detects logs you want to take in account to ban ips during a specific period. Check out Fail2ban.org for more info.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How can I stop this kind of exim attack?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.