This object is in archive! 

block IP of Exim DoS

Timo Baur shared this idea 10 years ago
Open Discussion

A functionality shall be developed that can sense multiple SMTP connections + drops from the same IP that arrive in the same second (SMTP DoS).

Such a behaviour will lead to a socket "connect timed out inside "and{...}" condition" in Exim, which will prevent all users from authenticating to the mailserver.

For an example see below:

2012-12-11 18:45:12 SMTP connection from mail.somehostname.com (HOST-NAME) [123.23.123.23]:36229 lost
2012-12-11 18:45:12 SMTP connection from mail.somehostname.com (HOST-NAME) [123.23.123.23]:36238 lost
2012-12-11 18:45:12 courier_login authenticator failed for mail.somehostname.com (HOST-NAME) [123.23.123.23]:36307: 435 Unable to authenticate at present (set_id=user): socket connect timed out inside "and{...}" condition
2012-12-11 18:45:12 courier_login authenticator failed for mail.somehostname.com (HOST-NAME) [123.23.123.23]:36316: 435 Unable to authenticate at present (set_id=user): socket connect timed out inside "and{...}" condition
2012-12-11 18:45:12 courier_login authenticator failed for mail.somehostname.com (HOST-NAME) [123.23.123.23]:35962: 435 Unable to authenticate at present (set_id=mail): socket read timed out inside "and{...}" condition
2012-12-11 18:45:12 courier_login authenticator failed for mail.somehostname.com (HOST-NAME) [123.23.123.23]:35963: 435 Unable to authenticate at present (set_id=mail): socket read timed out inside "and{...}" condition
2012-12-11 18:45:12 courier_login authenticator failed for mail.somehostname.com (HOST-NAME) [123.23.123.23]:35966: 435 Unable to authenticate at present (set_id=mail): socket read timed out inside "and{...}" condition
2012-12-11 18:45:12 courier_login authenticator failed for mail.somehostname.com (HOST-NAME) [123.23.123.23]:35967: 435 Unable to authenticate at present (set_id=mail): socket read timed out inside "and{...}" condition
2012-12-11 18:45:12 courier_login authenticator failed for mail.somehostname.com (HOST-NAME) [123.23.123.23]:35968: 435 Unable to authenticate at present (set_id=mail): socket read timed out inside "and{...}" condition
2012-12-11 18:45:12 courier_login authenticator failed for mail.somehostname.com (HOST-NAME) [123.23.123.23]:35969: 435 Unable to authenticate at present (set_id=mail): socket read timed out inside "and{...}" condition
2012-12-11 18:45:12 SMTP connection from mail.somehostname.com (HOST-NAME) [123.23.123.23]:35962 lost
2012-12-11 18:45:12 SMTP connection from mail.somehostname.com (HOST-NAME) [123.23.123.23]:35963 lost
2012-12-11 18:45:12 SMTP connection from mail.somehostname.com (HOST-NAME) [123.23.123.23]:36291 lost
2012-12-11 18:45:12 SMTP connection from mail.somehostname.com (HOST-NAME) [123.23.123.23]:36307 lost
2012-12-11 18:45:13 SMTP connection from mail.somehostname.com (HOST-NAME) [123.23.123.23]:36316 lost
2012-12-11 18:45:13 SMTP connection from mail.somehostname.com (HOST-NAME) [123.23.123.23]:35969 lost
2012-12-11 18:45:13 SMTP connection from mail.somehostname.com (HOST-NAME) [123.23.123.23]:35967 lost
2012-12-11 18:45:13 SMTP connection from mail.somehostname.com (HOST-NAME) [123.23.123.23]:35968 lost
2012-12-11 18:45:13 SMTP connection from mail.somehostname.com (HOST-NAME) [123.23.123.23]:35966 lost
2012-12-11 18:45:13 courier_login authenticator failed for xxxx.tun0.hostname.net (xyz) [234.00.234.00]:51857: 435 Unable to authenticate at present (set_id=user+domain.net): socket connect timed out inside "and{...}" condition
2012-12-11 18:45:13 SMTP connection from xxxx.tun0.hostname.net (xyz) [234.00.234.00]:51857 lost
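
The detection requested in the post above, sketched as an added example (not part of the original post and not cPanel or Exim code): it counts "lost" connections and authenticator failures per source IP in the Exim main log and reports IPs that reach a threshold within the same second. The names `parse` and `find_flooders`, the default `threshold` and `window`, and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# "lost" connections and authenticator failures, as in the excerpt above.
LINE = re.compile(
    r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) '
    r'(SMTP connection from|\S+ authenticator failed for) '
    r'.*?\[([0-9A-Fa-f.:]+)\]:\d+(.*)$')

def parse(line):
    """Return (timestamp, ip) for a drop or auth-failure line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ts, kind, ip, rest = m.groups()
    if kind.startswith('SMTP') and not rest.startswith(' lost'):
        return None  # ordinary connect/close lines are not counted
    return datetime.strptime(ts, '%Y-%m-%d %H:%M:%S'), ip

def find_flooders(lines, threshold=5, window=1):
    """Map ip -> peak event count for IPs reaching `threshold` events inside
    `window` seconds (window=1 means the same log second). Assumes
    chronological input, which is how Exim writes its main log."""
    recent, peaks = defaultdict(deque), {}
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, ip = event
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

# Constructed sample lines (documentation-range IPs), not taken from the post.
HOST, AUTH = 'mail.example.net (HOST-NAME)', 'courier_login authenticator failed for'
TAIL = ': 435 Unable to authenticate at present (set_id=user): socket connect timed out inside "and{...}" condition'
SAMPLE = (
    [f'2012-12-11 18:45:12 SMTP connection from {HOST} [192.0.2.10]:{p} lost' for p in (36229, 36238, 36291)]
    + [f'2012-12-11 18:45:12 {AUTH} {HOST} [192.0.2.10]:{p}{TAIL}' for p in (36307, 36316, 35962)]
    + [f'2012-12-11 18:45:13 SMTP connection from {HOST} [192.0.2.10]:{p} lost' for p in (36307, 36316)]
    + [f'2012-12-11 18:45:13 {AUTH} other.example.org (xyz) [198.51.100.7]:51857{TAIL}',
       '2012-12-11 18:45:13 SMTP connection from other.example.org (xyz) [198.51.100.7]:51857 lost',
       '2012-12-11 18:45:13 SMTP connection from [203.0.113.5]:4000 (TCP/IP connection count = 1)'])

if __name__ == '__main__':
    for ip, peak in find_flooders(SAMPLE).items():
        print(f'{ip}: {peak} drops/auth failures in one second')
```

The returned IPs are candidates for a firewall or Exim ACL block; the threshold needs tuning against normal traffic from shared NAT addresses and busy relays before anything is blocked automatically.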

Replies (1)


Hello, I've modified your response to remove any identifying information. It is good practice to remove any private data when posting on the internet.
