Postcards From My Life

Lint I find in my mind's belly-button.

Posts Tagged ‘Exim’

Exim Deny Manager

Sunday, February 5th, 2006

Dear Reader,

Yes, I know I’ve gotten in a rut of simply updating older content and passing it off as new, but the pressure of being creative or witty on a daily basis is getting to me. So bear with me here. The meds will kick in soon and I will be back to normal.

After I released exim_deny_filter.php there was a long discussion over at the DirectAdmin forum with Jeff Lasman about whether or not it was a good idea to be blocking IP addresses in exim. His (well thought out) argument was that exim was not really designed to do this even though it can do it. He argued that it was probably taking up more resources doing it this way than filtering it at the firewall, and that firewalls are designed to do IP-based filtering, so why not let them. (I’ve shortened a 3-day conversation into 2 sentences so that I can say I add value with my blog. There…)

He, of course, was right. However, firewalls can’t detect a dictionary scan and block it, while exim can. I toyed with the idea of letting exim issue firewall blocks immediately, but that meant that I either had to run exim as root (bad mojo) or I had to open up APF so that it could be executed by the mail user (bad mojo). So I did what I always do: I wandered off to watch CSI. (Vegas BABY, not those other 2 imposters) Sometime in the intervening week, I hit upon the idea of a compromise. (Those that know me know that this is a wholly foreign idea to me.) Let exim detect and initially block the IPs as it detects an attack. Then, at some regular interval, move those IPs over to the firewall. And of course, give some way to remove them after a pre-defined time.

Thus was born, exim_deny_manager. It has all the features of exim_deny_filter.php and can still be used just like it. Now though, it has added capacity and functionality. (and 10% more brighteners!)

So dear reader, it is with much fanfare that I release to you, after 3 solid days of use on my own system, Exim_Deny_Manager.php. Full implementation instructions can be found on the project page.

As always, questions, comments and criticisms are always welcome and sometimes even responded to. (Ask Fred, sometimes I do answer emails!)

Until next time, GO Steelers!
(l)(k)(bunny)

=C=

Tags: Exim
Posted in PHP, Programming

Exim_deny_filter.php Update

Wednesday, January 25th, 2006

Dear Reader,

Because I know so many of you use it, I’ve updated my little script to maintain the exim_deny_filter described here. After being deluged with emails of congratulations, eternal thanks and feature requests[1], I finally broke down and coded the one additional feature every user I talked to[2] requested. It now has the ability to tell you how many IP addresses are in your file. Ok, technically it tells you how many lines begin with a #, but since each IP address has a timestamp line before it that starts with a #, you get the same info (as long as the file contains no other comment lines, which would inflate the count).

Anyhow, you can download it here. Full details on how to implement IP filtering in Exim can be found here.

Enjoy!
(l)(k)(bunny)

=C=

[1] Ok, it’s the one feature I wanted to add.
[2] Ok, so I only talked to myself.

Tags: Exim
Posted in PHP, Programming

Mail Server, Spam Blocking and firewalls

Thursday, January 19th, 2006

Dear Reader,

You may or may not know that I run a web hosting service and Internet design company in all of my spare time. This affords me the opportunity to do some interesting things, like have long discussions on forums with other admins about the relative value of blocking spam at the firewall vs. the MTA. Thanks to Jeff Lasman, those of us who use DirectAdmin and exim have a new SPAM fighting tool, the SpamBlocker configuration file for exim. It’s a great piece of work. If you run exim, even if you don’t run DirectAdmin, it’s worth a read just to see all the good ideas in one place.

Jeff just recently released version 2.0 of the file and, while discussing it, our attention turned to blocking spam at the firewall instead of at the MTA. Obviously, it takes fewer resources, but since a lot of spam comes from dynamic IP addresses (evil zombies) you don’t want to block those IPs from your server forever or eventually no-one will be able to get to your site. Also, there are several problems that I’ve yet to overcome technically, not the least of which is that exim runs as a non-privileged user (as it should), which precludes it from executing iptables. So, for the moment, I’m left with a less than optimal but perfectly workable solution.

1 – You need Jeff’s SpamBlocker conf file for exim. If you don’t run DirectAdmin, you will have to modify it to suit your needs but it’s well worth the effort. If however, you don’t want to start from scratch with a new conf file, this idea will work with just about any exim.conf file for 4.50 or better. (it may work with any version of exim 4.x but I’ve not tested it.)

It’s important at this point to say that before you implement this make sure exim is working 100% and then back up your conf file. if nothing else, email it to yourself. It gives you a backup AND you know it’s working! :)

2 – Ok, so you have a working exim.conf file. Now let’s tinker with it. Somewhere in your acl_smtp_rcpt (in SpamBlocker it’s the check_recipient ACL) you need to put the following:

#
# Blatantly stolen from
# http://www.configserver.com/free/eximdeny.html
# Many props and thanks guys.
#
# If they added themselves to the file below, let's block them for Dict Scan!!!
# (/etc/exim_deny is read as a host list: one IP per line; lines starting with
# '#', such as the timestamp lines dictscan.pl writes, are ignored as comments.)
deny  message       = Blocked because your address is being used for a dictionary attack.
      hosts         = /etc/exim_deny
      !hosts        = +relay_hosts
      !authenticated = *
      delay         = 150s
      log_message   = Blocked because of dictionary scan.

# More than two failed RCPT TO commands in this session: run dictscan.pl, which
# appends the client IP to /etc/exim_deny, then reject and slow each further
# attempt. ${run} yields "1" whether or not the script succeeds, so the second
# condition is always true once the count is exceeded; it is there only to run
# the script (as the exim user, hence the file permissions in steps 3 and 4).
deny  message       = Max $rcpt_fail_count failed recipients allowed
      condition     = ${if > {${eval:$rcpt_fail_count}}{2}{yes}{no}}
      condition     = ${run{/etc/dictscan.pl $sender_host_address}{1}{1}}
      !hosts        = +relay_hosts
      delay         = ${eval: ($rcpt_fail_count) * 30}s
      log_message   = Dictionary scan! $rcpt_fail_count failed recipient attempts

If you are using SpamBlocker like me, consider putting it below:

# accept mail to hostmaster in any local domain, regardless of source
accept  local_parts = hostmaster
        domains     = +local_domains

3 – Ok, save that. Now, download dictscan.pl and save it in your /etc dir. Make sure it is executable by the user account that your exim runs under.

4 – Create the file /etc/exim_deny and make sure that it is writable by the account that your exim runs under (dictscan.pl runs as that user when exim calls it, and exim also reads the file as its host list).

5 – Restart exim

At this point you should have a working solution. There are a couple of things you might want to do.

First, as Jeff pointed out, neither executables nor storage files should be in your /etc. Hey, I didn’t write it and I’ve been too lazy to change it up to this point. But he’s right and you should move the executable somewhere appropriate and the exim_deny file to somewhere in your /var directory.

Second, if you don’t watch it, exim_deny is just going to keep growing and growing. Since I hate manually editing files as much as the next guy I wrote a little php script to do it for me.

Download and save on your server as a php file. Make sure the reference to the php interpreter is correct and if you move the exim_deny file, change it here too. Now, after you run it a few times to make sure it works the way you want it to, drop it in your cron and forget it. Run it as often as you like. Hell, fire up PuTTY and run it in the middle of the day if you get bored. FWIW, I run it every night about 3 AM. (and if my boss is reading this, as far as you know I don’t run it in the middle of the day because as far as you know I’m not bored.) :)
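The pruning job above, the entry count from the January 25 update and the compromise from the February 5 post (exim records the offender, a cron job later moves it to the firewall and expires it) all work on the same file, so here is one worked example of that pipeline. It is added here and is not exim_deny_manager.php, exim_deny_filter.php or dictscan.pl. It assumes the two-line layout the posts describe, a "# timestamp" line followed by the IP, with an assumed timestamp format; the EXIM_DENY chain name, the function names and the sample file are also assumptions.

```python
"""Added example (not exim_deny_manager.php or dictscan.pl): parse and prune an
Exim deny file and emit the firewall commands a root cron job would run.
Assumed layout, per the page: a '# <timestamp>' line, then the IP. The
timestamp format, the EXIM_DENY chain and all names here are assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed layout of the "# ..." line before each IP


@dataclass(frozen=True)
class DenyEntry:
    ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    added: datetime


def parse_deny_file(text: str) -> tuple[list[DenyEntry], list[str]]:
    """Pair each timestamp comment with the IP on the following line.
    The file is written by the unprivileged exim user and read by a root cron
    job, so treat it as untrusted: anything that is not a literal IP address
    is reported and skipped, never handed to iptables."""
    entries: list[DenyEntry] = []
    problems: list[str] = []
    pending: datetime | None = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            try:
                pending = datetime.strptime(line[1:].strip(), TS_FORMAT)
            except ValueError:
                pending = None  # an ordinary comment, not an entry
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            problems.append(f"line {lineno}: not an IP address: {line!r}")
            pending = None
            continue
        if pending is None:
            problems.append(f"line {lineno}: {ip} has no timestamp line, dropped")
            continue
        entries.append(DenyEntry(ip, pending))
        pending = None
    return entries, problems


def count_hash_lines(text: str) -> int:
    """The update post's shortcut: one '#' line per IP. It also counts header
    comments and timestamps whose IP line is junk (5 vs 3 on the sample below)."""
    return sum(1 for line in text.splitlines() if line.lstrip().startswith("#"))


def render(entries: list[DenyEntry]) -> str:
    return "".join(f"# {e.added.strftime(TS_FORMAT)}\n{e.ip}\n" for e in entries)


def firewall_commands(keep, expired, chain: str = "EXIM_DENY") -> list[str]:
    """Shell lines for the root cron job: -C first so repeated runs do not stack
    duplicate rules, -D when an entry expires. Interpolating e.ip into a shell
    line is safe only because ip_address() validated it."""
    cmds = []
    for e in keep:
        tool = "ip6tables" if e.ip.version == 6 else "iptables"
        cmds.append(f"{tool} -C {chain} -s {e.ip} -j DROP 2>/dev/null || "
                    f"{tool} -I {chain} -s {e.ip} -j DROP")
    for e in expired:
        tool = "ip6tables" if e.ip.version == 6 else "iptables"
        cmds.append(f"{tool} -D {chain} -s {e.ip} -j DROP 2>/dev/null || true")
    return cmds


def manage(text: str, now_text: str, max_age_days: int):
    """One cron cycle over the file's text. Returns (new file text, firewall
    commands, parse problems); the caller writes the text back and runs the
    commands as root."""
    entries, problems = parse_deny_file(text)
    now = datetime.strptime(now_text, TS_FORMAT)
    max_age = timedelta(days=max_age_days)
    keep = [e for e in entries if now - e.added <= max_age]
    expired = [e for e in entries if now - e.added > max_age]
    return render(keep), firewall_commands(keep, expired), problems


# Constructed sample, not a real deny file: a header comment, three valid
# entries (one IPv6) and one timestamp whose IP line is junk.
SAMPLE_DENY_FILE = """\
# managed by dictscan.pl
# 2006-01-10 22:15:03
203.0.113.45
# 2006-01-18 03:12:44
198.51.100.7
# 2006-01-19 01:00:00
not-an-ip
# 2006-01-19 02:30:11
2001:db8::9
"""

if __name__ == "__main__":
    new_text, cmds, problems = manage(SAMPLE_DENY_FILE, "2006-01-20 00:00:00", 7)
    print(new_text, *problems, *cmds, sep="\n")
```

Run it from root's cron (nightly, like the script above) and write the returned text back to the deny file via a temporary file and os.replace(), then chown the result back to the exim user so dictscan.pl can still append to it; without that, the first root rewrite silently breaks the detection side. An append by dictscan.pl between the read and the replace would be lost, so both sides should take an fcntl.flock() on a shared lock file. Keeping the blocks in their own chain referenced from INPUT keeps them separate from APF's rules and makes a flush trivial.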

That’s it. Like I said, it’s not a perfect solution. Blocking the IP addresses at the firewall is a much more efficient solution, especially if you have a busy server that gets attacked a lot. But I present it here for you because it worked for me. I encourage you to drop me a line with any improvements. I’ll make sure to share them.

Until next time,

(l)(k)(bunny)

=C=

Tags: Exim
Posted in Uncategorized