Philip Hazel | 30 Aug 2007 15:49

Exim 4.68 Released


I have just put Exim release 4.68 on the primary ftp site:

  ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/exim-4.68.tar.gz
  ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/exim-4.68.tar.bz2

-------------------------------------------------------------------------------
This release contains a number of new features, as well as some bug fixes. The
documentation has been updated. The PostScript/PDF documentation has again been
made by a new process. Instead of using xmlto/fop (as was done up to 4.66),
PostScript is generated directly from the XML by a program called SDoP that I
have been quietly writing for the last couple of years. It is now publicly
released, and it can do a better (and 60 times faster) job on the Exim manual
than xmlto/fop. In particular, change bars are back, as are font changes in the
indexes, and there are fewer typographic inelegancies.

As usual, all changes are in the doc/ChangeLog file. See also the
README.UPDATING file for changes that might impact on some installations.
-------------------------------------------------------------------------------

The primary ftp server is in Cambridge, England. There is a list of mirrors in:

  ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Mirrors

The distribution files are signed with Philip Hazel's GPG key, which is
available on the ftp site and on a number of keyservers. The signature files
are in the same directory as the tarbundles. The MD5 hash codes for the
distribution files are:

41e9a5f5937f50d3cf5ba62986b06602  exim-4.68.tar.gz

Mark Rigby-Jones | 31 Aug 2007 10:50

Exim 4.68 defeats spammers!

On 30 Aug 2007, at 14:49, Philip Hazel wrote:
> I have just put Exim release 4.68 on the primary ftp site:
...
> This release contains a number of new features

Talk about a new release arriving just in the nick of time! Two of  
those new features combined to help solve a problem I was having  
yesterday afternoon. Allow me to explain:

Briefly, we were having an issue with a spam attack from (presumably)  
a zombie network, but to add to the fun the vast majority of the spam  
connections were sitting doing nothing until exim timed them out  
while waiting for a command. Even after reducing  
smtp_receive_timeout, this was filling up the connection pool and  
stopping a lot of legitimate email coming in.

Using the new acl_smtp_notquit, these timed-out connections can now  
be flagged for rate-limiting (this rule also catches connections with  
too many invalid commands):

acl_notquit:
     # Allow anything that's authenticated, from our networks or to submit port
     accept      authenticated   = *
     accept      hosts           = +relay_hosts
     accept      condition       = ${if eq {$interface_port}{587} {yes}{no}}
     # Rate-limit suspicious connections
     warn        condition       = ${if match {$smtp_notquit_reason} {command} \
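A detection-side companion to Mark's approach, added here and not part of the thread or of Exim itself: it scans Exim mainlog lines for connections that ended without QUIT (command timeouts, unexpected disconnections, calls dropped for too many bad commands), the same events a notquit ACL sees, and flags hosts that accumulate them quickly. The message texts follow Exim's mainlog wording as I know it; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Exim mainlog events for a connection that ended without QUIT (the cases a
# notquit ACL sees). Message texts are Exim's wording as I know it; the host
# part is assumed to be rendered as "name [ip]" or "[ip]".
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<event>SMTP command timeout on connection from"
    r"|unexpected disconnection while reading SMTP command from"
    r"|SMTP call from) (?:\S+ )?\[(?P<ip>[^\]]+)\]"
)

# Constructed sample log (not from the thread): 192.0.2.10 lets every
# connection time out and reconnects within minutes, as described above.
SAMPLE_LOG = """\
2007-08-30 14:01:10 SMTP command timeout on connection from [192.0.2.10]
2007-08-30 14:02:30 SMTP command timeout on connection from [192.0.2.10]
2007-08-30 14:02:31 <= alice@example.org H=mx.example.org [198.51.100.5] P=esmtp S=1234
2007-08-30 14:03:55 unexpected disconnection while reading SMTP command from [192.0.2.10]
2007-08-30 14:04:00 SMTP call from [192.0.2.12] dropped: too many nonmail commands (last was "HELO")
2007-08-30 14:05:01 SMTP command timeout on connection from [192.0.2.10]
"""

def notquit_events(log_text):
    """Yield (timestamp, ip, event) for every non-QUIT connection ending."""
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["event"]

def repeat_offenders(log_text, threshold=3, window_minutes=10):
    """Map ip -> count for hosts with >= threshold non-QUIT endings inside some
    window_minutes span (a sliding-window rate, as an Exim ratelimit measures)."""
    per_ip = defaultdict(list)
    for ts, ip, _ in notquit_events(log_text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        for start in range(len(times)):
            end = start
            while end < len(times) and (times[end] - times[start]).total_seconds() <= window_minutes * 60:
                end += 1
            if end - start >= threshold:
                flagged[ip] = end - start
                break
    return flagged
```

Hosts that show up here are the ones a ratelimit keyed on $sender_host_address in the notquit ACL would start counting; the legitimate delivery line in the sample is ignored because it never matches an event.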

Mar Matthias Darin | 3 Sep 2007 08:20

Re: Exim 4.68 defeats spammers!

Hello, 

Mark Rigby-Jones writes: 

> Briefly, we were having an issue with a spam attack from (presumably)  
> a zombie network, but to add to the fun the vast majority of the spam  
> connections were sitting doing nothing until exim timed them out  
> while waiting for a command. Even after reducing  
> smtp_receive_timeout, this was filling up the connection pool and  
> stopping a lot of legitimate email coming in.

With the spam zombies being mostly dynamic, I hardly even notice them.
DynaStop whacks them off early in the helo section. But I have seen
an increase in my logs of their attempts.

 --- 

DynaStop: Stopping spam one dynamic IP address at a time.
http://tanaya.net/DynaStop/

--

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Marc Perkel | 31 Aug 2007 16:59

Re: Exim 4.68 defeats spammers!


Mark Rigby-Jones wrote:
> On 30 Aug 2007, at 14:49, Philip Hazel wrote:
>   
>> I have just put Exim release 4.68 on the primary ftp site:
>>     
> ...
>   
>> This release contains a number of new features
>>     
>
> Talk about a new release arriving just in the nick of time! Two of  
> those new features combined to help solve a problem I was having  
> yesterday afternoon. Allow me to explain:
>
> Briefly, we were having an issue with a spam attack from (presumably)  
> a zombie network, but to add to the fun the vast majority of the spam  
> connections were sitting doing nothing until exim timed them out  
> while waiting for a command.
>   

Interesting. I'm wondering if that is happening to me. The number of
open connections to my main server has increased by almost 10 times
normal. I have the capacity to handle it and the load levels haven't
increased. So maybe the same thing is happening to me as is happening to you?


Mark Rigby-Jones | 1 Sep 2007 08:31

Re: Exim 4.68 defeats spammers!

On 31 Aug 2007, at 15:59, Marc Perkel wrote:
> Interesting. I'm wondering if that is happening to me. The number  
> of open connection to my main serve has increased by almost 10  
> times normal. I have the capacity to handle it and the load levels  
> haven't increased. So maybe the same thing is happening to me as  
> happening to you?

It's possible. Certainly one big difference with this attack is that  
CPU load wasn't hugely affected. I've got the connection limit set at  
a point where normally the servers are under pretty heavy load by the  
time it's reached and have probably dropped back to queue_only. This  
time, as most of the connections were simply hanging until they timed  
out, the load only went up slightly - meaning it did take rather  
longer to set off the alarm bells.

mrj
-- 
Mark Rigby-Jones, System Operations Manager
CI-Net, Network House, Langford Locks, Kidlington, OX5 1GA
CI-Net is the trading name for Community Internet plc
A company registered in England and Wales number 3155758
t: 01865 856009 m: 07747 862201 e: mark.rigby-jones <at> ci-net.com
w: www.ci-net.com


Chris Edwards | 31 Aug 2007 14:44

Re: Exim 4.68 defeats spammers!

On Fri, 31 Aug 2007, Mark Rigby-Jones wrote:

| Using the new acl_smtp_notquit, these timed-out connections can now  
| be flagged for rate-limiting

Hi,

Interesting. 

Do you find the same zombie IPs re-connecting sufficiently often to make 
this worthwhile ?  Or is there an effectively infinite pool of zombies, 
each only connecting once ?

--
Chris Edwards, Glasgow University Computing Service


Mark Rigby-Jones | 1 Sep 2007 08:24

Re: Exim 4.68 defeats spammers!

On 31 Aug 2007, at 13:44, Chris Edwards wrote:
> Do you find the same zombie IPs re-connecting sufficiently often to  
> make this worthwhile ?  Or is there an effectively infinite pool of  
> zombies, each only connecting once ?

In this particular case, they were - in fact they were even opening  
multiple simultaneous connections (until I dropped  
smtp_accept_max_per_host from 4 to 1 for off-net hosts) and re- 
connecting quite aggressively each time a connection was timed out.  
This, from numerous (dozens, certainly) different IP addresses to  
multiple mail servers on our side. After I made those changes, the  
number of concurrent connections began to drop down from being nailed  
up to the limit as it had been since the attack started, allowing  
legitimate emails to get through.

That said, it does seem a rather ineffective way to send spam - very  
few of the connections got as far as even attempting to send a  
message, certainly no more than one or two per hour, per attacking  
IP. Hopefully they'll stop using that particular code when it proves  
to be unprofitable (although I can assure you that I'd prefer a much  
worse fate for the spammers than mere lack of profit...)

mrj
--

-- 
Mark Rigby-Jones, System Operations Manager
CI-Net, Network House, Langford Locks, Kidlington, OX5 1GA
CI-Net is the trading name for Community Internet plc
A company registered in England and Wales number 3155758
t: 01865 856009 m: 07747 862201 e: mark.rigby-jones <at> ci-net.com
w: www.ci-net.com

John W. Baxter | 5 Sep 2007 17:20

Re: Exim 4.68 defeats spammers!

On 8/31/07 11:24 PM, "Mark Rigby-Jones" <mark.rigby-jones <at> ci-net.com> wrote:

> On 31 Aug 2007, at 13:44, Chris Edwards wrote:
>> Do you find the same zombie IPs re-connecting sufficiently often to
>> make this worthwhile ?  Or is there an effectively infinite pool of
>> zombies, each only connecting once ?
> 
> In this particular case, they were - in fact they were even opening
> multiple simultaneous connections (until I dropped
> smtp_accept_max_per_host from 4 to 1 for off-net hosts) and re-
> connecting quite aggressively each time a connection was timed out.
> This, from numerous (dozens, certainly) different IP addresses to
> multiple mail servers on our side. After I made those changes, the
> number of concurrent connections began to drop down from being nailed
> up to the limit as it had been since the attack started, allowing
> legitimate emails to get through.
>

I notice that iptables is blocking and logging packets for "invalid TCP
state" from the same hosts that are pushing up the connection counts.

This has increased greatly over the past 5 days (up by a factor of 5 or so
per the logs on one server).

  --John


Marc Perkel | 1 Sep 2007 15:42

Re: Exim 4.68 defeats spammers!


Mark Rigby-Jones wrote:
> On 31 Aug 2007, at 13:44, Chris Edwards wrote:
>   
>> Do you find the same zombie IPs re-connecting sufficiently often to  
>> make this worthwhile ?  Or is there an effectively infinite pool of  
>> zombies, each only connecting once ?
>>     
>
> In this particular case, they were - in fact they were even opening  
> multiple simultaneous connections (until I dropped  
> smtp_accept_max_per_host from 4 to 1 for off-net hosts) and re- 
> connecting quite aggressively each time a connection was timed out.  
> This, from numerous (dozens, certainly) different IP addresses to  
> multiple mail servers on our side. After I made those changes, the  
> number of concurrent connections began to drop down from being nailed  
> up to the limit as it had been since the attack started, allowing  
> legitimate emails to get through.
>
> That said, it does seem a rather ineffective way to send spam - very  
> few of the connections got as far as even attempting to send a  
> message, certainly no more than one or two per hour, per attacking  
> IP. Hopefully they'll stop using that particular code when it proves  
> to be unprofitable (although I can assure you that I'd prefer a much  
> worse fate for the spammers than mere lack of profit...)
>
> mrj
>   

One thing you can do is create a fake highest numbered MX that always 

Chris Edwards | 1 Sep 2007 13:19

Re: Exim 4.68 defeats spammers!

On Sat, 1 Sep 2007, Mark Rigby-Jones wrote:

| In this particular case, they were - in fact they were even opening  
| multiple simultaneous connections (until I dropped  
| smtp_accept_max_per_host from 4 to 1 for off-net hosts) and re- 
| connecting quite aggressively each time a connection was timed out.  
| This, from numerous (dozens, certainly) different IP addresses to  
| multiple mail servers on our side. After I made those changes, the  
| number of concurrent connections began to drop down from being nailed  
| up to the limit as it had been since the attack started, allowing  
| legitimate emails to get through.

Thanks for the interesting insight.

Chris


Robby Balona | 31 Aug 2007 15:22

Weird log entry

Hi All

Anyone seen this before and could tell me what it is? I just noticed this
week in my Mainlog. Does not worry me but I wonder what they are trying to
do.

rejected EHLO from [87.225.89.123]: syntactically invalid argument(s):
\321\302\305\322\310\312

Thanks

Robby


Juha Saarinen | 3 Sep 2007 11:00

Re: Weird log entry

On 9/1/07, Robby Balona <robby <at> grab.co.za> wrote:
> Hi All
>
> Anyone seen this before and could tell me what it it. I just noticed this
> week in my Mainlog. Does not worry me but I wonder what they are trying to
> do
>
> rejected EHLO from [87.225.89.123]: syntactically invalid argument(s):
> \321\302\305\322\310\312

Could be some spammer ratware, or a mailserver EHLO'ing in Cyrillic
(err, doubt it, but the IP address seems to be in a Russian netblock).

-- 
Juha
http://www.stuff.co.nz/blogs/techsploder


