Exim, Recipient Verify on Relay and Mail Server

How many of you get dictionary/ratware attacks on your mail server, wasting processing load on virus scanning or spam scoring? We see more than a thousand (on average) dictionary attack attempts on our mail server per hour, and they take a lot of processor load (and even more memory), especially since the server also does scanning with SpamAssassin or SA-Exim.

If your Exim relay server does spam scoring or virus scanning, you might need a powerful server just to cope with the attack traffic and the unnecessary scanning it triggers; investing in a faster processor just for that is not worth it. (That is why we hate Barracuda's vendor, who keeps asking us to upgrade to higher-end hardware costing something like >RM50k.)

To cut this load, you can add a small trick to Exim's acl_smtp_rcpt ACL (acl_check_rcpt in the default configuration). Let's see how it works.

Most system admins use verify = recipient/callout=10s,no_cache,defer_ok, but that performs an SMTP callout (a RCPT TO probe) to the destination server for every recipient check, which can consume a lot of connection resources. Since it is your own server, an easier approach is to generate a list of valid recipients and dump it into a text file, for example recipients.verified.list, in the format below:

recipient-a@exim.com.my
recipient-b@exim.com.my
recipient-c@exim.com.my

After that, add this statement to acl_check_rcpt:

deny message    = invalid recipient
     domains    = +relayed_domains
     recipients = !/etc/exim/recipients.verified.list

You can put this statement before or after the accept hosts = : line in acl_check_rcpt; what matters is that it is reached before any callout or content scanning, so the cheap file lookup runs first. What does the rule do? Quite simply, if the recipient's domain is one of your relayed domains and the address is not in the recipients list, Exim denies the RCPT command, so the message is never received and never reaches the scanning stage.

Hope this tip helps; keep fighting spam 😉

P.S.: this is what we got yesterday:

shell> grep 'invalid recipient' /var/log/exim/mainlog | wc -l
129794

129794 attacks per day 😉 and that was a Monday!
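As an added example (not code from the post), here is a small Python helper that replicates the deny statement above offline, so you can sanity-check recipients.verified.list before deploying it, and that counts the "invalid recipient" rejections in mainlog per source host, going one step beyond the grep in the P.S. The list contents, the +relayed_domains domainlist and the log lines are constructed stand-ins; it models only that one ACL statement, not the rest of acl_check_rcpt.

```python
import re
from collections import Counter
from typing import Iterable

# Constructed stand-ins for /etc/exim/recipients.verified.list and +relayed_domains (not the post's data).
RECIPIENT_LIST = """\
recipient-a@exim.com.my
Recipient-B@exim.com.my
# comment lines and blank lines are skipped, as Exim's own list-file reader does

"""
RELAYED_DOMAINS = {"exim.com.my"}

# Constructed mainlog lines in the shape the deny statement produces (plus one unrelated line).
SAMPLE_LOG = """\
2009-03-02 09:14:02 H=(bogus) [192.0.2.10] F=<x@example.net> rejected RCPT <aaron@exim.com.my>: invalid recipient
2009-03-02 09:14:03 H=(bogus) [192.0.2.10] F=<x@example.net> rejected RCPT <abbey@exim.com.my>: invalid recipient
2009-03-02 09:14:09 H=mx.example.org [198.51.100.5] F=<y@example.org> rejected RCPT <abel@exim.com.my>: invalid recipient
2009-03-02 09:14:11 <= bob@example.org H=mx.example.org [198.51.100.5] P=esmtp S=1234
"""

def load_recipients(text: str) -> set[str]:
    """Parse the list file; Exim matches address-list entries caselessly, so lowercase them."""
    verified = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.count("@") != 1:  # this loader accepts plain user@domain entries only
            raise ValueError(f"not a bare address: {line!r}")
        verified.add(line.lower())
    return verified

def rcpt_verdict(recipient: str, verified: set[str], relayed: set[str]) -> str:
    """Replicate the deny statement: deny a relayed-domain recipient that is not in the list."""
    local, _, domain = recipient.lower().rpartition("@")
    if domain in relayed and f"{local}@{domain}" not in verified:
        return "deny"
    return "continue"  # this statement does not match; later acl_check_rcpt statements decide

REJECT_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\] .*rejected RCPT <(?P<rcpt>[^>]+)>: invalid recipient$")

def top_rejecting_hosts(lines: Iterable[str], n: int = 3) -> list[tuple[str, int]]:
    """Count 'invalid recipient' rejections per source IP so dictionary-attack sources stand out."""
    counts = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts.most_common(n)
```

Feed top_rejecting_hosts the real mainlog (open("/var/log/exim/mainlog")) to see which hosts account for most of the rejected RCPTs.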