Tuesday, 22 May 2012

[Cpanel Blog] More and more "closed by DROP in ACL" in exim logs. May 2012

I'm seeing more and more of these kinds of entries in the exim_mainlog file:

2012-05-20 03:36:37 SMTP connection from (hxsf8pgx3x2uk) [41.136.196.2]:34124 closed by DROP in ACL
2012-05-20 03:36:43 SMTP connection from (bxkqlnohhfh) [110.172.150.2]:42054 closed by DROP in ACL
2012-05-20 03:37:23 SMTP connection from (windows-xp) [218.48.74.98]:42242 closed by DROP in ACL
2012-05-20 03:37:27 SMTP connection from (dell-2e58bfb0ba) [182.182.60.148]:16332 closed by DROP in ACL
2012-05-20 03:37:39 SMTP connection from (bubu-b74b3fbaa7) [89.137.235.17]:25125 closed by DROP in ACL
2012-05-20 03:38:01 SMTP connection from (school-0a0b7ad4) [106.66.249.123]:3029 closed by DROP in ACL


All of the IPs in such entries seem to be from notoriously shady sources, e.g. Iran, Korea, Russian Federation, and so on. We are seeing anywhere from 2 to 20 per minute of these "closed by DROP in ACL" log entries.

I'm guessing that this is Exim protecting itself from likely spam probes or something to that effect. But I am wondering if these guys are taking up POP ports with these attacks? And do you suppose it would be worth writing a script to drop these IPs in the server firewall, at least for the ones that hit the server repeatedly, i.e. for the worst offenders?

Thanks much.
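A script of the kind the poster is considering, added here as an example and not part of the original post: it parses the "closed by DROP in ACL" entries out of exim_mainlog, counts them per source IP, and lists the repeat offenders. The sample log lines use documentation-range IPs and are constructed; the threshold of 3 and the rendered iptables rules (printed for review, never executed) are assumptions.

```python
import re
from collections import Counter

# Matches the lines exim writes when an ACL returns "drop", e.g.
# "2012-05-20 03:36:37 SMTP connection from (helo) [1.2.3.4]:34124 closed by DROP in ACL"
# The part before the bracketed IP may be a HELO name, a reverse-DNS name, both, or absent.
DROP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SMTP connection from "
    r"(?P<peer>.*?)\[(?P<ip>[^\]]+)\](?::\d+)? closed by DROP in ACL$"
)

# Constructed sample of exim_mainlog content (documentation IPs, not real hosts).
# Includes one unrelated delivery line to show that only DROP events are counted.
SAMPLE_LOG = """\
2012-05-20 03:36:37 SMTP connection from (hxsf8pgx3x2uk) [192.0.2.10]:34124 closed by DROP in ACL
2012-05-20 03:36:43 SMTP connection from (bxkqlnohhfh) [198.51.100.7]:42054 closed by DROP in ACL
2012-05-20 03:37:01 SMTP connection from [192.0.2.10]:34210 closed by DROP in ACL
2012-05-20 03:37:23 SMTP connection from (windows-xp) [203.0.113.5]:42242 closed by DROP in ACL
2012-05-20 03:37:27 <= sender@example.net H=(mail.example.net) [192.0.2.10] P=esmtp S=1234
2012-05-20 03:38:01 SMTP connection from (school-0a0b7ad4) [192.0.2.10]:3029 closed by DROP in ACL
"""


def count_drops(log_text):
    """Return a Counter of source IP -> number of 'closed by DROP in ACL' events."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DROP_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def repeat_offenders(counts, threshold=3):
    """IPs dropped at least `threshold` times (assumed cutoff), busiest first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def block_commands(ips):
    """Render (but do not run) firewall rules for an admin to review before applying."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]


if __name__ == "__main__":
    counts = count_drops(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{n:4d}  {ip}")
    for cmd in block_commands(repeat_offenders(counts)):
        print(cmd)
```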