From owner-freebsd-isp@FreeBSD.ORG Tue Feb 24 05:24:21 2009
From: Mark E Doner
To: freebsd-isp@freebsd.org
Date: Tue, 24 Feb 2009 00:13:38 -0500
Message-ID: <49A38202.7010506@amplex.net>
Subject: rate limiting mail server

Greetings,

I am running a fairly large mail server, FreeBSD, of course. It is predominantly for residential customers, so educating the end users to not fall for the scams is never going to happen. Whenever we have a customer actually hand over their login credentials, we quickly see a huge flood of inbound connections from a small handful of IP addresses on ports 25 and 587, all authenticating as whatever customer fell for the scam du jour, and of course, load goes through the roof as I get a few thousand extra junk messages to process in a matter of minutes.

Thinking about using PF to rate limit inbound connections, stuff the hog wild connection rates into a table and drop them quickly. My question is, I know how to do this, PF syntax is easy, but has anyone ever tried this? How many new connections per minute from a single source are acceptable, and what is blatantly malicious? And, once I have determined that, how long should I leave the offenders in the blocklist?

Any thoughts appreciated,
Mark

_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"

From owner-freebsd-isp@FreeBSD.ORG Tue Feb 24 06:07:09 2009
From: Trey Briggs
To: Mark E Doner
Cc: freebsd-isp@freebsd.org
Date: Mon, 23 Feb 2009 23:48:30 -0600
Message-ID: <49A38A2E.4040303@apid.com>
In-Reply-To: <49A38202.7010506@amplex.net>
Subject: Re: rate limiting mail server

I'm currently using postfix-policyd-sf with an 'smtpd_restriction_classes' line set up in postfix to catch outbound traffic. I limit users to 250 outbound messages an hour; if this is hit 3 times, I block the IP for 12 hours. This has kept our servers off of all blacklists for 6 months now, and only incurred the wrath of a small handful of our customers :) .

-Trey

Mark E Doner wrote:
> [original message quoted in full; see above]

From owner-freebsd-isp@FreeBSD.ORG Tue Feb 24 08:30:39 2009
From: Doug Hardie
To: Mark E Doner
Cc: freebsd-isp@freebsd.org
Date: Tue, 24 Feb 2009 00:16:49 -0800
Message-Id: <8C5EAFEB-10AC-42E7-ACF0-E738F17E7347@lafn.org>
In-Reply-To: <49A38202.7010506@amplex.net>
Subject: Re: rate limiting mail server

On Feb 23, 2009, at 21:13, Mark E Doner wrote:
> [original message quoted in full; see above]

The Book of PF has in chapter 6 a similar setup, although it's used for ssh and not smtp. The questions are not directly answered, but it does discuss the issues. If you do implement it, you will need to monitor the situation to see if the blocking period is long enough. If they come back right after you remove the block, then the period is too short.

I am using pf and spamd to block drive-by spammers. It's a bit different in that it blocks everyone and only allows through those I want. The retention time for an IP address is 72 days. As a result it has taken over 4 months for the tables to stabilize. However, it is effective. I have cut out about 90% of the received spam.
From owner-freebsd-isp@FreeBSD.ORG Tue Feb 24 12:33:51 2009
From: eculp
To: freebsd-isp@freebsd.org
Date: Tue, 24 Feb 2009 06:23:46 -0600
Message-ID: <20090224062346.20565n8uyrtq4ysk@econet.encontacto.net>
In-Reply-To: <8C5EAFEB-10AC-42E7-ACF0-E738F17E7347@lafn.org>
Subject: Re: rate limiting mail server

Quoting Doug Hardie:
> On Feb 23, 2009, at 21:13, Mark E Doner wrote:
>> [original message quoted in full; see above]
>
> [Doug Hardie's reply quoted in full; see above]

I am also a big fan of spamd (unrelated to SpamAssassin) with pf and also keep using connection limiting even though the spamd setup has really put them under control. My pf config lines are:

pass in on $wan_if inet proto tcp from any to ($wan_if) port smtp flags S/SA keep state \
    (max-src-conn 30, max-src-conn-rate 30/90, overload flush global)

Obviously you can play with the number of connections and the rate.

ed

From owner-freebsd-isp@FreeBSD.ORG Tue Feb 24 15:10:11 2009
From: "Khulekani"
Date: Tue, 24 Feb 2009 16:30:33 +0200
Message-ID: <005601c9968d$0a20d9d0$0300000a@FAMILY>
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: problem

When I opened your last email I received some errors, which have been saved in the attached file. Please inform me about those errors as soon as possible. The original file name is outlooklog.rar; it is compressed by WinRAR, and no virus was found. Use WinRAR to decompress the file.

From owner-freebsd-isp@FreeBSD.ORG Tue Feb 24 17:36:35 2009
From: Ben Plimpton
To: Mark E Doner
Cc: freebsd-isp@freebsd.org
Date: Tue, 24 Feb 2009 10:05:56 -0700
Message-Id: <815D84F7-24C5-4E56-855D-BBE1BDE31A55@sopris.net>
In-Reply-To: <49A38202.7010506@amplex.net>
Subject: Re: rate limiting mail server

If you're using sendmail, you could check into "milter-limit".

Ben

On Feb 23, 2009, at 10:13 PM, Mark E Doner wrote:
> [original message quoted in full; see above]
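The PF approach Mark asks about, and the pass rule eculp posted, written out as a complete pf.conf fragment. This is an added example for readers of the archive, not configuration from any message in the thread. The interface name em0, the table names <smtp_abusers> and <smtp_trusted>, the inclusion of port 587 and the 24-hour expiry are assumptions chosen for illustration; the thresholds of 30 concurrent connections and 30 new connections per 90 seconds are the ones eculp used.

```pf
# pf.conf fragment (added example; em0, the table names and the expiry
# period are assumptions, the 30 / 30-per-90s thresholds are eculp's).
wan_if = "em0"

# Sources that tripped the limits. "persist" keeps the table alive even
# when no loaded rule refers to it, so entries survive a ruleset reload.
table <smtp_abusers> persist

# Sources that must never be rate limited (a large NAT gateway or a
# secondary MX that relays in bursts). Populated by hand or from a file.
table <smtp_trusted> persist

# Offenders are dropped before any other rule is evaluated; "log" lets you
# see from pflog how often each blocked source keeps coming back, which is
# the signal Doug Hardie describes for judging whether the block period
# is long enough.
block in log quick on $wan_if from <smtp_abusers> to any

# Trusted relays bypass the limits entirely.
pass in quick on $wan_if inet proto tcp from <smtp_trusted> \
    to ($wan_if) port { smtp, submission } flags S/SA keep state

# Everyone else: at most 30 simultaneous connections per source address,
# and at most 30 new connections per 90 seconds per source address.
# A source that exceeds either limit is added to <smtp_abusers> and all
# of its existing states are torn down ("flush global"), so the flood is
# cut off immediately rather than only for new connections.
pass in on $wan_if inet proto tcp from any to ($wan_if) \
    port { smtp, submission } flags S/SA keep state \
    (max-src-conn 30, max-src-conn-rate 30/90, \
     overload <smtp_abusers> flush global)

# Aging entries out answers the "how long in the blocklist" question.
# pf does not expire overload entries by itself; run from cron, e.g. hourly:
#   pfctl -t smtp_abusers -T expire 86400
# which removes entries added (or zeroed) more than 24 hours ago. Review
# the current contents with:
#   pfctl -t smtp_abusers -T show
```

The limits are per source address, which fits the case Mark describes (a small handful of IP addresses), but a flood spread over many sources stays under them, and a single busy but legitimate sender can exceed them; the <smtp_trusted> table is the escape hatch for the latter, and the expiry period is the knob to tune after watching how quickly blocked sources return. Because the abuse here is authenticated submission, this packet-level limit complements rather than replaces per-user sending limits in the MTA of the kind Trey (postfix-policyd) and Ben (milter-limit) mention.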