From: Mark E Doner
To: freebsd-isp@freebsd.org
Date: Tue, 24 Feb 2009 00:13:38 -0500
Subject: rate limiting mail server
Message-ID: <49A38202.7010506@amplex.net>
List-Id: Internet Services Providers

Greetings,

I am running a fairly large mail server, FreeBSD, of course.
It is predominantly for residential customers, so educating the end users to not fall for the scams is never going to happen. Whenever we have a customer actually hand over their login credentials, we quickly see a huge flood of inbound connections from a small handful of IP addresses on ports 25 and 587, all authenticate as whatever customer fell for the scam du jour, and of course, load goes through the roof as I get a few thousand extra junk messages to process in a matter of minutes.

Thinking about using PF to rate limit inbound connections, stuff the hog wild connection rates into a table and drop them quickly.

My question is, I know how to do this, PF syntax is easy, but has anyone ever tried this? How many new connections per minute from a single source are acceptable, and what is blatantly malicious? And, once I have determined that, how long should I leave the offenders in the blocklist?

Any thoughts appreciated,
Mark
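The approach the post describes (per-source connection-rate tracking on ports 25 and 587 with offenders pushed into a table that a block rule consumes), as an added pf.conf fragment that is not the poster's configuration; the interface name, table name and every threshold are placeholders, not recommended values.

```pf
# Added example pf.conf fragment, not the poster's configuration.
# The interface, table name and all thresholds are assumptions to be tuned.
ext_if = "em0"                 # assumed external interface name
mail_ports = "{ 25, 587 }"     # SMTP and submission, the ports named in the post

# Persistent table that survives rule reloads; holds sources that overloaded.
table <mail_abuse> persist

# Drop anything already in the table before it reaches the MTA.
block in quick on $ext_if proto tcp from <mail_abuse> to any port $mail_ports

# Allow new SMTP/submission sessions, but track each source address:
#   max-src-conn-rate 20/60 : more than 20 new connections within 60 s from
#                             one address moves that address into <mail_abuse>
#   overload <mail_abuse>   : the table the offending address is added to
#   flush global            : also tear down that source's existing states
pass in on $ext_if proto tcp from any to $ext_if port $mail_ports \
    flags S/SA keep state \
    (max-src-conn-rate 20/60, overload <mail_abuse> flush global)
```

Table entries do not age out on their own, so a cron job running `pfctl -t mail_abuse -T expire 3600` removes addresses older than an hour (another placeholder window), and `pfctl -t mail_abuse -T show` lists what the rule has caught. Review that list before trusting the thresholds, since a large NATed site or a busy legitimate relay can open many sessions from one address.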