From owner-freebsd-isp@FreeBSD.ORG Tue Feb 24 12:33:51 2009
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5A38C106566B for ; Tue, 24 Feb 2009 12:33:51 +0000 (UTC) (envelope-from eculp@encontacto.net)
Received: from ns2.bafirst.com (72-12-2-19.static.networktel.net [72.12.2.19]) by mx1.freebsd.org (Postfix) with ESMTP id 209418FC0A for ; Tue, 24 Feb 2009 12:33:50 +0000 (UTC) (envelope-from eculp@encontacto.net)
Received: from HOME.encontacto.net ([189.129.8.148]) by ns2.bafirst.com with esmtp; Tue, 24 Feb 2009 06:23:47 -0600 id 000D5121.49A3E6D4.0000E7DE
Received: from localhost (localhost [127.0.0.1]) (uid 80) by HOME.encontacto.net with local; Tue, 24 Feb 2009 06:23:46 -0600 id 0004AC15.49A3E6D2.0001619E
Received: from local69.local.net.mx (local69.local.net.mx [192.168.1.69]) by econet.encontacto.net (Horde Framework) with HTTP; Tue, 24 Feb 2009 06:23:46 -0600
Message-ID: <20090224062346.20565n8uyrtq4ysk@econet.encontacto.net>
Date: Tue, 24 Feb 2009 06:23:46 -0600
From: eculp
To: freebsd-isp@freebsd.org
References: <49A38202.7010506@amplex.net> <8C5EAFEB-10AC-42E7-ACF0-E738F17E7347@lafn.org>
In-Reply-To: <8C5EAFEB-10AC-42E7-ACF0-E738F17E7347@lafn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Internet Messaging Program (IMP) H3 (5.0-cvs)
X-Remote-Browser: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.9.0.6) Gecko/2009021303 Firefox/3.0.4, Ant.com Toolbar 1.2
X-IMP-Server: 189.129.8.148
X-Originating-IP: 192.168.1.69
X-Originating-User: eculp@encontacto.net
Subject: Re: rate limiting mail server
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Internet Services Providers
X-List-Received-Date: Tue, 24 Feb 2009 12:33:52 -0000

Quoting Doug Hardie:

> On Feb 23, 2009, at 21:13, Mark E Doner wrote:
>
>> Greetings,
>> I am running a fairly large mail server, FreeBSD, of course. It is
>> predominantly for residential customers, so educating the end users
>> to not fall for the scams is never going to happen. Whenever we
>> have a customer actually hand over their login credentials, we
>> quickly see a huge flood of inbound connections from a small
>> handful of IP addresses on ports 25 and 587, all authenticating as
>> whatever customer fell for the scam du jour, and of course, load
>> goes through the roof as I get a few thousand extra junk messages
>> to process in a matter of minutes.
>>
>> Thinking about using PF to rate limit inbound connections, stuff
>> the hog-wild connection rates into a table and drop them quickly.
>> My question is, I know how to do this, PF syntax is easy, but has
>> anyone ever tried this? How many new connections per minute from a
>> single source are acceptable, and what is blatantly malicious? And,
>> once I have determined that, how long should I leave the offenders
>> in the blocklist?
>
> The Book of PF has in chapter 6 a similar setup, although it's used
> for ssh and not smtp. The questions are not directly answered, but
> it does discuss the issues. If you do implement it, you will need
> to monitor the situation to see if the blocking period is long
> enough. If they come back right after you remove the block, then
> the period is too short. I am using pf and spamd to block drive-by
> spammers. It's a bit different in that it blocks everyone and only
> allows through those I want. The retention time for an IP address
> is 72 days. As a result it has taken over 4 months for the tables
> to stabilize. However, it is effective. I have cut out about 90%
> of the received spam.
I am also a big fan of spamd (unrelated to SpamAssassin) with pf and also keep using connection limiting even though the spamd setup has really put them under control. My pf config lines are:

pass in on $wan_if inet proto tcp from any to ($wan_if) port smtp \
    flags S/SA keep state \
    (max-src-conn 30, max-src-conn-rate 30/90, overload <...> flush global)

Obviously you can play with the number of connections and the rate.

ed
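The rule above answers Mark's first question with a concrete threshold (30 new connections per 90 seconds per source) but not the second one, how long to keep an offender in the table. The script below is an added example, not code from this thread or from pf: it models pf's max-src-conn-rate N/M plus an overload table with a fixed retention time, and replays it over a constructed connection log (the addresses 203.0.113.5, 198.51.100.7 and 198.51.100.8 and their timings are made up) so you can compare retention periods against Doug's rule of thumb: a source that overloads the rule again as soon as its entry expires means the period is too short. Concurrent-connection limits (max-src-conn) are not modelled.

```python
"""Model of pf's 'max-src-conn-rate N/M' with an overload table, replayed
over a constructed SMTP connection log to tune the rate and block period.
Added example; the traffic below is constructed, not a real server's log."""
from collections import defaultdict, deque


class OverloadLimiter:
    """Per-source sliding window like pf's 'max-src-conn-rate 30/90' with an
    overload table whose entries expire after block_for seconds (assumed)."""

    def __init__(self, max_conn=30, window=90.0, block_for=3600.0):
        self.max_conn = max_conn              # connections allowed per window
        self.window = window                  # window length in seconds
        self.block_for = block_for            # assumed table retention, seconds
        self.hits = defaultdict(deque)        # ip -> recent connection times
        self.blocked_until = {}               # ip -> time its entry expires
        self.block_count = defaultdict(int)   # ip -> times it hit the rule

    def connect(self, ip, t):
        """Return True if a new connection from ip at time t is accepted."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if t < until:
                return False                  # still in the overload table
            del self.blocked_until[ip]        # aged out, like 'pfctl -T expire'
        q = self.hits[ip]
        while q and q[0] <= t - self.window:
            q.popleft()                       # forget hits outside the window
        q.append(t)
        if len(q) > self.max_conn:            # the (max_conn+1)th hit overloads
            self.blocked_until[ip] = t + self.block_for
            self.block_count[ip] += 1
            q.clear()                         # 'flush': existing states dropped
            return False
        return True


def make_sample_log():
    """Constructed (t_seconds, ip) events, not real traffic."""
    events = []
    # A normal residential client: one connection every two minutes.
    events += [(120.0 * i, "203.0.113.5") for i in range(10)]
    # A steady sender: 20 connections in a minute, under 30/90.
    events += [(3.0 * i, "198.51.100.8") for i in range(20)]
    # A bot with a phished account: 400 connections at 10 per second...
    events += [(0.1 * i, "198.51.100.7") for i in range(400)]
    # ...returning an hour later, after a one-hour block has expired.
    events += [(3700.0 + 0.1 * i, "198.51.100.7") for i in range(100)]
    return events


def replay(events, limiter):
    """Feed events through the limiter in time order; return per-ip counts."""
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for t, ip in sorted(events):
        key = "accepted" if limiter.connect(ip, t) else "dropped"
        stats[ip][key] += 1
    return dict(stats)


def reoffenders(limiter):
    """Sources that overloaded the rule more than once: for them the
    retention period was too short."""
    return sorted(ip for ip, n in limiter.block_count.items() if n > 1)


if __name__ == "__main__":
    for block_for in (3600.0, 86400.0):
        lim = OverloadLimiter(block_for=block_for)
        stats = replay(make_sample_log(), lim)
        print(f"block_for={block_for:.0f}s", stats,
              "reoffenders:", reoffenders(lim))
```

With a one-hour retention the bot is accepted for 30 connections, blocked, and accepted for another 30 when it returns; with a one-day retention its return is absorbed by the table. On a real pf host the equivalent of `block_for` is a cron job running `pfctl -t bruteforce -T expire 86400` (table name assumed; it is whatever your overload clause names), and `pfctl -t bruteforce -T show` lists who is currently in it.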