Date:      Tue, 24 Feb 2009 06:23:46 -0600
From:      eculp <eculp@encontacto.net>
To:        freebsd-isp@freebsd.org
Subject:   Re: rate limiting mail server
Message-ID:  <20090224062346.20565n8uyrtq4ysk@econet.encontacto.net>
In-Reply-To: <8C5EAFEB-10AC-42E7-ACF0-E738F17E7347@lafn.org>
References:  <49A38202.7010506@amplex.net> <8C5EAFEB-10AC-42E7-ACF0-E738F17E7347@lafn.org>

Quoting Doug Hardie <bc979@lafn.org>:

>
> On Feb 23, 2009, at 21:13, Mark E Doner wrote:
>
>> Greetings,
>>  I am running a fairly large mail server, FreeBSD, of course. It is
>> predominantly for residential customers, so educating the end users
>> to not fall for the scams is never going to happen. Whenever we
>> have a customer actually hand over their login credentials, we
>> quickly see a huge flood of inbound connections from a small
>> handful of IP addresses on ports 25 and 587, all authenticate as
>> whatever customer fell for the scam du jour, and of course, load
>> goes through the roof as I get a few thousand extra junk messages
>> to process in a matter of minutes.
>>
>> Thinking about using PF to rate limit inbound connections, stuff
>> the hog wild connection rates into a table and drop them quickly.
>> My question is, I know how to do this, PF syntax is easy, but has
>> anyone ever tried this? How many new connections per minute from a
>> single source are acceptable, and what is blatantly malicious? And,
>> once I have determined that, how long should I leave the offenders
>> in the blocklist?
>
> The Book of PF has in chapter 6 a similar setup although it's used
> for ssh and not smtp.  The questions are not directly answered, but
> it does discuss the issues.  If you do implement it, you will need
> to monitor the situation to see if the blocking period is long
> enough.  If they come back right after you remove the block, then
> the period is too short.  I am using pf and spamd to block drive-by
> spammers.  It's a bit different in that it blocks everyone and only
> allows those through I want.  The retention time for an IP address
> is 72 days.  As a result it has taken over 4 months for the tables
> to stabilize.  However, it is effective.  I have cut out about 90%
> of the received spam.

I am also a big fan of spamd (unrelated to SpamAssassin) with pf and
also keep using connection limiting even though the spamd setup has
really put them under control.  My pf config lines are:

   pass in on $wan_if inet proto tcp from any to ($wan_if) port smtp \
       flags S/SA keep state \
       (max-src-conn 30, max-src-conn-rate 30/90, overload <blocksmtp> flush global)

obviously you can play with the number of connections and the rate.

ed
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>
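The pass rule ed posted only works once the overload table exists and something actually blocks what lands in it; it also does not answer Mark's last question, how long offenders stay blocked, because entries added by overload are never removed on their own. The fragment below is an added example, not ed's or Mark's configuration, of the surrounding pf.conf pieces. The interface name em0, the table name blocksmtp and the thresholds are assumptions; the thresholds are ed's numbers, and port 587 is included because Mark sees the floods on both 25 and 587.

```pf
# Added example, not configuration from the thread.  Assumed: external
# interface em0, table name blocksmtp, ed's thresholds of 30 concurrent
# connections and 30 new connections per 90 seconds.
wan_if = "em0"

# The table must exist before a rule can overload into it.  "persist"
# keeps it around even when no rule currently references it, so entries
# survive a rule reload.
table <blocksmtp> persist

# Drop offenders before the pass rule is evaluated.  "quick" stops
# rule evaluation here; without it the pass rule below, being later in
# the ruleset, would still win for a source already in the table.
block in quick on $wan_if inet proto tcp from <blocksmtp> \
    to ($wan_if) port { smtp, submission }

# max-src-conn 30:        at most 30 simultaneous states per source
# max-src-conn-rate 30/90: at most 30 new connections per source in any
#                          90-second window
# overload <blocksmtp>:   a source that exceeds either limit is added
#                          to the table
# flush global:           all existing states from that source, on any
#                          rule, are killed at the same time
pass in on $wan_if inet proto tcp from any to ($wan_if) \
    port { smtp, submission } flags S/SA keep state \
    (max-src-conn 30, max-src-conn-rate 30/90, \
     overload <blocksmtp> flush global)
```

For the blocklist lifetime, pfctl can remove table entries older than a given number of seconds; running `pfctl -t blocksmtp -T expire 86400` from cron drops anything that has been in the table for more than a day, and `pfctl -vt blocksmtp -T show` lists the current entries with their timestamps so you can see whether the same sources reappear right after expiry, which is the "too short" signal Doug describes. One caveat before turning this on: the limit is per source address, so a large legitimate relay or a NAT gateway in front of many customers can trip it just as readily as a spam bot; a second table of known senders, matched by an earlier pass rule without the overload options, keeps them out of the blocklist.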




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090224062346.20565n8uyrtq4ysk>