From owner-freebsd-pf@FreeBSD.ORG Thu Feb 8 17:28:22 2007
From: "eculp@encontacto.net"
To: freebsd-pf@freebsd.org
Date: Thu, 08 Feb 2007 11:17:55 -0600
Subject: Re: SPAMD stop passing mail from WHITE-list
Message-ID: <20070208111755.81jaocgn4w880k4g@correo.encontacto.net>
In-Reply-To: <45C5D5DB.9050407@vwsoft.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Quoting Volker:

> On 12/23/-58 20:59, =12;048<8@ =1A0?CAB8=3D wrote:
>> 2. If I have some malware on my PC and use mail-client program. If
>> I send the same message some times I automatically get into
>> WHITE-list and my malware can spam as much as it must?
>
> Not really related to your spamd problem, but probably useful...
>
> If you need to limit an internal client system for sending out mail
> through your system, IMO you may also use pf's limit functions.
>
> Imagine something like:
>
> pass in quick on $int_if from any to $int_if port smtp keep state
> (max-src-conn 1, max-src-conn-rate 2/60)
>
> This should limit an internal client to one concurrent connection
> and a maximum of 2 connections per 60 seconds and so mass mailing by
> abusing your mail gateway should be impossible.
>
> Combining this by a rule like 'block in quick on $int_if from any to
> ! $int_if port smtp' should efficiently block spam originating from
> your internal net.

Has anyone tried using a table and blocking smtp connections similar
to the ssh brute force solution that I've often seen on the list and
have been using happily for some time?

Something like:

pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state (max-src-conn 1, max-src-conn-rate 2/60, overload flush global)
block drop in quick on $ext_if from

Could it work and be controllable or would it make a bad situation worse?

Thanks,

ed

> And for the malware issues, I would like to recommend not to install
> and use malware! ;)
>
> Greetings,
>
> Volker
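A fuller pf.conf version of the table-based variant ed sketches above, added here as an illustration and not taken from the thread. It applies the thread's thresholds (1 concurrent connection, 2 per 60 s) on the internal interface as in Volker's rule; the interface names, the table names <smtp_abusers> and <mail_ok>, and the relay address 192.0.2.25 are assumed placeholders.

```pf
# Added example, not from the mailing-list post. Interface and table
# names and the 192.0.2.25 relay are placeholders chosen for this example.
int_if = "em1"
ext_if = "em0"

# Sources that trip the limits are added here by the overload option.
# "persist" keeps the table even while no loaded rule references it.
table <smtp_abusers> persist
# Hosts allowed to open many SMTP connections (e.g. an internal relay).
table <mail_ok> { 192.0.2.25 }

# Must come before the pass rule: "quick" stops evaluation at first match,
# so a host already in the table never reaches the limiting rule.
block drop in quick on $int_if proto tcp from <smtp_abusers> to any port smtp

# Trusted relays bypass the connection limits entirely.
pass in quick on $int_if proto tcp from <mail_ok> to $int_if port smtp \
    flags S/SA keep state

# Same thresholds as in the thread. A source exceeding either limit is
# added to <smtp_abusers> and "flush global" kills every state it owns,
# not only its SMTP sessions (IMAP, HTTP through the gateway, etc.).
pass in quick on $int_if proto tcp from any to $int_if port smtp \
    flags S/SA keep state \
    (max-src-conn 1, max-src-conn-rate 2/60, \
     overload <smtp_abusers> flush global)

# Volker's second rule: internal hosts may only submit mail to the gateway.
block in quick on $int_if proto tcp from any to ! $int_if port smtp

# Entries added by overload never age out by themselves; manage them with:
#   pfctl -t smtp_abusers -T show             # list blocked sources
#   pfctl -t smtp_abusers -T expire 3600      # drop entries older than 1 h
#   pfctl -t smtp_abusers -T delete 10.0.0.5  # release a cleaned host
```

Run the expire command from cron so that a host is released automatically once its malware has been removed; otherwise the block is permanent until someone edits the table by hand.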