From: Ben Plimpton
To: Mark E Doner
Cc: freebsd-isp@freebsd.org
Date: Tue, 24 Feb 2009 10:05:56 -0700
Subject: Re: rate limiting mail server

If you're using sendmail, you could check into "milter-limit".

Ben

On Feb 23, 2009, at 10:13 PM, Mark E Doner wrote:

> Greetings,
> I am running a fairly large mail server, FreeBSD, of course. It is
> predominantly for residential customers, so educating the end users
> to not fall for the scams is never going to happen. Whenever we have
> a customer actually hand over their login credentials, we quickly
> see a huge flood of inbound connections from a small handful of IP
> addresses on ports 25 and 587, all authenticate as whatever customer
> fell for the scam du jour, and of course, load goes through the roof
> as I get a few thousand extra junk messages to process in a matter
> of minutes.
>
> Thinking about using PF to rate limit inbound connections, stuff the
> hog wild connection rates into a table and drop them quickly. My
> question is, I know how to do this, PF syntax is easy, but has
> anyone ever tried this? How many new connections per minute from a
> single source are acceptable, and what is blatantly malicious? And,
> once I have determined that, how long should I leave the offenders
> in the blocklist?
>
> Any thoughts appreciated,
> Mark
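
One way to put numbers behind the threshold and blocklist-duration questions in the quoted message, as an added example that is not part of the original thread: replay per-source connection timestamps through a simplified model of a rate limit with a timed blocklist. `limit` and `window` play the role of the two numbers in PF's `max-src-conn-rate` option; the exact sliding window, the fixed `hold` time, the function names and the sample traffic are all assumptions made for illustration, not PF's own accounting.

```python
from collections import defaultdict, deque

def simulate(events, limit, window, hold):
    """Replay (epoch_seconds, source_ip) connection events against a limit of
    `limit` new connections per `window` seconds per source, blocking a source
    for `hold` seconds once it goes over. Returns {src: (accepted, dropped)}."""
    recent = defaultdict(deque)      # src -> accepted timestamps inside the window
    blocked_until = {}               # src -> time at which the block ends
    totals = defaultdict(lambda: [0, 0])
    for ts, src in sorted(events):
        if ts < blocked_until.get(src, 0):
            totals[src][1] += 1      # source is on the blocklist: dropped
            continue
        q = recent[src]
        while q and q[0] <= ts - window:
            q.popleft()              # forget connections older than the window
        if len(q) >= limit:          # this connection would exceed the limit
            blocked_until[src] = ts + hold
            q.clear()
            totals[src][1] += 1
            continue
        q.append(ts)
        totals[src][0] += 1
    return {src: tuple(t) for src, t in totals.items()}

def sample_events():
    """Constructed traffic (documentation addresses, not real data):
    one ordinary client and one source replaying a stolen login."""
    normal = [(t, "192.0.2.10") for t in range(0, 3600, 120)]       # 1 conn / 2 min
    flood = [(1000 + i // 5, "198.51.100.7") for i in range(3000)]  # 5 conn/s, 600 s
    return normal + flood

if __name__ == "__main__":
    # Compare candidate (limit, window, hold) settings on the same traffic.
    for limit, window, hold in [(30, 60, 300), (30, 60, 3600), (10, 60, 3600)]:
        print(limit, window, hold, simulate(sample_events(), limit, window, hold))
```

Feeding it timestamps extracted from the server's own mail log, instead of `sample_events()`, shows how close legitimate clients come to a candidate limit before it is enforced.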