From owner-freebsd-pf@FreeBSD.ORG Tue Dec 21 02:19:45 2004
Date: Tue, 21 Dec 2004 11:19:42 +0900
From: Pyun YongHyeon
To: Ladislav Bodnar
cc: freebsd-pf@freebsd.org
Subject: Re: Can pf block illegal relay access attempts?
Message-ID: <20041221021942.GA4468@kt-is.co.kr>
References: <200412171356.34608.distro.watch@msa.hinet.net> <20041217061437.GA5119@kt-is.co.kr> <200412210840.42375.distro.watch@msa.hinet.net>
In-Reply-To: <200412210840.42375.distro.watch@msa.hinet.net>
Reply-To: yongari@kt-is.co.kr
List-Id: Technical discussion and general questions about packet filter (pf)

On Tue, Dec 21, 2004 at 08:40:42AM +0800, Ladislav Bodnar wrote:
> On Friday 17 December 2004 14:14, Pyun YongHyeon wrote:
> > On Fri, Dec 17, 2004 at 01:56:34PM +0800, Ladislav Bodnar wrote:
> > > Hi,
> > >
> > > Over the last 7 days my Postfix mail server received almost 80,000
> > > requests to relay mail to a third destination. Since it is not an open
> > > relay, it rejected all these requests, but it is still annoying to see
> > > this happening. The requests came from varying (almost 20,000
> > > different) IP addresses, but they had one thing in common - the
> > > destination address was always "$some-user-name"@infomagic.com.
> > >
> > > Is there a way to prevent these attempts to access the mail server at
> > > all? I only started using pf recently, so I still have a lot to learn,
> > > but I would appreciate any advice. Or is pf not the right tool for
> > > this?
> >
> > Try spamd in ports/mail.
>
> Thank you for your suggestion.
>
> I investigated spamd and found out that it blocks connections based on IP
> address only. Unfortunately, I generated almost 20,000 different IP
> addresses over the last 7 days, so I don't think the IP addresses I would
> block are valid. I am looking for a solution where a connection is refused
> based on the recipient's email address (which is always @infomagic.com).
>
> Basically I am wondering if pf can refuse a connection based on some other
> criteria than IP address.
>

As you said, pf can filter based on IP address. The IP address
information to be used comes from other criteria (e.g. greylisting or
sender/recipient's address, header information etc.). You may want to
see Daniel's page.

http://www.benzedrine.cx/relaydb.html

Using 20,000 different IP addresses is no problem at all. You will never
notice performance degradation and I believe pf's table is more
efficient than a userland database approach as far as IP addresses are
concerned. Redirecting to spamd in order to waste the time of the spam
sender or blocking the connection from spammers' IP addresses is up to
you.

> Thanks a lot.

--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org
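
The approach in the reply above (derive IP addresses from another criterion, here the recipient domain, and load them into a pf table), shown as an added example that is not part of the original thread. The function names, the table name `relay_abusers`, the log path and the sample log lines are assumptions; the log lines are constructed in the usual Postfix smtpd reject format.

```shell
#!/bin/sh
# Added example, not code from the thread. Sample data is constructed.

# Read Postfix smtpd log lines on stdin; print the unique client IPv4
# addresses whose relay attempt was rejected for a recipient in domain $1.
relay_abusers() {
    awk -v dom="$1" '
    /reject: RCPT from / && /Relay access denied/ {
        # Recipient is the to=<...> field; compare its domain exactly.
        if (!match($0, /to=<[^>]*>/)) next
        rcpt = tolower(substr($0, RSTART + 4, RLENGTH - 5))
        suffix = "@" tolower(dom)
        if (length(rcpt) <= length(suffix)) next
        if (substr(rcpt, length(rcpt) - length(suffix) + 1) != suffix) next
        # Client is logged as host[ip]; the host part is reverse DNS and
        # untrusted, so take only the last bracketed address in the token.
        if (!match($0, /RCPT from [^ ]*\[[0-9.]+\]:/)) next
        ip = substr($0, RSTART, RLENGTH - 2)
        sub(/^.*\[/, "", ip)
        # Emit only well-formed IPv4 so nothing else reaches pfctl.
        if (split(ip, o, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
        print ip
    }' | LC_ALL=C sort -u
}

sample_log() {  # constructed lines using documentation address ranges
    cat <<'EOF'
Dec 20 10:00:01 mx postfix/smtpd[411]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 <bob@infomagic.com>: Relay access denied; from=<a@example.net> to=<bob@infomagic.com> proto=SMTP helo=<x>
Dec 20 10:00:02 mx postfix/smtpd[411]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 <al@infomagic.com>: Relay access denied; from=<a@example.net> to=<al@infomagic.com> proto=SMTP helo=<x>
Dec 20 10:00:03 mx postfix/smtpd[412]: NOQUEUE: reject: RCPT from h.example.net[198.51.100.7]: 554 <Amy@INFOMAGIC.COM>: Relay access denied; from=<> to=<Amy@INFOMAGIC.COM> proto=ESMTP helo=<h>
Dec 20 10:00:04 mx postfix/smtpd[413]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 <joe@example.org>: Relay access denied; from=<b@example.net> to=<joe@example.org> proto=SMTP helo=<y>
Dec 20 10:00:05 mx postfix/smtpd[414]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 450 <x@infomagic.com>: Recipient address rejected: try later; from=<c@example.net> to=<x@infomagic.com> proto=SMTP helo=<z>
Dec 20 10:00:06 mx postfix/smtpd[415]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 <u@notinfomagic.com>: Relay access denied; from=<d@example.net> to=<u@notinfomagic.com> proto=SMTP helo=<w>
EOF
}

sample_log | relay_abusers infomagic.com
# On the mail server (log path and table name are assumptions):
#   relay_abusers infomagic.com </var/log/maillog >/tmp/abusers
#   pfctl -t relay_abusers -T add -f /tmp/abusers
# pf.conf:
#   table <relay_abusers> persist
#   block in quick proto tcp from <relay_abusers> to any port smtp
```

The `block` rule can be swapped for a redirect to spamd if the goal is to tie up the sender rather than drop the connection, as the reply notes.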