From: Trey Briggs
Date: Mon, 23 Feb 2009 23:48:30 -0600
To: Mark E Doner
Cc: freebsd-isp@freebsd.org
Subject: Re: rate limiting mail server

I'm currently using a postfix-policyd-sf with an 'smtpd_restriction_classes' line setup in postfix to catch outbound traffic. I limit users to 250 outbound messages an hour, if this is hit 3 times, I block the IP for 12 hours. This has kept our servers off of all blacklists for 6 months now, and only incurred the wrath of a small handful of our customers :) .

-Trey

Mark E Doner wrote:
> Greetings,
> I am running a fairly large mail server, FreeBSD, of course. It is
> predominantly for residential customers, so educating the end users to
> not fall for the scams is never going to happen. Whenever we have a
> customer actually hand over their login credentials, we quickly see a
> huge flood of inbound connections from a small handful of IP addresses
> on ports 25 and 587, all authenticate as whatever customer fell for
> the scam du jour, and of course, load goes through the roof as I get a
> few thousand extra junk messages to process in a matter of minutes.
>
> Thinking about using PF to rate limit inbound connections, stuff the
> hog wild connection rates into a table and drop them quickly. My
> question is, I know how to do this, PF syntax is easy, but has anyone
> ever tried this? How many new connections per minute from a single
> source are acceptable, and what is blatantly malicious? And, once I
> have determined that, how long should I leave the offenders in the
> blocklist?
>
> Any thoughts appreciated,
> Mark
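The policy in the reply above (250 outbound messages an hour, three hits, a 12-hour block) modelled as an added example; this is not code from the thread and not how postfix-policyd-sf is implemented. Assumptions: fixed one-hour windows that start at a sender's first message, over-limit messages are deferred, one strike is counted per window, tracking is by client IP only, and an expired block clears the record; `OutboundPolicy` and `simulate` are hypothetical names.

```python
from collections import defaultdict

LIMIT, WINDOW = 250, 3600      # 250 messages per hour (figures from the reply)
STRIKES, BLOCK = 3, 12 * 3600  # third hit blocks the IP for 12 hours

class OutboundPolicy:
    """Per-IP verdict for each outbound message: 'ok', 'defer' or 'blocked'."""

    def __init__(self):
        self.window_start = {}           # ip -> start of current window
        self.count = defaultdict(int)    # ip -> messages seen in that window
        self.strikes = defaultdict(int)  # ip -> windows in which the limit was hit
        self.blocked_until = {}          # ip -> time the block lifts

    def check(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "blocked"
            # Assumption: an expired block clears the IP's whole record.
            del self.blocked_until[ip]
            self.window_start.pop(ip, None)
            self.strikes[ip] = 0
        start = self.window_start.get(ip)
        if start is None or now - start >= WINDOW:
            self.window_start[ip], self.count[ip] = now, 0
        self.count[ip] += 1
        if self.count[ip] <= LIMIT:
            return "ok"
        if self.count[ip] == LIMIT + 1:  # first overflow: one strike per window
            self.strikes[ip] += 1
            if self.strikes[ip] >= STRIKES:
                self.blocked_until[ip] = now + BLOCK
                return "blocked"
        return "defer"

def simulate(ip, interval, duration, policy=None):
    """Constructed traffic: one message from `ip` every `interval` seconds."""
    policy = OutboundPolicy() if policy is None else policy
    tally, first_block = {"ok": 0, "defer": 0, "blocked": 0}, None
    for now in range(0, duration, interval):
        verdict = policy.check(ip, now)
        tally[verdict] += 1
        if verdict == "blocked" and first_block is None:
            first_block = now
    return tally, first_block

if __name__ == "__main__":
    # 203.0.113.7 and 198.51.100.20 are documentation addresses (constructed input).
    print("hijacked account, 1 msg/s:", simulate("203.0.113.7", 1, 8 * 3600))
    print("ordinary user, 1 msg/10min:", simulate("198.51.100.20", 600, 24 * 3600))
```

Under these assumptions the constructed 1 msg/s sender gets 750 messages accepted before the block lands 7450 seconds in, while the 10-minute sender is never deferred.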