Date: Sun, 1 Mar 2009 13:31:07 -0800 (PST)
From: Barney Cordoba <barney_cordoba@yahoo.com>
To: Mark E Doner <nuintari@amplex.net>
Cc: net@freebsd.org
Subject: Re: rate limiting mail server
Message-ID: <407473.34181.qm@web63901.mail.re1.yahoo.com>
In-Reply-To: <49A38202.7010506@amplex.net>

--- On Tue, 2/24/09, Mark E Doner <nuintari@amplex.net> wrote:

> From: Mark E Doner <nuintari@amplex.net>
> Subject: rate limiting mail server
> To: freebsd-isp@freebsd.org
> Date: Tuesday, February 24, 2009, 12:13 AM
>
> Greetings,
> I am running a fairly large mail server, FreeBSD, of
> course. It is predominantly for residential customers, so
> educating the end users to not fall for the scams is never
> going to happen. Whenever we have a customer actually hand
> over their login credentials, we quickly see a huge flood of
> inbound connections from a small handful of IP addresses on
> ports 25 and 587, all authenticate as whatever customer fell
> for the scam du jour, and of course, load goes through the
> roof as I get a few thousand extra junk messages to process
> in a matter of minutes.
>
> Thinking about using PF to rate limit inbound connections,
> stuff the hog wild connection rates into a table and drop
> them quickly. My question is, I know how to do this, PF
> syntax is easy, but has anyone ever tried this? How many new
> connections per minute from a single source are acceptable,
> and what is blatantly malicious? And, once I have determined
> that, how long should I leave the offenders in the
> blocklist?
>
> Any thoughts appreciated,
> Mark

A better strategy is to identify the spam source and just block it. The way we do it is that we look for unusual domain traffic from a single source and then block the source. I haven't figured out a way to automate it yet but it works very well.

You don't really want to rate limit mail spammers. They go on for many hours.

BC
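
One way to automate the "unusual domain traffic from a single source" check described in the reply, as an added example that is not code from either poster. It assumes "unusual" means one client IP sending to many distinct recipient domains within a short window; the flat log format, the thresholds, and the PF table name `mail_abusers` are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "ISO-timestamp client-ip sasl-user recipient".
# This flat format is an assumption; adapt parse() to your MTA's real log lines.
SAMPLE_LOG = "\n".join(
    [f"2009-02-24T00:0{i}:00 203.0.113.5 carol user{i}@dom{i}.example" for i in range(7)]
    + [f"2009-02-24T0{i}:00:00 198.51.100.7 dave friend@site{i}.example" for i in range(7)]
    + ["2009-02-24T00:05:00 192.0.2.10 alice bob@example.org",
       "2009-02-24T00:06:00 192.0.2.10 alice eve@example.net"])

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_DOMAINS = 5                 # assumed limit on distinct recipient domains

def parse(line):
    """Split one record into (timestamp, client IP, SASL user, recipient domain)."""
    ts, ip, user, rcpt = line.split()
    return datetime.fromisoformat(ts), ip, user, rcpt.rsplit("@", 1)[1].lower()

def find_offenders(log_text, window=WINDOW, max_domains=MAX_DOMAINS):
    """Return {ip: [accounts used]} for every source that mailed more than
    max_domains distinct recipient domains inside any sliding window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, domain = parse(line)
            events[ip].append((ts, user, domain))
    offenders = {}
    for ip, recs in events.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Advance the left edge until the window spans at most `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            if len({d for _, _, d in recs[start:end + 1]}) > max_domains:
                # Report the accounts seen from this source: they need a reset.
                offenders[ip] = sorted({u for _, u, _ in recs})
                break
    return offenders

def pfctl_commands(offenders, table="mail_abusers"):
    """Render pfctl commands that add each offending source to a PF table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]

if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    print(hits)
    print("\n".join(pfctl_commands(hits)))
```

The same report names the account that authenticated from each flagged source, so the compromised password can be reset alongside the block.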