From: Barney Cordoba
To: Mark E Doner
Date: Sun, 1 Mar 2009 13:31:07 -0800 (PST)
Message-ID: <407473.34181.qm@web63901.mail.re1.yahoo.com>
In-Reply-To: <49A38202.7010506@amplex.net>
Cc: net@freebsd.org
Subject: Re: rate limiting mail server
Reply-To: barney_cordoba@yahoo.com
List-Id: Networking and TCP/IP with FreeBSD

--- On Tue, 2/24/09, Mark E Doner wrote:

> From: Mark E Doner
> Subject: rate limiting mail server
> To: freebsd-isp@freebsd.org
> Date: Tuesday, February 24, 2009, 12:13 AM
>
> Greetings,
>
> I am running a fairly large mail server, FreeBSD, of course. It is
> predominantly for residential customers, so educating the end users to
> not fall for the scams is never going to happen. Whenever we have a
> customer actually hand over their login credentials, we quickly see a
> huge flood of inbound connections from a small handful of IP addresses
> on ports 25 and 587, all authenticating as whatever customer fell for
> the scam du jour, and of course, load goes through the roof as I get a
> few thousand extra junk messages to process in a matter of minutes.
>
> Thinking about using PF to rate limit inbound connections, stuff the
> hog-wild connection rates into a table and drop them quickly. My
> question is, I know how to do this, PF syntax is easy, but has anyone
> ever tried this? How many new connections per minute from a single
> source are acceptable, and what is blatantly malicious? And, once I
> have determined that, how long should I leave the offenders in the
> blocklist?
>
> Any thoughts appreciated,
> Mark

A better strategy is to identify the spam source and just block it. The
way we do it is that we look for unusual domain traffic from a single
source and then block the source. I haven't figured out a way to
automate it yet, but it works very well.

You don't really want to rate limit mail spammers. They go on for many
hours.

BC
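The PF approach Mark describes, written out as an added example that is not part of the original thread: new SMTP and submission connections are tracked per source, a source that exceeds the limits is moved into a table and blocked, and the table is expired on a schedule. The interface name, table names, the trusted-relay address and the thresholds (20 concurrent, 30 new connections per minute) are assumptions, not values from the thread; the thread itself leaves the right numbers open.

```pf
# Added example, not from the thread. Interface, table names and the
# thresholds below are assumptions; tune them against your own logs.
ext_if = "em0"

# Sources that exceeded the limits land here. 'persist' keeps the table
# alive even when no rule currently references it.
table <smtp_abusers> persist

# Relays or NAT gateways that legitimately open many connections bypass
# the limits (placeholder address, not from the thread).
table <smtp_trusted> { 192.0.2.10 }

# Drop anything already in the abuser table before the pass rules run.
block in quick on $ext_if from <smtp_abusers>

# Trusted senders are passed without source tracking.
pass in quick on $ext_if proto tcp from <smtp_trusted> \
    to $ext_if port { 25, 587 } flags S/SA keep state

# Everyone else gets SMTP/submission with per-source limits:
#   max-src-conn       at most 20 concurrent connections from one address
#   max-src-conn-rate  at most 30 new connections per 60 seconds
# A source that breaks either limit is added to <smtp_abusers>; 'flush
# global' also kills that source's existing states under every rule, so
# the flood in progress stops rather than just new connections.
pass in on $ext_if proto tcp to $ext_if port { 25, 587 } \
    flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 30/60, \
     overload <smtp_abusers> flush global)

# Operational side, run from cron (e.g. hourly); this is the answer to
# "how long should I leave offenders in the blocklist" as a fixed TTL:
#   pfctl -t smtp_abusers -T show          # list currently blocked sources
#   pfctl -t smtp_abusers -T expire 86400  # remove entries older than 24h
```

Watch the table for addresses that belong to large NAT'd customer sites or upstream relays, since those are the legitimate sources most likely to trip a per-address rate limit and should be moved to the trusted table rather than left to expire.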