From: Vladimir Kapustin
To: freebsd-pf@freebsd.org
Date: Tue, 6 Feb 2007 15:56:25 +0300
Message-ID: <859855731.20070206155625@mail.ru>
Subject: SPAMD stop passing mail from WHITE-list

>> 2. If I have some malware on my PC and use a mail-client program. If I send the same message some times I automatically get
>> into the WHITE-list and my malware can spam as much as it must?
>
> Not really related to your spamd problem, but probably useful...
>
> If you need to limit an internal client system for sending out mail
> through your system, IMO you may also use pf's limit functions.
>
> Imagine something like:
>
> pass in quick on $int_if from any to $int_if port smtp keep state
> (max-src-conn 1, max-src-conn-rate 2/60)
>
> This should limit an internal client to one concurrent connection
> and a maximum of 2 connections per 60 seconds, and so mass mailing by
> abusing your mail gateway should be impossible.
>
> Combining this with a rule like 'block in quick on $int_if from any to
> ! $int_if port smtp' should efficiently block spam originating from
> your internal net.

Yes, it seems to be a good idea, if I can combine this method with spamd functionality. I have a similar iptables filter on my recent Linux gateway, but with the growth of the network its effectiveness began to decrease.

> And for the malware issues, I would like to recommend not to install
> and use malware! ;)

Earlier, I caught some spammers and blocked their IPs in the LAN - it was a good motivation to set up antivirus and other useful software.

I'm thinking about a combination (if this is possible) of these two methods, and I'd like to add some more functionality to your method: any IP that tries to send more than max-src-conn-rate will be put in some table, and all IPs from this table will be automatically blocked on the smtp port and some others - to make it more demonstrable to the IP-keepers that they have some malware.
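The table-based extension described at the end of the message is exactly what pf's `overload` state option does. The pf.conf fragment below is an added example written for this page, not a rule posted in the thread: the interface name `fxp0` behind `$int_if`, the table name `smtp_abusers` and the choice of extra ports are assumptions. It also adds `proto tcp` to the quoted rules, since pf only accepts `port` on tcp/udp rules, and puts the `quick` rules in the order in which they have to match.

```pf
# Added example: rate-limit internal SMTP clients and auto-block abusers.
# Assumptions: fxp0 is the LAN-facing interface; the table name is made up.
int_if = "fxp0"

# Hosts that exceeded the limits land here. 'persist' keeps the table
# alive even while no loaded rule references it.
table <smtp_abusers> persist

# Anything already caught is cut off from SMTP and submission, so the
# owner of the host notices quickly that something on it is sending mail.
block in quick on $int_if proto tcp from <smtp_abusers> to any port { smtp, submission }

# Mail may only go to the gateway itself; port 25 to anywhere else is dropped.
block in quick on $int_if proto tcp from any to ! $int_if port smtp

# One completed handshake at a time, at most 2 new connections per 60 s.
# A source that goes over either limit is added to the table, and
# 'flush global' tears down all of its existing states, not only the
# connection that tripped the limit.
pass in quick on $int_if proto tcp from $int_if:network to $int_if port smtp \
    keep state (max-src-conn 1, max-src-conn-rate 2/60, \
    overload <smtp_abusers> flush global)
```

`pfctl -t smtp_abusers -T show` lists the hosts that have been caught, `pfctl -t smtp_abusers -T delete <address>` releases one once it has been cleaned, and a cron job running `pfctl -t smtp_abusers -T expire 86400` drops entries older than a day so a host does not stay blocked forever. The limits are deliberately tight; a legitimate client that opens several SMTP sessions in a burst will trip them too, so check the table during the first days and raise `max-src-conn-rate` if real users appear in it.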