From owner-freebsd-isp@FreeBSD.ORG Tue Feb 24 08:30:39 2009
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CA285106564A for ; Tue, 24 Feb 2009 08:30:39 +0000 (UTC) (envelope-from bc979@lafn.org)
Received: from zoom.lafn.org (zoom.lafn.org [206.117.18.8]) by mx1.freebsd.org (Postfix) with ESMTP id 664138FC1A for ; Tue, 24 Feb 2009 08:30:39 +0000 (UTC) (envelope-from bc979@lafn.org)
Received: from [10.0.1.195] (pool-71-109-162-173.lsanca.dsl-w.verizon.net [71.109.162.173]) (authenticated bits=0) by zoom.lafn.org (8.14.2/8.14.2) with ESMTP id n1O8GnP1012643 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 24 Feb 2009 00:16:50 -0800 (PST) (envelope-from bc979@lafn.org)
Message-Id: <8C5EAFEB-10AC-42E7-ACF0-E738F17E7347@lafn.org>
From: Doug Hardie
To: Mark E Doner
In-Reply-To: <49A38202.7010506@amplex.net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Tue, 24 Feb 2009 00:16:49 -0800
References: <49A38202.7010506@amplex.net>
X-Mailer: Apple Mail (2.930.3)
X-Virus-Scanned: ClamAV version 0.92.1, clamav-milter version 0.92.1 on zoom.lafn.org
X-Virus-Status: Clean
Cc: freebsd-isp@freebsd.org
Subject: Re: rate limiting mail server
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Internet Services Providers
X-List-Received-Date: Tue, 24 Feb 2009 08:30:40 -0000

On Feb 23, 2009, at 21:13, Mark E Doner wrote:

> Greetings,
> I am running a fairly large mail server, FreeBSD, of course. It is
> predominantly for residential customers, so educating the end users
> to not fall for the scams is never going to happen. Whenever we have
> a customer actually hand over their login credentials, we quickly
> see a huge flood of inbound connections from a small handful of IP
> addresses on ports 25 and 587, all authenticate as whatever customer
> fell for the scam du jour, and of course, load goes through the roof
> as I get a few thousand extra junk messages to process in a matter
> of minutes.
>
> Thinking about using PF to rate limit inbound connections, stuff the
> hog wild connection rates into a table and drop them quickly. My
> question is, I know how to do this, PF syntax is easy, but has
> anyone ever tried this? How many new connections per minute from a
> single source are acceptable, and what is blatantly malicious? And,
> once I have determined that, how long should I leave the offenders
> in the blocklist?

The Book of PF has in chapter 6 a similar setup, although it's used for ssh and not smtp. The questions are not directly answered, but it does discuss the issues. If you do implement it, you will need to monitor the situation to see if the blocking period is long enough. If they come back right after you remove the block, then the period is too short.

I am using pf and spamd to block drive-by spammers. It's a bit different in that it blocks everyone and only allows through those I want. The retention time for an IP address is 72 days. As a result it has taken over 4 months for the tables to stabilize. However, it is effective. I have cut out about 90% of the received spam.
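The overload-table setup Mark describes, and that The Book of PF chapter Doug cites applies to ssh, written out for SMTP and submission as an added example. This is not configuration from either poster; the interface name, table name, the two thresholds and the expiry interval are assumptions and are exactly the values the thread says must be tuned by watching the table after deployment.

```pf
# Assumed external interface; change to the real one.
ext_if = "em0"

# Table of sources that exceeded the connection limits.  "persist" keeps
# the table even while no rule references it, so entries survive reloads.
table <smtp_abusers> persist

# Sources already in the table are dropped before any other rule is tried.
# "quick" makes this decision final for matching packets.
block in quick on $ext_if proto tcp from <smtp_abusers> to $ext_if port { 25, 587 }

# Accept SMTP and submission, but track each source address:
#   max-src-conn 20        at most 20 simultaneous connections per source
#   max-src-conn-rate 10/60  at most 10 new connections per source per 60 s
#   overload <smtp_abusers>  a source exceeding either limit is added to the table
#   flush global             its existing states on every rule are torn down too
# Both numbers are placeholders: measure the rate a normal customer or
# legitimate upstream relay produces before choosing them.
pass in on $ext_if proto tcp to $ext_if port { 25, 587 } flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 10/60, overload <smtp_abusers> flush global)

# Entries stay until removed.  To answer "how long in the blocklist", expire
# them from cron; 86400 s (one day) is an assumed starting point, to be
# lengthened if the same sources reappear as soon as they are released:
#   pfctl -t smtp_abusers -T expire 86400
# Inspect what is being caught, and how often, with:
#   pfctl -t smtp_abusers -T show
```

Tune with the table in front of you rather than by guessing: `pfctl -t smtp_abusers -T show` over a week tells you whether real mail relays behind NAT are being swept up (raise the thresholds) and whether the same addresses return right after each expiry run (lengthen the interval), which is the monitoring loop Doug describes.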