Date: Thu, 31 May 2007 09:41:02 -0700
From: snowcrash <schneecrash+pf@gmail.com>
To: freebsd-pf <freebsd-pf@freebsd.org>
Subject: how best to block this port 25 traffic/spam?
Message-ID: <70f41ba20705310941l62a95d98s22651e2ec5fed7fb@mail.gmail.com>
hi,
i use fbsd 6.2-release/p5's pf + spamd v4.1.1 to manage port 25 traffic.
in my pf.conf, i've

  ...
  set require-order no
  ...
  nat on $extif from $intif:network to any -> ($extif)
  ...
  no rdr on $extif from <MXbl> to any tag MXbl
  block log quick tagged MXbl label "(MXbl)"
  ...
  rdr on $extif proto tcp from <MXwl> to $MXwan port 25 \
      -> $MXlan port 25
  rdr pass on $extif proto tcp from <spamd> to ($extif) port 25 \
      -> 127.0.0.1 port 8025
  rdr pass on $extif proto tcp from !<spamd-white> to ($extif) port 25 \
      -> 127.0.0.1 port 8025
  rdr on $extif proto tcp from <spamd-white> to $MXwan port 25 \
      -> $MXlan port 25
  ...
  pass in log quick on $extif proto tcp from { <MXwl>, <spamd-white> } \
      to $MXlan port 25 keep-state
  pass out log quick on $extif proto tcp from any \
      to any port 25 keep-state
  pass out log quick on $intif proto tcp from $MXlan \
      to any port 25 keep-state
  ...

all works great!
in my spamd logs, i'm seeing lots of

  May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <kinnavysou@hotmail.com> -> <aa@mydomain.com>
  May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <kinnavysou@hotmail.com> -> <bb@mydomain.com>
  May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <kinnavysou@hotmail.com> -> <cc@mydomain.com>

characterized by,
(1) forged FROM: @hotmail.com
(2) multiple connections per second from a given IP
(3) 100% of the IPs are in Spamhaus PBL &/or CBL dnsbls; anything that
_does_ sneak past the spamd stutter etc gets dropped anyway.
i'd LIKE to simply BLOCK, with NO logging, these noisy, from-@-hotmail
connections at the fw PRIOR to spamd ever seeing them.
iiuc, my options to do so include:
(a) install a small SMTP server on the router to ONLY reject at CBL
*prior* to passing on to spamd
(b) use the same SMTP server to reject FROM: == *@hotmail
(c) DL/rsync the whole CBL into a local pf/spamd table
(d) throttle # of connections / second, and add to pf block element
if match/exceed
thoughts/comments on the 'best' approach?
thanks!
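The connection-rate option (throttle connections per second and add the source to a pf block table) can be done inside pf itself, without a separate SMTP daemon, via the max-src-conn-rate / overload state options that FreeBSD 6.x's pf (from OpenBSD 3.7) already has. The following pf.conf fragment is an added example written for this thread, not part of the original post. It reuses the poster's $extif and <spamd-white> names; the table name <smtp_flood>, the 3-connections-per-10-seconds limit and the one-day expiry are assumptions to be tuned against local traffic.

```pf
# Added example (not from the original post): silently block sources that
# open SMTP connections faster than a normal MTA would, before spamd sees them.

# Table of overloading sources. "persist" keeps it around even when empty so
# entries can be added/expired with pfctl.
table <smtp_flood> persist

# Drop offenders without "log", as requested. This rule must sit ABOVE the
# rdr/pass rules (the post's pass rules are "quick"), and is itself "quick"
# so evaluation stops here.
block in quick on $extif proto tcp from <smtp_flood> to any port 25

# "rdr pass" cannot carry state options, so the redirect to spamd is split
# into a plain rdr plus an explicit pass rule. Filter rules see the
# translated destination (127.0.0.1 port 8025).
rdr on $extif proto tcp from !<spamd-white> to ($extif) port 25 \
    -> 127.0.0.1 port 8025

# max-src-conn-rate 3/10: more than 3 new connections from one source IP in
# any 10-second window puts that IP into <smtp_flood>; "flush global" also
# kills the states that source already holds on any rule. A legitimate MTA
# retrying a greylisted message waits minutes, not seconds, so it stays well
# under this rate. (Limits are assumptions; tune to your traffic.)
pass in on $extif proto tcp from !<spamd-white> to 127.0.0.1 port 8025 \
    keep-state (max-src-conn-rate 3/10, overload <smtp_flood> flush global)

# Entries added by overload never age out by themselves. Expire those older
# than one day (86400 s) from cron, e.g. hourly:
#   pfctl -t smtp_flood -T expire 86400
```

Sources that land in the table can be inspected with "pfctl -t smtp_flood -T show"; that list, cross-checked against the (GREY) lines in spamd's log, is the quickest way to confirm the rate is catching the multi-connection-per-second senders and nothing on <spamd-white>.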
