Date: Tue, 24 Feb 2009 06:23:46 -0600
From: eculp <eculp@encontacto.net>
To: freebsd-isp@freebsd.org
Subject: Re: rate limiting mail server
Message-ID: <20090224062346.20565n8uyrtq4ysk@econet.encontacto.net>
In-Reply-To: <8C5EAFEB-10AC-42E7-ACF0-E738F17E7347@lafn.org>
References: <49A38202.7010506@amplex.net> <8C5EAFEB-10AC-42E7-ACF0-E738F17E7347@lafn.org>
Quoting Doug Hardie <bc979@lafn.org>:

> On Feb 23, 2009, at 21:13, Mark E Doner wrote:
>
>> Greetings,
>> I am running a fairly large mail server, FreeBSD, of course. It is
>> predominantly for residential customers, so educating the end users
>> to not fall for the scams is never going to happen. Whenever we
>> have a customer actually hand over their login credentials, we
>> quickly see a huge flood of inbound connections from a small
>> handful of IP addresses on ports 25 and 587, all authenticate as
>> whatever customer fell for the scam du jour, and of course, load
>> goes through the roof as I get a few thousand extra junk messages
>> to process in a matter of minutes.
>>
>> Thinking about using PF to rate limit inbound connections, stuff
>> the hog wild connection rates into a table and drop them quickly.
>> My question is, I know how to do this, PF syntax is easy, but has
>> anyone ever tried this? How many new connections per minute from a
>> single source are acceptable, and what is blatantly malicious? And,
>> once I have determined that, how long should I leave the offenders
>> in the blocklist?
>
> The Book of PF has in chapter 6 a similar setup although it's used
> for ssh and not smtp. The questions are not directly answered, but
> it does discuss the issues. If you do implement it, you will need
> to monitor the situation to see if the blocking period is long
> enough. If they come back right after you remove the block, then
> the period is too short. I am using pf and spamd to block drive-by
> spammers. It's a bit different in that it blocks everyone and only
> allows those through I want. The retention time for an IP address
> is 72 days. As a result it has taken over 4 months for the tables
> to stabilize. However, it is effective. I have cut out about 90%
> of the received spam.
I am also a big fan of spamd (unrelated to SpamAssassin) with pf and
also keep using connection limiting even though the spamd setup has
really put them under control. My pf config lines are:

    pass in on $wan_if inet proto tcp from any to ($wan_if) port smtp flags S/SA keep state \
        (max-src-conn 30, max-src-conn-rate 30/90, overload <blocksmtp> flush global)

Obviously you can play with the number of connections and the rate.

ed
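The pass rule above only makes sense together with the table it fills and a rule that acts on that table. The following pf.conf fragment is an added example, not eculp's own configuration; it assumes the macro $wan_if and the table name blocksmtp from the message, and covers port 587 (submission) as well as 25 because Mark's original report names both.

```pf
# Constructed example pf.conf fragment (not from the original message).
# Assumes $wan_if is the external interface; "em0" is a placeholder.
wan_if = "em0"

# Table the overload option below fills with offending source addresses.
# "persist" keeps the table in the kernel even while it is empty.
table <blocksmtp> persist

# Drop new connections from anything already flagged. "quick" ends rule
# evaluation here, so the pass rule below never sees these sources.
block in quick on $wan_if inet proto tcp from <blocksmtp> \
    to ($wan_if) port { smtp, submission }

# Accept SMTP and submission from everyone else, with per-source limits:
#   max-src-conn 30         : at most 30 open connections from one address
#   max-src-conn-rate 30/90 : at most 30 new connections per 90 seconds
#   overload <blocksmtp>    : an address exceeding either limit is added
#                             to the table, so the block rule catches it
#   flush global            : its existing states are torn down as well,
#                             not just the one that tripped the limit
pass in on $wan_if inet proto tcp from any to ($wan_if) \
    port { smtp, submission } flags S/SA keep state \
    (max-src-conn 30, max-src-conn-rate 30/90, overload <blocksmtp> flush global)
```

Entries stay in the table until removed, so the retention question is answered outside pf.conf: a periodic `pfctl -t blocksmtp -T expire 86400` deletes entries older than 24 hours (an illustrative value to tune against how quickly flagged sources return), and `pfctl -t blocksmtp -T show` lists what is currently blocked.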
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090224062346.20565n8uyrtq4ysk>