Barney Cordoba wrote:



--- On Tue, 2/24/09, Mark E Doner <nuint...@amplex.net> wrote:

From: Mark E Doner <nuint...@amplex.net>
Subject: rate limiting mail server
To: freebsd-...@freebsd.org
Date: Tuesday, February 24, 2009, 12:13 AM
Greetings,
   I am running a fairly large mail server, FreeBSD, of
course. It is predominantly for residential customers, so
educating the end users to not fall for the scams is never
going to happen. Whenever we have a customer actually hand
over their login credentials, we quickly see a huge flood of
inbound connections from a small handful of IP addresses on
ports 25 and 587, all authenticate as whatever customer fell
for the scam du jour, and of course, load goes through the
roof as I get a few thousand extra junk messages to process
in a matter of minutes.

Thinking about using PF to rate limit inbound connections,
stuff the hog wild connection rates into a table and drop
them quickly. My question is, I know how to do this, PF
syntax is easy, but has anyone ever tried this? How many new
connections per minute from a single source are acceptable,
and what is blatantly malicious? And, once I have determined
that, how long should I leave the offenders in the
blocklist?

Any thoughts appreciated,
Mark

A better strategy is to identify the spam source and just block it. The
way we do it is that we look for unusual domain traffic from a single
source and then block the source. I haven't figured out a way to automate
it yet, but it works very well.
You don't really want to rate-limit mail spammers. They go on for many hours.

BC

IMHO, what you could potentially do is add a maximum-recipients limit per SMTP session for your customers (relay access IPs), combining it with tarpitting, while on the firewall side all you do (my suggestion) is just limit the simultaneous access per source IP. Remember that you might have NATed customers, so when limiting per IP don't make it way too limited (2 to 5 simultaneous sessions is probably enough, given your "residential" usage profile).

Finally, you didn't mention your MTA. If it's Qmail, there is a great plugin framework called qmail-spp, and it already has a rate-control plugin to be used. While qmail-spp is not (yet) available in the Ports Collection, I have working patches for qmail-ldap and qmail-spamassassin, which can both be applied from Ports directly (will send-pr(1) to garga@ in the near future...).

Those are usually my own approaches to slowing down my users' message floods. If you mention your MTA, maybe we can be of further assistance.

--
Patrick Tracanelli

FreeBSD Brasil LTDA.
Tel.: (31) 3516-0800
316...@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
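The PF side of what Mark asked about and Patrick suggested, as an added example that is not from anyone in the thread: a per-source limit on simultaneous sessions, plus a new-connection rate that moves a source into an overload table and tears down its existing states. The interface name, the MX address, the table name and every threshold are assumptions chosen for illustration, not values anyone on the list recommended; the thread's open question of what rate is "blatantly malicious" is left to tuning.

```pf
# Added example, not from the list thread. Assumed: external interface em0,
# MX address 192.0.2.25 (constructed, documentation range), table <mailflood>.
# The numbers are placeholders to tune against real traffic.
ext_if     = "em0"
mx         = "192.0.2.25"
mail_ports = "{ 25, 587 }"

# Sources that exceeded the limits land here. 'persist' keeps the table
# even while it is empty, so entries added by hand or by overload survive.
table <mailflood> persist

# Drop offenders before the pass rule can create new state for them.
block in quick on $ext_if proto tcp from <mailflood> to $mx port $mail_ports

# Residential/NATed clients: allow a few concurrent SMTP sessions per
# source address (Patrick's 2 to 5), and treat more than 30 new
# connections per minute from one address as a flood. 'overload' adds the
# address to <mailflood>; 'flush global' kills every state that address
# holds, not only the ones created by this rule, so the in-progress
# submissions stop immediately instead of running to completion.
pass in on $ext_if proto tcp from any to $mx port $mail_ports \
    flags S/SA keep state \
    (max-src-states 5, max-src-conn-rate 30/60, overload <mailflood> flush global)
```

Load with pfctl -f /etc/pf.conf and watch the table with pfctl -t mailflood -T show. PF does not expire overload entries on its own; a cron job running pfctl -t mailflood -T expire 3600 removes entries older than an hour, which is where Mark's "how long do I leave them blocked" knob lives. Two caveats a practitioner should keep in mind: the limits count per /32, so a large NAT gateway in front of many customers shares one budget and can be blocked by a single compromised account behind it (Patrick's point about not setting the per-IP limit too low), and max-src-states counts PF state entries, so half-open or lingering connections count against the 5 until their state times out.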

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
